Wednesday, June 27, 2012

History of Ponmocup Malware / Botnet

This is a history of some events and publications about the Ponmocup malware or botnet.
(work in progress -- will get updated eventually)

There are many aliases from different A/V vendors as previously mentioned on my blog
(Ponmocup, Pirminay, Kryptik, Swisyn, Vundo, Monder, Virtumonde/Virtumondo etc.).
The alias used most often lately is "Trojan.Milicenso" by Symantec, which has a good blog post and detection description about it.
And it has been around since at least 2009, not just since 2010 as stated in several places.

Update 2012-08-13: there have been some more related posts published since my original post.

2012-07-02: Symantec blog "Printer Madness: W32.Printlove Video"

2012-06-25: ComputerWorld article "Malware infection forces printers to print garbled data"
2012-06-25: ITWorld "Printer malware – Wingdings gone wild"

2012-06-23: The Hacker News "Trojan.Milicenso - Printer Trojan cause massive printing"

2012-06-22: ZDNet "Thousands of office printers hit by 'gibberish' malware"
2012-06-22: Bloomberg Tech Blog "When Hackers Fumble: ‘Printer Bomb’ Noisily Announces Attack"
2012-06-22: NET-Security "Trojan infection triggers massive printing jobs"

2012-06-21: Ars Technica "Printer bomb malware wastes reams of paper, sparks pandemonium"
2012-06-21: SANS ISC diary "Print Bomb? (Take 2)"
2012-06-21: Symantec blog "Trojan.Milicenso: A Paper Salesman’s Dream Come True"

2012-06-14: Symantec KB article "Malware is causing network printers to print random ASCII characters"

2012-06-13: McAfee Threat Advisory "Vundo"

2012-06-08: SANS ISC diary "Print Bomb?" (see also comments)
2012-06-08: Symantec forum thread "Print server gone wild"

2012-06-07: McAfee community forum thread "Printer Virus?"

2012-06-03: c-APT-ure blog post "Introducing Ponmocup-Finder"

2012-05-16: Sophos detection "Troj/Ponmocup-F"

2012-04-27: c-APT-ure blog post "Hunting Ponmocup Botnet"

2012-04-13: Collection of my tweets on Storify "A/V failed for Ponmocup malware!?"

2012-04-08: IOC on ForensicArtifacts.com "Ponmocup IOC released"

2012-03-08: c-APT-ure blog post "Ponmocup, lots changed, but not all"

2012-02-20: Ponmocup analysis page created "Why so many diff A/V detections?"

2012-02-18: c-APT-ure blog post "Not APT, but nasty malware (Ponmocup botnet)"

2011-11-15: Mandiant forum thread started "IOC request for Ponmocup malware (botnet)"

2011-05-30: created web page "Collection of links related to the Ponmocup botnet"

2011-05-23: Abuse.ch blog "How Big is Big? Some Botnet Statistics"

2011-04-22: TrendMicro detection "TSPY_PIRMINAY.A"

2011-04-21: Malware Survival "Media Site Pimping Malware"

2011-04-20: Sophos detection "Mal/Ponmocup-A" (detailed analysis of 3 samples)

2010-12-06: SPAMfighter news: "New Trojan Blocks Access To Bittorrent Websites: Webroot"

2010-11-25: Softpedia news "The Pirate Bay and Mininova Blocked by Mysterious New Trojan"

2010-11-24: Webroot blog "Troublesome Trojan Trammels Torrent Sites"

2010-07-14: Symantec detection created "Trojan.Milicenso"

2010-06-04: Microsoft MPC Encyclopedia entry "TrojanDownloader:Win32/Ponmocup.A"

2010-03-19: Sophos detection "Troj/Mdrop-CLC"

2009-12-30: Microsoft MPC Detection initially created "TrojanDropper:Win32/Ponmocup.A"

2009-11-22: Microsoft MPC Detection initially created "TrojanDownloader:Win32/Ponmocup.A"

Please report any broken (or obviously wrong) links, thanks.

Feedback and questions are welcome!

@c_APT_ure
