I've been putting most of my research on a privately hosted page here:
http://www9.dyndns-server.com:8080/pub/botnet-links.html
(Sorry about the bad formatting and strange URL)
My very latest "OSINT research" is on the following page:
http://www9.dyndns-server.com:8080/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
It shows that you can find many (recent and old) analysis reports just by googling a couple of registry keys or domains. These would also be good indicators to look for (hint).
My biggest questions are:
Why is this malware known under so many different names?
(Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
Why aren't AV companies connecting the dots?
A good indicator is the existence or creation of a registry key, namely
"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6"
and/or
"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6"
So I would be interested to know if these keys exist on a clean system under any circumstance?
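If you want to answer that question on your own machines (or sweep a clean baseline image), here is an added PowerShell check that is not part of the original post. Only the two key paths above come from the post; the WOW6432Node path is my assumption for 64-bit hosts and can be dropped if it is noisy, and the function name is made up for this example.

```powershell
# Added example, not from the original post: test a Windows host for the
# Ponmocup "Internet Settings\6" registry indicator described above.
$IndicatorKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6',
    # Assumption (not from the post): 32-bit view of HKLM on 64-bit Windows.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\6'
)

function Test-PonmocupRegistryIndicator {
    # Hypothetical function name; returns one object per path checked.
    param([string[]]$Paths = $IndicatorKeys)

    foreach ($path in $Paths) {
        $present = Test-Path -LiteralPath $path
        $values  = @()

        if ($present) {
            # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey,
            # so the raw value names, kinds and data can be dumped for triage.
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                $values += [pscustomobject]@{
                    Name = $name
                    Kind = $key.GetValueKind($name)
                    Data = $key.GetValue($name)
                }
            }
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $path
            Present      = $present
            ValueCount   = $values.Count
            Values       = $values
        }
    }
}

# Summary table first, then the values of any key that was actually found.
$results = Test-PonmocupRegistryIndicator
$results | Format-Table ComputerName, Path, Present, ValueCount -AutoSize
$results | Where-Object Present | ForEach-Object {
    "Values under $($_.Path):"
    $_.Values | Format-Table Name, Kind, Data -AutoSize
}
```

Two caveats when you run this: HKCU: only reflects the hive of the account running the script, so to cover every profile on a box enumerate the loaded hives under HKEY_USERS (for example after `New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS`) and substitute `HKU:\<SID>\SOFTWARE\...` for the HKCU path, or load the NTUSER.DAT files of logged-off users. And a hit on a clean baseline does not disprove the indicator by itself; record which application created the key before discarding it.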
There has been some cooperation to create IOCs and ET snort rules to detect this malware:
https://forums.mandiant.com/topic/ioc-request-for-ponmocup-malware-botnet
http://ioc.forensicartifacts.com/2012/01/ponmocup/
http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=Ponmocup
A friend of mine (from abuse.ch blog and zeustracker) was able to sinkhole some C&C domains for a while to estimate the botnet size and it seemed to be quite big at that time: (April - May 2011)
How Big is Big? Some Botnet Statistics
By the way, I've been tweeting about some general malware threat intel recently, which caught some attention on Digital4rensics blog (thanks Keith!)
http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing/
http://www.digital4rensics.com/blog/2012/02/thanks-for-sharing-indicators/
How do you share your malware and threat intelligence?
Do you know of better ways or platforms to do it?
Feedback is welcome!
Tom,
Excellent write-up! Been following your comments/work on Mandiant's IOC forum and wanted to say thanks; it's been helpful.
Joe