Sunday, December 15, 2013

Ponmocup Hunter is (re-)tired

Update: Video from BotConf talk available now :-) (see below)

For over two and a half years now, since March 2011, I've been researching and analysing this Ponmocup malware, which has so many different names. During this time I've written several blog posts, malware analyses [1, 2], a "Ponmocup Finder" tool and published (CIF) feeds of malware domains.

This year I have given three presentations called "My name is Hunter, Ponmocup Hunter", and each talk was different in some ways. To get the most out of all you may want to view the slides in chronological order, or you can just skip to the latest and most complete one from BotConf (although previous ones had more details about certain things).

The BotConf talk was video recorded and hopefully soon I will be able to review the video and decide if I want to release it or not. (Tweet me if you would like to see it for sure)

I received some very nice feedback after every presentation; here is one of my favorites:

My public work is done (at least for a while, who knows), but the fight against this botnet has just begun. If you have first-hand knowledge about this malware (most commonly known probably as Vundo) please ask to join the Ponmocup Botnet Working Group, which has been formed for this reason.

Update 2013-12-29:

There have been some great blog posts about the delivery of Ponmocup called Zuponcic Kit:

by Malwageddon

by Maarten van Dantzig, Yonathan Klijnsma & Barry Weymes (Fox-IT)

In February at SAS2013 Eugene Aseev from Kaspersky Labs presented "The Hidden Bot", which also highlights the fact that this malware / botnet is not well known and researched (yet). Unfortunately, the PDF doesn't show all details from the presentation, so if you would like the full-featured PPT version, please contact Eugene or me.

This post is a work in progress, mostly just to link to my presentations, and I will update it for a while as new details become available.

Update 2014-01-30:

The video recorded from my latest "Ponmocup Hunter" talk at BotConf has been made publicly available. Thanks to Frederic (@udgover) for the hard work put into making the video.

Just a couple warnings before linking to the video:

1) I don't consider myself a great or experienced speaker. I was still very nervous before every talk, but during the talk it got better.

2) I had a very hoarse voice during my BotConf presentation because I was talking too much and too loud the night before with many great speakers and attendees at the dinner event.

So hopefully you keep this in mind when watching the video and can see past it. I was giving the talk because I wanted to make more people aware of this botnet, and looking at the activity in my working group I think I succeeded with that.

So without further ado, I hope you like the video !

Also check out the other BotConf videos available.

I also like this picture from my talk at DeepSec :-)


Tuesday, June 25, 2013

Free DFIR Summit ticket contest

Sorry guys and gals, the contest ended prematurely and a winner has been chosen and notified already. So no more submissions will be processed.

This may end up being just a temporary blog post for this one reason...

SANS generously offered me a complimentary DFIR Summit ticket to invite someone ("my guest"). So I'd like to pass this on to someone who deserves it and otherwise couldn't attend the Summit.

So if you would really like to attend the DFIR Summit (to see my talk) and your employer is not paying for it and you can't afford the $1995, then you should enter the contest, or raffle, or whatever I should call it. Also, if you are going to the Summit but a colleague can't go, you can refer them here as well.

There are some requirements to qualify:

You need to be able to attend the Summit on July 9 and 10 in Austin TX. You need to pay for travel and hotel room yourself.

And this requirement from SANS directly:

"The only requirements are that your guest be recommended by you personally, and your guest must reserve his/her own room at the event hotel.  (Note: This special offer applies only to NEW hotel reservations, not existing ones.)"

An Omni hotel reservation must be made before July 1st !

Additionally, use the comment form from this post to apply for the free ticket before Saturday morning and give me the best reason why you deserve it... (any or all of the following)

  • give your full name, twitter handle, blog URL or whatever to show your identity
  • list contributions to or collaborations with the DFIR (or IT-sec in general) community with examples
  • list any other good reason you can think of
  • how many adult beverages you're gonna buy me at the summit ;-)

If you want to share some information only with me and not publicly, please clearly state (which part) in your comment, since comments are moderated.

I will decide on Saturday evening (10 pm UTC+2) who will get the spot and notify them. Hotel booking would need to be done on Sunday.

I just want to give someone a chance to attend the DFIR Summit who otherwise could not.

So please spread the word and may the best (most deserving) person win the free ticket!



Thursday, May 30, 2013

"Ponmocup Hunter" SANS DFIR Summit 2013

Update: the presentation slides have been online for a while [PDF Link].
I've given a newer version of this talk at DeepSec and BotConf. Slides will be linked when made public.

I'm thrilled to give a presentation "My name is Hunter, Ponmocup Hunter" in July at the SANS DFIR Summit 2013 in Austin, Texas. (Summit / Agenda).

In early 2011 we discovered some systems in our network infected with botnet malware. Starting from one A/V event we discovered several host- and network-based indicators to identify and confirm several infections. A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for. With a one-strike remediation all infected systems were quarantined and cleaned. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems without using exploits (only social engineering), even when protected by firewalls, IPS and multi-layered A/V. The malware got some visibility and media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman's Dream Come True". This was likely due to an unwanted side-effect or "mistake" by the bot-master and probably didn't happen to all infected hosts or networks.
You'll learn:
  • how the malware was discovered, what indicators were derived
  • how all infected hosts were identified and how remediation was done
  • how this malware spreads and how to defend against it
  • how to detect infected systems (host & network indicators)
  • how to find infected web servers used to spread it
  • what malware functionalities are known and currently still unknown

If you can attend the DFIR Summit and haven't registered yet, you can use the discount code "Swiss10" to get 10% off.

In the meantime, if you're not familiar with the Ponmocup malware yet, you can read my previous posts:

There are some more "Threat Intelligence" feeds available, besides the ones that have previously been listed:

Lists of Malware Domains and IPs (pre- and post-infection) [CIF usable]

Now there's also a list for:
Malware redirection servers and .htaccess infected web servers [CIF]

Ponmocup-Finder output:
Currently infected websites (redirecting to Malware downloads)
History of all infected websites (first and last seen)

For more details you can follow me on Twitter (@c_APT_ure) or look for #Ponmocup tweets.

If you would like to get involved with analyzing or fighting this malware / botnet, please get in touch with me.