Saturday, February 18, 2012

Not APT, but nasty malware (Ponmocup botnet)

For once I'm not writing about APT, but about some nasty malware / botnet that I've been researching for almost a year. It's been called the "Ponmocup botnet", but the malware itself has been given many different names (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.).

I've been putting most of my research on a privately hosted page here:
http://www9.dyndns-server.com:8080/pub/botnet-links.html
(Sorry about the bad formatting and strange URL)

My very latest "OSINT research" is on the following page:
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
It shows that you can find many (recent and old) analysis reports just by googling a couple of registry keys or domains. These would also be good indicators to look for on your own systems (hint).

My biggest questions are:
  • Why is this malware known under so many different names (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)?
  • Why aren't AV companies connecting the dots?

There is one indicator (a registry key) that I believe to be very effective and accurate, but I don't have any hard evidence (besides all these analysis reports) to support this: the existence or creation of the registry key

"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6"
and/or
"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6"

So I would be interested to know whether these keys exist on a clean system under any circumstances.
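If you want to help answer that question, here is a small PowerShell script (added to this post as an example; it is not taken from any of the linked analysis reports) that checks for the key under HKLM and under every loaded user hive in HKEY_USERS, not just HKCU, and writes the result to a CSV so results from many known-clean machines can be compared. It uses only built-in cmdlets; the CSV file name and the decision to skip the *_Classes hives are my own choices.

```powershell
# Added example (not from the original post or the linked reports). Reports
# whether the suspected Ponmocup indicator key exists on this host, checking
# HKLM and every loaded user hive under HKEY_USERS (HKCU only covers the user
# running the script). Run as an administrator to see all user hives.

$relativeKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6'

# PowerShell has no HKU: drive by default; map HKEY_USERS once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-IndicatorKeyStatus {
    param([string]$Path)

    $exists = Test-Path -LiteralPath $Path
    $status = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        Exists       = $exists
        ValueCount   = 0
        SubKeyCount  = 0
        ValueNames   = ''
    }
    if ($exists) {
        # Existence alone says little about what created the key, so also
        # record what it contains for later comparison across hosts.
        $item = Get-Item -LiteralPath $Path
        $status.ValueCount  = $item.ValueCount
        $status.SubKeyCount = $item.SubKeyCount
        $status.ValueNames  = ($item.GetValueNames() -join ';')
    }
    return $status
}

# Machine hive first, then each loaded user hive (SIDs under HKEY_USERS).
# The *_Classes hives hold COM registration data, not user settings, so
# they are skipped (assumption: the indicator is not expected there).
$paths = @("HKLM:\$relativeKey")
$paths += Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\$relativeKey" }

$results = $paths | ForEach-Object { Get-IndicatorKeyStatus -Path $_ }
$results | Format-Table -AutoSize

# One CSV per host (file name is an assumption) so the "does this key ever
# exist on a clean system?" question can be answered from collected data.
$csv = Join-Path $env:TEMP "ponmocup-indicator-$($env:COMPUTERNAME).csv"
$results | Export-Csv -Path $csv -NoTypeInformation
```

A hit in the CSV is only a lead: on a clean machine it would mean the key has a benign origin, which is exactly the false-positive evidence I am missing, and on a suspect machine the recorded value names give you something concrete to compare against the analysis reports.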

There has been some cooperation to create IOCs and Emerging Threats (ET) Snort rules to detect this malware:

https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet
http://ioc.forensicartifacts.com/2012/01/ponmocup/
http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=Ponmocup

A friend of mine (from the abuse.ch blog and zeustracker) was able to sinkhole some C&C domains for a while (April - May 2011) to estimate the botnet size, and it seemed to be quite big at that time:
How Big is Big? Some Botnet Statistics

By the way, I've been tweeting some general malware threat intel recently, which caught some attention on the Digital4rensics blog (thanks Keith!):
http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing/
http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing-indicators/

How do you share your malware and threat intelligence?
Do you know of better ways or platforms to do it?

Feedback is welcome!