I've given a newer version of this talk at DeepSec and BotConf. Slides will be linked when made public.
I'm thrilled to give a presentation "My name is Hunter, Ponmocup Hunter" in July at the SANS DFIR Summit 2013 in Austin, Texas. (Summit / Agenda).
Abstract:
In early 2011 we discovered some botnet malware infected systems in our network. Starting from one A/V event we discovered several host- and network-based indicators to identify and confirm several infections. A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for. With a one-strike remediation all infected systems were quarantined and cleaned. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems without using exploits (only social engineering) and protected by firewalls, IPS and multi-layered A/V. The malware got some visibility and media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman’s Dream Come True". This was likely due to an unwanted side-effect or "mistake" by the bot-master and probably didn't happen to all infected hosts or networks.
You'll learn:
- how the malware was discovered, what indicators were derived
- how all infected hosts were identified and how remediation was done
- how this malware spreads and how to defend against it
- how to detect infected systems (host & network indicators)
- how to find infected web servers used to spread it
- what malware functionalities are known and currently still unknown
If you can attend the DFIR Summit and haven't registered yet, you can use the discount code "Swiss10" to get 10% off.
In the meantime, if you're not familiar with the Ponmocup malware yet, you can read my previous posts:
- History of Ponmocup Malware / Botnet
- Introducing Ponmocup-Finder
- Hunting Ponmocup Botnet
- Ponmocup, lots changed, but not all
- Not APT, but nasty malware (Ponmocup botnet)
There are some more "Threat Intelligence" feeds available, besides the ones that have previously been listed:
Lists of Malware Domains and IPs (pre- and post-infection) [CIF usable]
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt
Now there's also a list for:
Malware redirection servers and .htaccess infected web servers [CIF]
Ponmocup-Finder output:
Currently infected websites (redirecting to Malware downloads)
History of all infected websites (first and last seen)
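As an added example (not the author's tooling or the Ponmocup-Finder code), here is how a defender could consume plain-text domain and IP feeds like the ones listed above and match them against proxy or DNS logs; the feed entries, log format and log lines below are constructed placeholders, not real Ponmocup indicators, and the matcher also catches subdomains of a listed domain.

```python
import ipaddress
import re
# Constructed sample feed content in the one-indicator-per-line text form of
# the lists above; placeholder values, not real Ponmocup indicators.
DOMAIN_FEED = """# ponmocup-botnet-domains.txt (constructed sample)
cnc.example.test
bad-example.invalid
"""
IP_FEED = """# ponmocup-botnet-ips.txt (constructed sample)
203.0.113.7
"""

def parse_feed(text):
    """Return the non-empty, non-comment entries of a plain-text feed."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def domain_matches(host, domains):
    """True if the host or any parent domain is listed, so traffic to a
    subdomain of a listed C&C domain is also caught."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

# Constructed proxy log format: "<timestamp> <client ip> <destination host/ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+)")

def scan_proxy_log(lines, domains, ips):
    """Return (timestamp, client, destination, reason) for each feed hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = m.group("dst")
        try:
            ipaddress.ip_address(dst)          # destination is a bare IP
            hit, reason = dst in ips, "ip"
        except ValueError:                     # destination is a hostname
            hit, reason = domain_matches(dst, domains), "domain"
        if hit:
            hits.append((m.group("ts"), m.group("client"), dst, reason))
    return hits

SAMPLE_LOG = [  # constructed log lines
    "2013-06-01T10:00:01 10.0.0.5 www.example.com",
    "2013-06-01T10:00:02 10.0.0.5 update.cnc.example.test",
    "2013-06-01T10:00:03 10.0.0.9 203.0.113.7",
    "2013-06-01T10:00:04 10.0.0.9 notbad-example.invalid",
]
```

The parent-domain walk means a listed `cnc.example.test` also flags `update.cnc.example.test`, while a lookalike such as `notbad-example.invalid` does not match a listed `bad-example.invalid`, because matching is done on whole labels, not substrings.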
For more details you can follow me on Twitter (@c_APT_ure) or look for #Ponmocup tweets.
If you would like to get involved with analyzing or fighting this Malware / Botnet please get in touch with me.
Cheers,
@c_APT_ure