For over two and a half years now, since March 2011, I've been researching and analysing this Ponmocup malware, which has so many different names. During this time I've written several blog posts, malware analyses [1, 2], a "Ponmocup Finder" tool and published (CIF) feeds of malware domains.
- "Ponmocup Hunter" SANS DFIR Summit 2013
- History of Ponmocup Malware / Botnet
- Introducing Ponmocup-Finder
- Hunting Ponmocup Botnet
- Ponmocup, lots changed, but not all
- Not APT, but nasty malware (Ponmocup botnet)
This year I have given three presentations called "My name is Hunter, Ponmocup Hunter", and each talk was different in some ways. To get the most out of them, you may want to view the slides in chronological order, or you can just skip to the latest and most complete one, from BotConf (although the earlier ones had more details about certain things).
- SANS DFIR Summit, Austin Texas, July 2013 (PDF slides, alt. link)
- DeepSec conference, Vienna Austria, November 2013 (PDF slides, alt. link)
- BotConf conference, Nantes France, December 2013 (PDF slides, video maybe soon)
The BotConf talk was video recorded, and hopefully soon I will be able to review the video and decide whether or not I want to release it. (Tweet me if you would definitely like to see it.)
I received some very nice feedback after every presentation; here is one of my favorites:
My public work is done (at least for a while, who knows), but the fight against this botnet has just begun. If you have first-hand knowledge about this malware (probably most commonly known as Vundo), please ask to join the Ponmocup Botnet Working Group, which has been formed for this reason.
Update 2013-12-29:
There have been some great blog posts about the delivery of Ponmocup called Zuponcic Kit:
- Zuponcic: "Is it a bird?... Is it a plane?... No, it's another Exploit Kit" (Part 1)
- Zuponcic: "Is it a bird?... Is it a plane?... No, it's another... wait, what!?" (Part 2)
- Not quite the average exploit kit: Zuponcic (must read!)
by Maarten van Dantzig, Yonathan Klijnsma & Barry Weymes (Fox-IT)
In February at SAS2013, Eugene Aseev from Kaspersky Labs presented "The Hidden Bot", which also highlights the fact that this malware / botnet is not (yet) well known or researched. Unfortunately, the PDF doesn't show all the details from the presentation, so if you would like the full-featured PPT version, please contact Eugene or me.
This post is a work in progress, mostly just to link to my presentations, and I will keep updating it for a while as new details become available.
Update 2014-01-30:
The video recorded from my latest "Ponmocup Hunter" talk at BotConf has been made publicly available. Thanks to Frederic (@udgover) for the hard work put into making the video.
Just a couple of warnings before linking to the video:
1) I don't consider myself a great or experienced speaker. I was still very nervous before every talk, but during the talk it got better.
2) I had a very hoarse voice during my BotConf presentation because I was talking too much and too loud the night before with many great speakers and attendees at the dinner event.
So hopefully you will keep this in mind when watching the video and can see past it. I gave the talk because I wanted to make more people aware of this botnet, and looking at the activity in my working group, I think I succeeded at that.
So without further ado, I hope you like the video!
Also check out the other BotConf videos available.
I also like this picture from my talk at DeepSec :-)
Cheers,
@c_APT_ure