This page is dedicated to providing a collection of links and details about the Ponmocup malware / botnet.
We've discovered several infected hosts and have malware samples, memory dumps (Memoryze) and C&C traffic details available upon request.

Please send comments and questions to:  toms.security.stuff -at- gmail.com

>>> You can also follow me on Twitter: @c_APT_ure or read my Blog <<<

Work in progress... (created on 2011-05-30 / updated: 2012-02-20)


- History of Ponmocup botnet domains (added: 2012-02-20): history by domains/IP and by date seen accessed; more complete list of domains/IPs from different sources
- New OSINT research for malware reports (added: 2012-02-18): finding online analysis reports by googling for indicators
- Brand new C2 research is available (added: 2011-11-28): please read this first. Here you find the new C2 domains, IPs, URL-patterns and User-Agents. You can browse all files here.

Here's a list of (previously or still) infected domains and Ponmocup redirection malware domains and IPs.

Inquiry: If you see hits on Snort ET rules like "ET CURRENT_EVENTS Ponmocup C2 ...", please let me know of currently used C2 domains. Thanks!

Update 2011-10-22: Thanks Jason for submitting new infection and C2 domains (4 each). The domains have been added to this list: malicious domains / IPs

Update 2011-11-23: I've analyzed a memory dump with Mandiant's Redline and extracted two malware procs with Memoryze.
  Redline --> Screenshots of Redline analysis
  Memoryze --> Overview of extracted proc files
Never mind, I was misled by the Redline analysis and started hunting ghosts :-( This seems to be legit HP software (drivers): Service NetDriver HPZ12 and PmlDriver HPZ12
http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/97e12f87-fc66-4a9e-8a84-02a35b1a6dd4/
So let's start again from known bad!

Update 2011-11-23: I've analyzed and extracted the malware with Memoryze and Audit Viewer.
  Audit Viewer --> Screenshots of Audit Viewer analysis
  Memoryze --> Overview of extracted proc files
Please mail me for the link to download the Memoryze / Audit Viewer exported files (toms.security.stuff -at- gmail.com)
Identification

Host:
- random named registry keys (under HKLM\Software / HKCU\Software)
- modified hosts file

Network:
- web requests to C2 domains / IPs (ET snort rules)
- URL-patterns (proxy log analysis)
- faked user-agent (ET snort rules)
General links

- Dynamoo's Blog: virtualmapping.org redirect
- How big is the Ponmocup botnet?
- www.abuse.ch blog: How Big is Big? Some Botnet Statistics
- Infection through hacked web servers: website hacked with extra .htaccess in all folders and ROOT folder??
  >>> Have you checked your logs for access to these malicious domains / IPs yet? <<<
- infernomag.com / gtracking.org nastiness
- Bot Network classification inquiry
- SOPHOS: Mal/Ponmocup-A (detailed analysis of 3 samples)
  Malware samples MD5: 820ed1d99e2b771d915e033450fa0b0f, bd291073fc2cb39456886d091a5ee85c, 593af63840f11883610ba95d6744c4b1
  The above analysis shows that binary code is also stored in different registry keys. We were also able to extract such registry "blobs" from infected hosts, some keys larger than 100 KB. These could be (encrypted) malware components. (?)
- SOPHOS: Troj/Mdrop-CLC
- ThreatExpert analysis (also shows registry entries)
- Microsoft MPC: TrojanDownloader:Win32/Ponmocup.A
- Troublesome Trojan Trammels Torrent Sites (from 2010/11/24 !)
- The Pirate Bay and Mininova Blocked by Mysterious New Trojan
- New Trojan Blocks Access To Bittorrent Websites: Webroot
- Media Site Pimping Malware
- TrendMicro: TSPY_PIRMINAY.A
C&C traffic details

Infection step (precondition: "normal" User-Agent, i.e. IE, and a Referer header from a search engine):
  URL-pattern: /cgi-bin/r.cgi?p=...&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}
  Domain / IP: many domains / IPs of infected servers!
  * NEW * List of infected and malware-hosting domains / IPs: HTML / TXT (updated: 2011-06-22)
  * NEW * Samples of infector downloads: 2011-05-12 / 2011-06-30 / 2011-07-19 / 2011-07-21 / 2011-08-03
  * NEW * Online analysis of latest infector samples: Anubis / ThreatExpert (2011-07-19)
  * NEW * Online analysis of latest infector samples: Anubis / ThreatExpert (2011-07-21)

  URL-pattern: /se/...[long hex string].../...[7-8-char hex string].../<search_query_words>.com
  Domain / IP: subdomain.therealityglove.com / 95.168.177.142
  (where subdomain is often one word followed by one number, and <search_query_words> are the search words from the search engine)

After executing the downloaded .COM-file infector:
  URL-pattern: /html/license_43EC922...[long hex string].html
  Domain / IP: surfacechicago.net / 78.159.100.32, checkwebspeed.net / 95.211.8.196
  Assumed "phone home": get commands, send stolen data, download further malware... (?)

  URL-pattern: /images2/BD35...[long hex string].swf
  Domain / IP: 94.75.234.107, 85.17.139.239, marksandco.net / 94.75.234.98, omniwebpro.org / 94.75.201.35

  URL-pattern: /cgi-bin/shopping3.cgi?a=[long hex string] (request to some other domain with large download -- malware update?)
  URL-pattern: /cgi-bin/unshopping3.cgi?b=[long hex string]
  Domain / IP: amegatech.net / 94.75.234.98

  URL-pattern: /cgi-bin/rokfeller3.cgi?v=11 (with long hex string in POST body -- some sample data available)
  Domain / IP: intermediacorp.org / 85.17.188.195

Here is a list of domains & IPs identified for C2 traffic:
  omniwebpro.org      94.75.201.35    (first used 2011-03-18)
  85.17.139.239       85.17.139.239   (first used 2011-03-17)
  rapidstream.biz     85.17.139.238   (first used 2011-03-15)
  intermediacorp.org  85.17.188.195   (first used 2011-03-14)
  94.75.201.36        94.75.201.36    (first used 2011-03-11)
  amegatech.net       94.75.234.98    (first used 2011-03-04)
  marksandco.net      94.75.234.98    (used from 2010-02-26 to 2011-03-03)
  inetspeedup.com     94.75.234.98    (first used 2011-02-17)
  94.75.234.107       94.75.234.107   (first used 2011-02-12)

Domains / IPs used from 2010-02-24 to 2011-02-11:
  amegatech.net       174.36.82.151   (first used 2011-02-06)
  inetspeedup.com     174.36.82.151   (first used 2011-01-19)
  marksandco.net      174.36.82.151   (first used 2010-03-07)
  174.36.82.151       174.36.82.151   (first used 2010-03-01)
  mtuconnectwall.org  174.36.82.151   (used from 2010-02-24 to 2010-10-27)

>>> List of malicious domains / IPs <<<
Snort rules

Ponmocup related ET snort rules: http://rules.emergingthreats.net/open-nogpl/suricata/rules/

emerging-trojan.rules & emerging-current_events.rules:

[pre infection]
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; classtype:attempted-user; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; sid:2013181; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Ponmocup Driveby Download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/se/"; nocase; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ui"; classtype:bad-unknown; reference:url,www9.dyndns-server.com%3a8080/pub/botnet/r-cgi_malware_analyse.txt; sid:2013312; rev:2;)

[post infection]
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; uricontent:"/images2/"; nocase; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/U"; classtype:trojan-activity; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; sid:2012799; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 2"; flow:established,to_server; uricontent:"/cgi-bin/rokfeller3.cgi?v=11"; nocase; classtype:trojan-activity; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; sid:2012800; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/cgi-bin/shopping3.cgi?a="; nocase; classtype:attempted-user; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; sid:2013179; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Malware Update after fake JPEG download"; flow:established,to_server; uricontent:"/cgi-bin/unshopping3.cgi?b="; nocase; classtype:attempted-user; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; sid:2013180; rev:6;)

emerging-user_agents.rules:

[post infection]
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spoofed MSIE 7 User-Agent Likely Ponmocup"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| MSIE 7.0|3b| Windows NT 6.0|3b| en-US)|0d 0a|"; classtype:trojan-activity; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; sid:2012801; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| MSIE 8.0|3b| Windows NT 6.0|3b| en-US)|0d 0a|"; classtype:trojan-activity; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; sid:2012802; rev:3;)
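The URL-patterns from the C&C traffic section and the ET rules above can be applied retroactively to proxy logs, which is the "proxy log analysis" the Identification section refers to. The following is an added example (not code from this page or its author): it transcribes the rules' URI regexes and the spoofed User-Agent string into Python and runs them over a constructed tab-separated log (client, method, URL, User-Agent), a format assumed here for illustration.

```python
import re
from urllib.parse import urlsplit

# Regexes transcribed from the ET Snort rules / URL-patterns quoted on this page.
URI_RULES = [
    ("ET 2013181 redirect from infected site", re.compile(
        r"/cgi-bin/r\.cgi\?(?=[^ ]*\bp=)(?=[^ ]*\bh=)(?=[^ ]*\bu=)(?=[^ ]*\bq=)(?=[^ ]*\bt=)", re.I)),
    ("ET 2013312 driveby download", re.compile(
        r"/se/[a-f0-9]{100,200}/[a-f0-9]{6,9}/[A-Z0-9_]{4,200}\.com", re.I)),
    ("ET 2011969 C2 check-in", re.compile(r"/html/license_[0-9A-F]{550,}\.html", re.I)),
    ("ET 2012799 C2 sending data 1", re.compile(r"^/images2/[0-9a-fA-F]{500,}")),
    ("ET 2012800 C2 sending data 2", re.compile(r"/cgi-bin/rokfeller3\.cgi\?v=11", re.I)),
    ("ET 2013179 update before fake JPEG", re.compile(r"/cgi-bin/shopping3\.cgi\?a=", re.I)),
    ("ET 2013180 update after fake JPEG", re.compile(r"/cgi-bin/unshopping3\.cgi\?b=", re.I)),
]
# Spoofed UA from ET 2012801/2012802: an MSIE 7/8 claim inside a "Mozilla/5.0" string.
SPOOFED_UA = re.compile(r"^Mozilla/5\.0 \(Windows; U; MSIE [78]\.0; Windows NT 6\.0; en-US\)$")

def check_request(url, user_agent):
    """Return the names of all Ponmocup indicators matched by one proxied request."""
    parts = urlsplit(url)
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    hits = [name for name, rx in URI_RULES if rx.search(path_query)]
    if SPOOFED_UA.match(user_agent):
        hits.append("ET 2012801/2 spoofed MSIE user-agent")
    return hits

def scan_log(lines):
    """Scan tab-separated lines 'client\\tmethod\\turl\\tuser-agent' (a constructed format)."""
    findings = []
    for line in lines:
        client, _method, url, ua = line.rstrip("\n").split("\t")
        for hit in check_request(url, ua):
            findings.append((client, hit, urlsplit(url).hostname))
    return findings

# Constructed sample log: redirect, driveby, C2 check-in with spoofed UA, and one benign request.
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
SAMPLE_LOG = [
    "10.0.0.5\tGET\thttp://hacked.example/cgi-bin/r.cgi?p=1&h=hacked.example&u=/blog/&q=&t=1305000000\t" + IE8,
    "10.0.0.5\tGET\thttp://word1.therealityglove.com/se/" + "ab12" * 30 + "/c0ffee42/FREE_MUSIC.com\t" + IE8,
    "10.0.0.5\tGET\thttp://surfacechicago.net/html/license_" + "43EC" * 150 + ".html\t"
    "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
    "10.0.0.7\tGET\thttp://www.example.org/index.html\tMozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
]

if __name__ == "__main__":
    for client, hit, host in scan_log(SAMPLE_LOG):
        print(f"{client}  {hit}  -> {host}")
```

Unlike the Snort rules, this runs against logs that only keep the URL and User-Agent, so the POST-body and HTTP-method conditions of the original rules are not checked; treat a single hit as a lead, and a sequence (redirect, /se/ download, license_ check-in from one client) as a strong indicator of infection.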
Malware samples

The following 3 samples were extracted from infected hosts:
  ced3103e366d2eeac145639b080b3426  HPZipm12L.dll  (VT results 33 / 43)
  dfe859eda8d9ed88863896ac233b17a9  crtdllo.dll    (VT results 16 / 42)
  04366dfaa4a7d32066fa6dcda14c9e94  ole32H.dll     (VT results 12 / 42)

Update 2011-06-22: current VT detections from 2011-06-22; list of signature names from AVs
written with the most powerful HTML editor --> vi ;-)