Friday, April 27, 2012

Hunting Ponmocup Botnet

Updated 2012-05-31: find new malware domains and IPs at the end of this post



Welcome to my third post about the ponmocup malware / botnet.

I have some more malware intel to share, and also a request to other researchers.
Following is a list of Ponmocup redirection domains (with the malware IP where known), each with the domain of the hacked/infected website and the date it was discovered, grouped by redirection pattern ("/cgi-bin/r.cgi" and "/url").



Of the 88 domains listed, 60 servers still appear to be infected at this time.
Now part of me says "why haven't you already informed all website owners or hosters about the hacked servers?". But the other part thinks: why not use the hacked servers to get some more current trojan-downloader samples and infect some (VM) clients to study the C&C traffic and create new network indicators (since the "old" ET Snort rules seem ineffective now)?

And that's the challenge, or request, to other malware researchers, since I haven't been able to download any samples recently.

I've shown in the wget logs how you can (try to) download an infector sample. Try it from a "home IP" and/or a "corporate IP-range" (should be safe with wget); you might get different results.

Actually, after taking a closer look at the files downloaded by wget, it looks like the malware download would only work with a browser. Take a look at the scripts at the end of one file.

So you probably won't get the malware using wget anymore.

When infecting a client, try using a corporate IP, DNS and domain configuration, since I believe "ipconfig" is called by the trojan-downloader and its further behaviour could depend on the ipconfig output.

If you're interested in researching this malware / botnet and are able to do any of the above, I'd be very interested to hear from you.

Thanks for any help or feedback!

@c_APT_ure

Updated 2012-04-30:

I've collected some of my tweets about the Ponmocup malware here on Storify:
http://storify.com/c_APT_ure/a-v-failed-for-ponmocup-malware

So I found a new source of malware today, virusshare.com, thanks to Ken!
Searching for "ponmocup" I got 160 results, but I could download only 20.

Updated 2012-05-13:
I received the results for all 160 Ponmocup samples. See additional stats at the end.

Here is an analysis of the A/V detections of these 20 samples:

20 Panda
20 NOD32
20 Ikarus
20 GData
20 F-Secure
20 Emsisoft
20 DrWeb
20 BitDefender
20 Avast
19 Norman
19 Kaspersky
19 Fortinet
19 Comodo
19 AntiVir
19 AhnLab-V3
19 AVG
18 TrendMicro-HouseCall
18 TrendMicro
18 Microsoft
18 K7AntiVirus
17 nProtect
17 VIPRE
17 McAfee-GW-Edition
17 McAfee
17 Jiangmin
15 VirusBuster
15 Symantec
15 Sophos
14 VBA32
14 TheHacker
14 PCTools
11 F-Prot
11 Commtouch
10 SUPERAntiSpyware
9 Rising
9 ClamAV
9 Antiy-AVL
8 eTrust-Vet
8 ViRobot
6 ByteHero
5 eSafe
3 CAT-QuickHeal


And the detections are:

1 AVG = Downloader.Generic10.BMDC
1 AVG = Downloader.Generic10.BOLE
1 AVG = Downloader.Small.62.D
1 AVG = Dropper.Generic4.BXSO
8 AVG = Dropper.VB.CMD
1 AVG = Generic22.JDH
1 AVG = Generic25.AFPK
1 AVG = Generic25.AIJK
1 AVG = Generic25.BRLU
1 AVG = Generic25.BTFX
1 AVG = Generic25.BTHJ
1 AVG = Suspicion: unknown virus
1 AhnLab-V3 = Trojan/Win32.HDC
2 AhnLab-V3 = Trojan/Win32.Jorik
1 AhnLab-V3 = Trojan/Win32.Monder
5 AhnLab-V3 = Trojan/Win32.Pirminay
8 AhnLab-V3 = Trojan/Win32.Swisyn
1 AhnLab-V3 = Win-Trojan/Pirminay.313344.M
1 AhnLab-V3 = Win-Trojan/Pirminay.438601
1 AntiVir = TR/Crypt.XPACK.Gen
1 AntiVir = TR/Dldr.Ponmocup.A.393
1 AntiVir = TR/Downloader.Gen
1 AntiVir = TR/Graftor.1139.2
1 AntiVir = TR/Graftor.3421.1
1 AntiVir = TR/Graftor.3421.2
1 AntiVir = TR/Monder.mzyl
1 AntiVir = TR/Pirminay.bg.2
1 AntiVir = TR/Pirminay.bhf
1 AntiVir = TR/Pirminay.bhy
1 AntiVir = TR/Spy.438876.1
8 AntiVir = TR/VB.Downloader.Gen
2 Antiy-AVL = Trojan/Win32.Jorik
1 Antiy-AVL = Trojan/Win32.Jorik.gen
1 Antiy-AVL = Trojan/Win32.Monder
1 Antiy-AVL = Trojan/Win32.Pirminay
3 Antiy-AVL = Trojan/Win32.Pirminay.gen
1 Antiy-AVL = Trojan/win32.agent
8 Avast = Win32:Hosts-J [Trj]
1 Avast = Win32:Kryptik-WL [Trj]
1 Avast = Win32:MalOb-EI [Cryp]
7 Avast = Win32:Malware-gen
1 Avast = Win32:Pirminay-DW [Trj]
1 Avast = Win32:Spyware-gen [Spy]
1 Avast = Win32:Trojan-gen
1 BitDefender = Backdoor.Generic.542938
1 BitDefender = Gen:Variant.Graftor.1139
1 BitDefender = Gen:Variant.Graftor.3421
1 BitDefender = Gen:Variant.Vundo.11
1 BitDefender = Trojan.Generic.5274711
1 BitDefender = Trojan.Generic.6148391
2 BitDefender = Trojan.Generic.6270838
1 BitDefender = Trojan.Generic.6764589
1 BitDefender = Trojan.Generic.6871065
1 BitDefender = Trojan.Generic.6892427
1 BitDefender = Trojan.Generic.KD.393940
8 BitDefender = Trojan.QHosts.AVD
5 ByteHero = Trojan.Win32.Heur.Gen
1 ByteHero = Virus.Win32.Heur.p
1 CAT-QuickHeal = Trojan.Jorik.Pirminay.aoq
1 CAT-QuickHeal = Trojan.Monder.mzyl
1 CAT-QuickHeal = TrojanDownloader.Ponmocup.a
1 ClamAV = Trojan.Agent-183385
8 ClamAV = Trojan.VB-43290
2 Commtouch = W32/FakeAlert.FT.gen!Eldorado
1 Commtouch = W32/FakeAlert.LP.gen!Eldorado
8 Commtouch = W32/Swisyn.E.gen!Eldorado
8 Comodo = TrojWare.Win32.Swisyn.C
5 Comodo = TrojWare.Win32.Trojan.Agent.Gen
6 Comodo = UnclassifiedMalware
1 DrWeb = Trojan.DownLoader5.4289
1 DrWeb = Trojan.DownLoader5.5892
1 DrWeb = Trojan.Fakealert.26434
1 DrWeb = Trojan.Hosts.2582
9 DrWeb = Trojan.Hosts.303
1 DrWeb = Trojan.MulDrop1.59103
4 DrWeb = Trojan.WinSpy.1014
2 DrWeb = Trojan.WinSpy.origin
1 Emsisoft = Riskware.AdWare.Win32.SuperJuan!IK
6 Emsisoft = Trojan-Downloader.Win32.Ponmocup!IK
1 Emsisoft = Trojan.Pirminay!IK
4 Emsisoft = Trojan.Win32.Pirminay!IK
8 Emsisoft = Trojan.Win32.Swisyn!IK
2 F-Prot = W32/FakeAlert.FT.gen!Eldorado
1 F-Prot = W32/FakeAlert.LP.gen!Eldorado
8 F-Prot = W32/Swisyn.E.gen!Eldorado
1 F-Secure = Backdoor.Generic.542938
1 F-Secure = Gen:Variant.Graftor.1139
1 F-Secure = Gen:Variant.Graftor.3421
1 F-Secure = Gen:Variant.Vundo.11
1 F-Secure = Trojan.Generic.5274711
1 F-Secure = Trojan.Generic.6148391
2 F-Secure = Trojan.Generic.6270838
1 F-Secure = Trojan.Generic.6764589
1 F-Secure = Trojan.Generic.6871065
1 F-Secure = Trojan.Generic.6892427
1 F-Secure = Trojan.Generic.KD.393940
8 F-Secure = Trojan.QHosts.AVD
1 Fortinet = PossibleThreat
1 Fortinet = W32/Evx.BG!tr
1 Fortinet = W32/Jorik_Pirminay.ANO!tr
1 Fortinet = W32/Kryptik.ANL!tr
1 Fortinet = W32/Malware_fam.NB
1 Fortinet = W32/Monder.MZYL!tr
2 Fortinet = W32/Pirminay.A!tr
1 Fortinet = W32/Ponmocup.A
1 Fortinet = W32/Ponmocup.AA
8 Fortinet = W32/Swisyn.CQV!tr
1 Fortinet = W32/Virtum!tr
1 GData = Backdoor.Generic.542938
1 GData = Gen:Variant.Graftor.1139
1 GData = Gen:Variant.Graftor.3421
1 GData = Gen:Variant.Vundo.11
1 GData = Trojan.Generic.5274711
1 GData = Trojan.Generic.6148391
2 GData = Trojan.Generic.6270838
1 GData = Trojan.Generic.6764589
1 GData = Trojan.Generic.6871065
1 GData = Trojan.Generic.6892427
1 GData = Trojan.Generic.KD.393940
8 GData = Trojan.QHosts.AVD
6 Ikarus = Trojan-Downloader.Win32.Ponmocup
1 Ikarus = Trojan.Pirminay
4 Ikarus = Trojan.Win32.Pirminay
8 Ikarus = Trojan.Win32.Swisyn
1 Ikarus = not-a-virus:AdWare.Win32.SuperJuan
2 Jiangmin = Trojan/Generic.kfzm
1 Jiangmin = Trojan/Generic.kkfx
2 Jiangmin = Trojan/Generic.knvv
1 Jiangmin = Trojan/Pirminay.gr
1 Jiangmin = Trojan/Pirminay.gs
1 Jiangmin = Trojan/Pirminay.up
8 Jiangmin = Trojan/Swisyn.cby
1 Jiangmin = TrojanDownloader.Agent.ctuc
6 K7AntiVirus = Riskware
12 K7AntiVirus = Trojan
2 Kaspersky = HEUR:Trojan.Win32.Generic
1 Kaspersky = Trojan.Win32.Jorik.Pirminay.ano
1 Kaspersky = Trojan.Win32.Jorik.Pirminay.aoq
1 Kaspersky = Trojan.Win32.Jorik.Pirminay.avy
1 Kaspersky = Trojan.Win32.Monder.mzyl
1 Kaspersky = Trojan.Win32.Pirminay.bg
1 Kaspersky = Trojan.Win32.Pirminay.bhy
1 Kaspersky = Trojan.Win32.Pirminay.cub
1 Kaspersky = Trojan.Win32.Pirminay.hjy
1 Kaspersky = Trojan.Win32.Pirminay.hlu
8 Kaspersky = Trojan.Win32.Swisyn.jyb
1 McAfee = Downloader.a!bu
1 McAfee = Downloader.a!cc
1 McAfee = Downloader.a!vz
1 McAfee = Generic Downloader.x!g2z
1 McAfee = Generic.dx!yak
1 McAfee = Generic.evx!bd
2 McAfee = Generic.evx!bg
1 McAfee = Kryp.b
8 McAfee = Swisyn.s
1 McAfee-GW-Edition = Downloader.a!cc
1 McAfee-GW-Edition = Generic Downloader.x!g2z
1 McAfee-GW-Edition = Generic.dx!yak
1 McAfee-GW-Edition = Generic.evx!bd
2 McAfee-GW-Edition = Generic.evx!bg
4 McAfee-GW-Edition = Heuristic.BehavesLike.Win32.Downloader.A
1 McAfee-GW-Edition = Heuristic.BehavesLike.Win32.Downloader.D
1 McAfee-GW-Edition = Heuristic.BehavesLike.Win32.Downloader.H
1 McAfee-GW-Edition = Heuristic.LooksLike.Trojan.Dropper.B
1 McAfee-GW-Edition = Kryp.b
3 McAfee-GW-Edition = Swisyn.s
1 Microsoft = Trojan:Win32/Meredrop
16 Microsoft = TrojanDownloader:Win32/Ponmocup.A
1 Microsoft = TrojanDownloader:Win32/Renos.KC
2 NOD32 = Win32/Ponmocup.AA
8 NOD32 = Win32/Qhost.NRX
2 NOD32 = Win32/TrojanDownloader.Agent.PXO
1 NOD32 = a variant of Win32/Kryptik.LLT
1 NOD32 = a variant of Win32/Kryptik.SWI
1 NOD32 = a variant of Win32/Kryptik.UFA
1 NOD32 = a variant of Win32/Kryptik.VDN
3 NOD32 = a variant of Win32/Ponmocup.AA
1 NOD32 = probably a variant of Win32/Agent.BTILRDN
8 Norman = W32/DLoader.ACMAD
3 Norman = W32/Kryptik.AIF
8 Norman = W32/Obfuscated.L
8 PCTools = Malware.Changeup
5 PCTools = Trojan.Gen
1 PCTools = Trojan.Milicenso
3 Panda = Generic Trojan
2 Panda = Suspicious file
1 Panda = Trj/Agent.OLO
6 Panda = Trj/CI.A
8 Panda = Trj/Qhost.LU
1 Rising = Trojan.Win32.Generic.129CDFF1
8 Rising = Trojan.Win32.QHost.awf
1 SUPERAntiSpyware = Trojan.Agent/Gen-Falcomp[RE]
2 SUPERAntiSpyware = Trojan.Agent/Gen-Falprod[RE]
5 SUPERAntiSpyware = Trojan.Agent/Gen-HackHost
2 SUPERAntiSpyware = Trojan.Agent/Gen-Qhost
2 Sophos = Mal/Generic-L
1 Sophos = Mal/Ponmocup-A
8 Sophos = Mal/Swisyn-D
1 Sophos = Sus/Behav-278
1 Sophos = Troj/Ponmo-A
2 Sophos = Troj/Virtum-Gen
1 Symantec = Suspicious.Cloud
5 Symantec = Trojan.Gen
1 Symantec = Trojan.Milicenso
7 Symantec = W32.Changeup!gen
1 Symantec = WS.Reputation.1
1 TheHacker = Trojan/Downloader.Agent.pxo
1 TheHacker = Trojan/Kryptik.vdn
1 TheHacker = Trojan/Pirminay.bhf
1 TheHacker = Trojan/Pirminay.bhy
1 TheHacker = Trojan/Pirminay.fwy
1 TheHacker = Trojan/Ponmocup.aa
8 TheHacker = Trojan/Swisyn.jyb
8 TrendMicro = TROJ_FAM_00001e3.TOMA
1 TrendMicro = TROJ_GEN.R11C7KB
1 TrendMicro = TROJ_GEN.R21C2F4
1 TrendMicro = TROJ_GEN.R21C2FE
1 TrendMicro = TROJ_GEN.R23C3BD
1 TrendMicro = TROJ_GEN.R3BCRBR
1 TrendMicro = TROJ_GEN.R47C7K8
1 TrendMicro = TROJ_GEN.R47C7KE
1 TrendMicro = TROJ_GEN.R4AC7KK
1 TrendMicro = TROJ_PONMOCUP.AB
1 TrendMicro = TROJ_PONMOCUP.AC
8 TrendMicro-HouseCall = TROJ_FAM_00001e3.TOMA
1 TrendMicro-HouseCall = TROJ_GEN.R11C7KB
1 TrendMicro-HouseCall = TROJ_GEN.R21C2F4
1 TrendMicro-HouseCall = TROJ_GEN.R21C2FE
1 TrendMicro-HouseCall = TROJ_GEN.R23C3BD
1 TrendMicro-HouseCall = TROJ_GEN.R3BCRBR
1 TrendMicro-HouseCall = TROJ_GEN.R47C7K8
1 TrendMicro-HouseCall = TROJ_GEN.R47C7KE
1 TrendMicro-HouseCall = TROJ_GEN.R4AC7KK
1 TrendMicro-HouseCall = TROJ_PONMOCUP.AB
1 TrendMicro-HouseCall = TROJ_PONMOCUP.AC
1 VBA32 = SScope.Trojan.Pirminay.chc
8 VBA32 = SScope.Trojan.VB.0609
1 VBA32 = Trojan.Fksys.81105
1 VBA32 = Trojan.Jorik.Pirminay.ano
1 VBA32 = Trojan.Pirminay.bg
1 VBA32 = Trojan.Pirminay.cta
1 VBA32 = Trojan.Pirminay.fwz
1 VIPRE = Trojan-Downloader.Win32.Agent.ecjo (v)
7 VIPRE = Trojan.Win32.Generic!BT
1 VIPRE = Trojan.Win32.Monder.gen
8 VIPRE = Trojan.Win32.Swisyn.jyb (v)
8 ViRobot = Trojan.Win32.Swisyn.65024
1 VirusBuster = Trojan.Kryptik!XPYaFkgQJuY
1 VirusBuster = Trojan.Kryptik!YhtS8OcgDPE
1 VirusBuster = Trojan.Monder!KTXAshYxjGA
1 VirusBuster = Trojan.Pirminay!1T9hymiWPH0
1 VirusBuster = Trojan.Ponmocup!Qf/SCxIUIDk
1 VirusBuster = Trojan.Ponmocup!lGJTkqsZNdg
8 VirusBuster = Trojan.Swisyn!whPY1JLc4mw
1 VirusBuster = TrojanSpy.Agent!jdleA1Gsspg
1 eSafe = Win32.GenVariant.Gra
1 eSafe = Win32.HEURCrypted.E
1 eSafe = Win32.Milicenso
1 eSafe = Win32.TRGraftor
1 eSafe = Win32.Trojan
8 eTrust-Vet = Win32/Swisyn.R
1 nProtect = Backdoor/W32.Agent.294341
3 nProtect = Gen:Variant.Graftor.3421
1 nProtect = Trojan/W32.Jorik.219136.B
1 nProtect = Trojan/W32.Jorik.236032.B
1 nProtect = Trojan/W32.Jorik.243712.D
1 nProtect = Trojan/W32.Pirminay.17176
1 nProtect = Trojan/W32.Pirminay.313344
1 nProtect = Trojan/W32.Pirminay.438601
1 nProtect = Trojan/W32.QHosts.122880
1 nProtect = Trojan/W32.QHosts.147456
1 nProtect = Trojan/W32.Swisyn.126976.G
1 nProtect = Trojan/W32.Swisyn.157184
1 nProtect = Trojan/W32.Swisyn.184320.I
1 nProtect = Trojan/W32.Swisyn.241664.F
1 nProtect = Trojan/W32.Swisyn.79872


There is only one A/V product that recognized more than half the samples with the same detection name:

16 Microsoft = TrojanDownloader:Win32/Ponmocup.A

The samples' MD5 hashes are:



And here are some more file details.


Updated 2012-05-13:
I received the results for all 160 Ponmocup samples.

Here is the number of detections out of the 160 samples for each A/V:

    158 GData
    158 BitDefender
    157 Ikarus
    155 AntiVir
    154 NOD32
    153 F-Secure
    151 AVG
    149 Avast
    148 VIPRE
    146 Panda
    145 Microsoft
    145 McAfee-GW-Edition
    141 McAfee
    141 Comodo
    140 AhnLab-V3
    138 Sophos
    138 Norman
    137 nProtect
    136 Kaspersky
    134 TrendMicro-HouseCall
    133 TrendMicro
    133 Emsisoft
    132 K7AntiVirus
    130 Symantec
    127 Jiangmin
    124 PCTools
    123 TheHacker
    123 Fortinet
    114 VirusBuster
    101 Avast5
    100 DrWeb
     99 Antiy-AVL
     88 VBA32
     78 CAT-QuickHeal
     65 SUPERAntiSpyware
     55 F-Prot
     55 Commtouch
     52 Rising
     46 eSafe
     34 eTrust-Vet
     34 ViRobot
     27 ClamAV
     12 ByteHero
      3 Prevx


Here are the top 25 detection names by count:

    136 Microsoft = TrojanDownloader:Win32/Ponmocup.A
    106 Ikarus = Trojan.Win32.Pirminay
     96 VIPRE = Trojan.Win32.Generic!BT
     86 Emsisoft = Trojan.Win32.Pirminay!IK
     76 Comodo = TrojWare.Win32.Trojan.Agent.Gen
     76 Antiy-AVL = Trojan/Win32.Pirminay.gen
     74 Norman = W32/Obfuscated.L
     70 Panda = Trj/CI.A
     67 K7AntiVirus = Riskware
     63 K7AntiVirus = Trojan
     57 PCTools = Trojan.Gen
     56 Sophos = Mal/Generic-L
     52 Symantec = Trojan.Gen
     34 Avast = Win32:Malware-gen
     34 AhnLab-V3 = Trojan/Win32.Pirminay
     32 Sophos = Mal/Ponmocup-A
     32 NOD32 = Win32/TrojanDownloader.Agent.PXO
     32 Comodo = UnclassifiedMalware
     31 NOD32 = Win32/Qhost.NRX
     31 DrWeb = Trojan.Hosts.303
     30 eTrust-Vet = Win32/Swisyn.R
     30 VirusBuster = Trojan.Swisyn!whPY1JLc4mw
     30 ViRobot = Trojan.Win32.Swisyn.65024
     30 VIPRE = Trojan.Win32.Swisyn.jyb (v)
     30 TrendMicro-HouseCall = TROJ_FAM_00001e3.TOMA

Some A/V products use these common names (Ponmocup, Pirminay, Swisyn) but number the variants. Here is the number of different variants per A/V:

     53 AhnLab-V3
     40 AntiVir
      3 Antiy-AVL
     10 Avast
      8 Avast5
     56 CAT-QuickHeal
      1 ClamAV
      2 Commtouch
      1 Comodo
      4 Emsisoft
      2 F-Prot
     33 Fortinet
      4 Ikarus
     57 Jiangmin
     95 Kaspersky
      1 McAfee
      1 McAfee-GW-Edition
      1 Microsoft
      2 NOD32
      1 Panda
      3 Sophos
     60 TheHacker
      2 TrendMicro
      2 TrendMicro-HouseCall
     45 VBA32
      2 VIPRE
      3 ViRobot
     21 VirusBuster
      1 eSafe
      3 eTrust-Vet
     58 nProtect


Highlighted are some A/V with the most detections under one well-known name, some variants of a well-known name, or some generic name.

You can make of this statistic whatever you like.
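How the three tables above (detections per A/V, top detection names, family variants per A/V) can be derived from per-sample scan results, as an added example that is not the author's script. The input is a constructed, much smaller result set in the shape a VirusTotal-style report yields, so its counts do not match the post's tables.

```python
"""Reproduce the three A/V statistics from per-sample scan results.

Added example, not the author's script. Input: sample id -> {vendor: detection
name or None}. The SAMPLE_RESULTS below are constructed, not real scan data.
"""
from collections import Counter, defaultdict

# Family names several vendors use, each with its own variant numbering.
FAMILY_NAMES = ("ponmocup", "pirminay", "swisyn")

# Constructed sample results: three samples, four vendors.
SAMPLE_RESULTS = {
    "sample-1": {"Microsoft": "TrojanDownloader:Win32/Ponmocup.A",
                 "Kaspersky": "Trojan.Win32.Pirminay.bg",
                 "Symantec": "Trojan.Gen", "ClamAV": None},
    "sample-2": {"Microsoft": "TrojanDownloader:Win32/Ponmocup.A",
                 "Kaspersky": "Trojan.Win32.Pirminay.bhy",
                 "Symantec": None, "ClamAV": "Trojan.VB-43290"},
    "sample-3": {"Microsoft": None,
                 "Kaspersky": "Trojan.Win32.Swisyn.jyb",
                 "Symantec": "Trojan.Gen", "ClamAV": "Trojan.VB-43290"},
}


def detections_per_vendor(results):
    """Number of samples each vendor detected under any name, most first."""
    counts = Counter()
    for verdicts in results.values():
        for vendor, name in verdicts.items():
            if name:
                counts[vendor] += 1
    return counts.most_common()


def top_detection_names(results, n=25):
    """Most frequent (vendor, name) pairs. A high count under one name means
    the vendor recognizes the family consistently rather than per sample."""
    counts = Counter()
    for verdicts in results.values():
        for vendor, name in verdicts.items():
            if name:
                counts[(vendor, name)] += 1
    return counts.most_common(n)


def family_variants_per_vendor(results, families=FAMILY_NAMES):
    """Distinct detection names per vendor that contain one of the family
    names, i.e. how finely each vendor splits the family into variants."""
    names = defaultdict(set)
    for verdicts in results.values():
        for vendor, name in verdicts.items():
            if name and any(f in name.lower() for f in families):
                names[vendor].add(name)
    return {vendor: len(v) for vendor, v in names.items()}


if __name__ == "__main__":
    print(detections_per_vendor(SAMPLE_RESULTS))
    print(top_detection_names(SAMPLE_RESULTS))
    print(family_variants_per_vendor(SAMPLE_RESULTS))
```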


Updated 2012-05-30:

Here is a list of Ponmocup redirection domains & IPs from April and May 2012:



Since 2012-05-15 a new IP (178.211.33.205) has been used and several new domains.
The "*" subdomain stands for the source-port number (4-5 digits), but recently I've seen some random alpha-char subdomains (e.g. "fliboyshit.zk28wines.com"), which I've noted as "(random-alpha)*".

And here are some more infected servers (malware-domain / infected-server-domain):

Using "/cgi-bin/r.cgi" redirection pattern:

herocopter.com  www.drdracingheads.com
earlyanswered.com  skyfield.eu
earlyanswered.com  www.thorenberg.ch
costslaid.com  www.comedy-hamburg.de
teethalong.org  www.brautwelt.com

Using "/url" redirection pattern:

turboldd.greensforum.com  www.tanz-tschui.ch
64890.customshowerdoorandclosets.com  www.novoglas.ch
elianis.funfitnessconcepts.com  shop.wiltec.info
62708.dancearkansas.com  www.westcoastsports.ca
40172.learn2drive4free.com  www.autocamp-nordsee.com
61136.3d-tablet.cc  www.europschool.net
54280.soroki.info  citv.nl
derhana.ottawaapplianceservice.com  www.zur-sonne.de
alqssas.kmpowersports.com  www.real-art.ch


The infection can still be verified with some online services like urlquery.net or Wepawet, as this example shows (for this type of infection urlvoid.com is ineffective!):

http://www.urlvoid.com/scan/zur-sonne.de/
Detections     0/32 (0.00%)
Status     CLEAN  -- is wrong!

http://urlquery.net/report.php?id=61463
http://urlquery.net/domainmap.php?id=61463

GET / HTTP/1.1
Host: www.zur-sonne.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=search

HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 30 May 2012 19:58:03 GMT
Server: Apache
Set-Cookie: wXu=88; path=/; domain=www.zur-sonne.de; expires=Thu, 07-Jun-2012 06:43:03 GMT
Location: http://derhana.ottawaapplianceservice.com/url?sa=D&source=web&cd=40&ved=0Y0njnzC0&url=http://www.zur-sonne.de/&ei=2ZIhfanJ4a20qo2MzFI19pu1pw==&usg=VtQuEf-ZH8RtWK5VeBWaYx&sig2=TcdEGbs2CczezFymxobGQs
Content-Length: 409
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
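A small detector for the redirect shape shown in the exchange above, added here as an example and not code from the original post. It takes captured HTTP response headers (proxy log or sandbox output) and flags a 3xx whose Location matches the "/url" pattern: a first host label of 4-5 digits or random letters on a throw-away redirection domain, plus the Google-result-like query keys; the sample responses inside are constructed from the headers quoted above.

```python
"""Flag Ponmocup-style "/url" redirects in captured HTTP responses.

Added example, not code from the original post. It encodes the redirect
shape shown in the exchange above: a 302 whose Location points at a
subdomain made of 4-5 digits (the visitor's source port) or a run of random
letters, on a throw-away redirection domain, with a Google-result-like
query string (sa=D&source=web&cd=..&ved=..&url=..&ei=..&usg=..&sig2=..).
"""
import re
from urllib.parse import parse_qs, urlsplit

# First host label: 4-5 digits (source port) or a lower-case word.
# "www" is too short to match, which keeps ordinary sites out.
_LABEL_RE = re.compile(r"^(?:\d{4,5}|[a-z]{4,12})$")

# Query keys the redirector copies from a Google search-result URL.
_EXPECTED_KEYS = {"sa", "source", "cd", "ved", "url", "ei", "usg", "sig2"}


def classify_location(location):
    """Return details if `location` matches the Ponmocup /url pattern, else None."""
    parts = urlsplit(location.strip())
    labels = parts.hostname.split(".") if parts.hostname else []
    if parts.scheme != "http" or parts.path != "/url" or len(labels) < 3:
        return None
    if not _LABEL_RE.match(labels[0]):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not _EXPECTED_KEYS.issubset(qs) or qs["sa"] != ["D"]:
        return None
    return {
        "redirect_domain": ".".join(labels[1:]),
        "subdomain_kind": "source-port" if labels[0].isdigit() else "random-alpha",
        "compromised_site": urlsplit(qs["url"][0]).hostname,
    }


def scan_response(raw_response):
    """Parse one captured HTTP response (status line plus headers as text).

    Returns the classification dict, extended with the status code and the
    cookie the infected server set, or None for anything else.
    """
    lines = raw_response.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        return None
    status = lines[0].split(" ", 2)[1]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            break  # blank line or body: end of the header block
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if status not in ("301", "302", "303", "307") or "location" not in headers:
        return None
    hit = classify_location(headers["location"])
    if hit is None:
        return None
    hit["status"] = status
    hit["cookie_set"] = headers.get("set-cookie", "").split(";", 1)[0] or None
    return hit


# Constructed samples: the zur-sonne.de response quoted above and a benign redirect.
PONMOCUP_RESPONSE = """HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Server: Apache
Set-Cookie: wXu=88; path=/; domain=www.zur-sonne.de; expires=Thu, 07-Jun-2012 06:43:03 GMT
Location: http://derhana.ottawaapplianceservice.com/url?sa=D&source=web&cd=40&ved=0Y0njnzC0&url=http://www.zur-sonne.de/&ei=2ZIhfanJ4a20qo2MzFI19pu1pw==&usg=VtQuEf-ZH8RtWK5VeBWaYx&sig2=TcdEGbs2CczezFymxobGQs
Content-Length: 409
"""

BENIGN_RESPONSE = """HTTP/1.1 302 Found
Server: Apache
Location: http://www.example.com/login?next=/
Content-Length: 0
"""

if __name__ == "__main__":
    for raw in (PONMOCUP_RESPONSE, BENIGN_RESPONSE):
        print(scan_response(raw))
```

Running it prints the classification for the infected response and None for the benign one; in practice you would feed it the Location headers from proxy logs rather than whole captures.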


http://www.urlvoid.com/scan/brautwelt.com/
Detections     0/32 (0.00%)
Status     CLEAN  -- is wrong!

http://urlquery.net/report.php?id=61035
http://urlquery.net/domainmap.php?id=61035

http://wepawet.cs.ucsb.edu/view.php?hash=7bd389d100b214c2c3d828a625a4d960&t=1338367510&type=js

So much for now, will update later :)


Updated 2012-05-31: new IP in new AS from Ukraine

Since yesterday there seems to be a new domain and IP used for redirection.

*.suncoastintegration.com / 91.207.4.51

http://urlquery.net/report.php?id=61824
http://urlquery.net/domainmap.php?id=61824

GET / HTTP/1.1
Host: www.haar-kosmetik-elke.at
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=haare elke

HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 31 May 2012 15:22:26 GMT
Server: Apache
Set-Cookie: ycg=7; path=/; domain=www.haar-kosmetik-elke.at; expires=Thu, 07-Jun-2012 22:09:26 GMT
Location: http://64818.suncoastintegration.com/url?sa=D&source=web&cd=35&ved=0Uwyx0bHq&url=http://www.haar-kosmetik-elke.at/&ei=2ZIve67N5qe9r42LzFUw9Ju1pA==&usg=qxAULtLuZCKhxlKx8jozeI&sig2=Xbx4cH8V3ygWhtyx7magT7
Content-Length: 488
Connection: close


