Monday, September 10, 2012

DeepINTEL 2012

The first DeepINTEL conference is over and it was great with a fairly small crowd, where you got to meet and talk to everyone.

Andrew Barrat, who was giving a talk about "Better Breach Disclosure = Better Risk Management?" wrote a couple of blog posts about other talks (day 1, day 2).

So for those who couldn't attend DeepINTEL, here's a high-level overview of the topics, concepts and resources I covered in my talk, which was titled "Preventing and Detecting Mass-Malware and Advanced Threats".

Here's the abstract that was submitted for the CFP:

Your organization has firewalls, network IDS/IPS, anti-virus on multiple layers, maybe even HIPS, hardening and patching done and feels pretty safe and secure. But lots of companies and organizations who got breached had all that too. So maybe that’s not enough for today’s threats any more? This speech should give you lots of new intelligence resources to know who are the different threat actors, what are their motivations and techniques, what vulnerabilities are exploited by what threat actors, and some (maybe more or less unconventional) methods for prevention or detection of these threats. Most resources used are freely available, some need free registration and some are from personal work experience.

As a brief introduction to what I think is missing, I introduced the Security Event System (SES) and Collective Intelligence Framework (CIF) projects from REN-ISAC.

The introduction about me and why I like to share malware and threat intelligence contained references to SANS ISC blog diaries (1, 2, 3), Mila's contagio malware dump blog post and a couple of posts on Kyle's threatthoughts blog about sharing indicators, which were based on information I collected and provided to them. Another example is the discovery and analysis of the Ponmocup botnet on the abuse.ch blog, where I shared a list of C&C domains for sinkholing.
This first part of the talk was also meant to show the limitations of antivirus, because lots of malware samples I discovered had zero or very low (less than 10%) initial detection rates (out of 42 AV scanners on VirusTotal), which I consider pretty bad.

Next I introduced some terms and concepts like "cyber-risk intelligence", "actionable intelligence" and "cyber-risk data" from the SBIC report Getting Ahead of Advanced Threats.
This report contains several "charts" (though I'd rather call them tables) of such cyber-risk data along with examples. The first table, about "cyber attack indicators", gives interesting examples like "description of spear phishing mails", "lists of domains hosting malware" and "set of binaries used by attackers" (which could for example be file hashes like MD5 etc.).

Then I used two quotes from Richard Bejtlich's posts on Mandiant's M-unition blog, which I like.
In a post about "understanding each type of targeted attacker" he says:
"When trying to defend an organization, it’s imperative to understand the nature of the threats who seek to compromise the enterprise. This is not a common belief, unfortunately."
In another post about "understanding state-serving adversaries" he wrote:
"A hallmark of a disciplined adversary, however, is to only use the level of “force” required to accomplish the mission, only escalating when the minimum fails to get the desired result. This is the true definition of "advanced," because it means the adversary knows how to properly deploy resources against a target."

Elaborating on the different types of threat actors I used resources from Mandiant's M-trends 2012 report, SANS Cyber Attack Threat Map (page 2 from 20 Critical Security Controls poster 2010 -- not found online anymore), and Dell SecureWorks Advanced Threat Resource Center.
The presentation "Why Are Our Defenses Failing Us? One Click Is All It Takes" from Bryce Galbraith gives a very detailed and technical analysis of how little it takes to get breached.

To give some examples and history of APT attacks I used the paper "Advanced Persistent Threats: A Decade in Review" from Command5 and the hackmaggedon.com site about "Cyber Attacks Timeline".
The next point I was trying to make is the importance of knowing what exploits are being used by which threat actors. An overview of exploit kits (also called browser exploit packs / BEP) has been updated frequently on Mila's contagio malware dump blog. This blog is also great for finding out what exploits are used (see categories / labels) and for finding malicious document samples from targeted attacks.

Another great resource giving details about what exploits are used for APT attacks is a blog post from Xecure Lab. Also from this company is XecScan, an online scan service for spear phishing document analysis. It's also a great OSINT source for indicators (MD5 hashes, C&C domains / IPs etc.) of APT spear phishing documents.

The next topic was "the need for analysis in Intelligence-Driven Defense" from the Windows-IR blog, which gives a nice summary of Dan Guido's paper "A case study of intelligence driven defense" and the Exploit Intelligence Project (EIP).

The paper "Intelligence Driven CND Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" introduces the "intrusion kill chain" and "kill chain phases" along with the definition of "late phase detection" (C2) versus "early phase detection" (delivery).

So what's the relevance of all this? What do I make of it?

Well, patching and updating all software, especially the OS, the browser and all browser plugins (Java, Flash, Adobe Reader etc.), should be a very high priority. But some software, like Java with all its dependencies, is hard(er) to patch promptly in some enterprises.

So here are some suggestions for additional mass-malware prevention on a web proxy:
  • implement a Java whitelist, allowing Java from trusted domains only (user-agent based)
  • limit executable downloads (magic bytes) to trusted domains (or categories if available)
  • block all malicious IPs, IP ranges and first-level domains (esp. dyndns) as far as possible and the business allows (start using CIF with many feeds)

And additional protection for a mail gateway:
  • block or strip all executable (magic bytes) attachments, also inside ZIP or RAR files
  • keep mail logs of A/V events (with context) for a long period
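Both lists above rely on recognising executables by their magic bytes rather than by file extension, and on looking inside archives. The following is an added example, not code from the original post, that does exactly that for a download or an attachment: it classifies content by its leading bytes and descends into ZIP archives (RAR is left out because the Python standard library cannot open it). The signature table, the size and nesting limits and the sample archive are constructed for this example.

```python
"""Added example (not code from the original post): decide by magic bytes,
not by file extension, whether a download or mail attachment is an
executable, and look inside ZIP archives as well. The signature table,
size limits and sample archive are constructed for this example; RAR is
not handled because the standard library cannot open it."""
import io
import zipfile
from typing import Optional

# Leading bytes of content a gateway would block (assumed policy, extend as needed).
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # cap per archive member so a zip bomb cannot exhaust memory
MAX_NESTING = 3                      # how deep to follow ZIP-in-ZIP


def classify_bytes(data: bytes) -> Optional[str]:
    """Return a label when data starts with known executable magic, else None."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def find_executables(name: str, data: bytes, depth: int = 0) -> list:
    """Return [(path, label)] for every executable found in data, descending
    into ZIP archives up to MAX_NESTING levels."""
    label = classify_bytes(data)
    if label:
        return [(name, label)]
    if not data.startswith(ZIP_MAGIC):
        return []
    if depth >= MAX_NESTING:
        return [(name, "ZIP nested too deep (quarantine)")]
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                with archive.open(info) as member:
                    content = member.read(MAX_MEMBER_BYTES)
                hits.extend(find_executables(f"{name}/{info.filename}", content, depth + 1))
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # truncated, encrypted or unsupported archives cannot be inspected; treat as suspicious
        hits.append((name, "unreadable ZIP (quarantine)"))
    return hits


def gateway_verdict(name: str, data: bytes) -> str:
    """BLOCK if anything executable is inside, PASS otherwise."""
    return "BLOCK" if find_executables(name, data) else "PASS"


def build_sample_attachment() -> bytes:
    """Constructed test data: a ZIP with a text file, a PE stub disguised as
    invoice.pdf.exe, and a nested ZIP hiding another PE stub."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.scr", pe_stub)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"please see the attached invoice")
        zf.writestr("invoice.pdf.exe", pe_stub)
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(gateway_verdict("docs.zip", sample))
    for path, label in find_executables("docs.zip", sample):
        print(f"  {path}: {label}")
```

The same function serves the proxy rule (run it on the response body before it reaches the browser, and only let a hit through for trusted domains or categories) and the mail-gateway rule (strip or reject the attachment on BLOCK). Archives that cannot be opened are reported rather than silently passed, since that is exactly where a sender who wants to get past the filter would hide the payload.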

Detecting a series of targeted attacks:

Knowing which exploits (CVEs) have been used in targeted attacks, I spotted a single A/V event (containing a "CVE-2011-0611" SWF exploit) from a PDF email attachment amongst hundreds of other mass-malware events. Now knowing the targeted person, I found previous attack mails using CVE-2009-3129 inside an XLS and an unknown exploit inside a PDF with JavaScript. Monitoring the mails of the targeted person, I found an IMG-SRC in an HTML mail without attachments. The URL used a domain hosted on the same IP that had been used for C2 of the previous PDF/SWF exploit, and it contained the target's email address. The attack series continued with a number of DOC attachments with CVE-2012-0158 exploits, some of which were very similar to the ones described on this Securelist blog.
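The HTML mail without attachments is the kind of event that slips past attachment-based controls, so here is an added example (not code from the original post) of the check that found it: extract every remote image from the HTML body and flag it when the URL carries the recipient's address or when its host resolves to an IP already on a watchlist (such as the C2 IP of an earlier exploit document). The sample mail, the hostname-to-IP mapping and the watchlist are constructed for this example using TEST-NET addresses; a gateway would resolve hosts via DNS instead of a dictionary.

```python
"""Added example (not code from the original post): scan the HTML body of a
mail that carries no attachment for remote images whose URL embeds the
recipient's address or whose host resolves to an IP already seen as C2.
The sample mail, the host-to-IP mapping and the watchlist are constructed
here (TEST-NET addresses); a gateway would resolve hosts via DNS instead."""
import base64
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def extract_img_sources(html):
    parser = ImgSrcCollector()
    parser.feed(html)
    return parser.sources


def recipient_markers(recipient):
    """Forms in which a tracking URL might carry the address: plain text
    (compared after URL-decoding) and base64 without padding."""
    rcpt = recipient.lower()
    b64 = base64.b64encode(rcpt.encode()).decode().rstrip("=")
    return rcpt, b64


def flag_remote_images(html, recipient, watchlist_ips, resolver):
    """Return [(url, [reasons])] for remote images that look like tracking or
    beacon requests. resolver maps hostname -> IP string (a dict here)."""
    plain, b64 = recipient_markers(recipient)
    findings = []
    for url in extract_img_sources(html):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images are not remote fetches
        reasons = []
        decoded = unquote(url).lower()
        if plain in decoded or b64 in url:
            reasons.append("recipient address embedded in URL")
        host = (parsed.hostname or "").lower()
        ip = resolver.get(host)
        if ip in watchlist_ips:
            reasons.append(f"host {host} resolves to watchlisted IP {ip}")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample: one inline logo, one ordinary remote image and one
# 1x1 "tracking pixel" that carries the recipient's address in its query.
SAMPLE_HTML = """<html><body>
<p>Dear colleague, please find the conference agenda below.</p>
<img src="cid:logo@corp.example" width="120" height="40">
<img src="http://static.example-cdn.test/agenda-header.png">
<img src="http://news-update.example-bad.test/t.php?u=jane.doe%40corp.example&id=77" width="1" height="1">
</body></html>"""

# Constructed resolver and watchlist: the tracking host shares an IP with
# the C2 of an earlier exploit document (placeholder TEST-NET addresses).
SAMPLE_RESOLVER = {
    "news-update.example-bad.test": "198.51.100.17",
    "static.example-cdn.test": "203.0.113.5",
}
SAMPLE_WATCHLIST = {"198.51.100.17"}

if __name__ == "__main__":
    hits = flag_remote_images(SAMPLE_HTML, "jane.doe@corp.example", SAMPLE_WATCHLIST, SAMPLE_RESOLVER)
    for url, reasons in hits:
        print(url)
        for reason in reasons:
            print("  -", reason)
```

Either reason on its own is worth a look; both together, as in the sample, is the pattern from the attack series above: a per-recipient URL on infrastructure that is already known from the previous stage. The resolver is kept as a parameter so the same function can be fed from passive DNS or from the IPs logged by the proxy instead of a live lookup.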

The above are of course just some examples of additional prevention and detection measures you can put in place.

Some other projects, collaboration groups and tools you may want to look at are:

Feedback is always welcome!

Cheers,
@c_APT_ure

Monday, July 2, 2012

Intelligence-driven Security

Is "Intelligence-driven security" the next big thing?

In my first blog post I put a link to Deloitte's paper "Cyber crime: a clear and present danger -- Combating the fastest growing cyber security threat". Just recently I looked over it again and stopped at page 12: "Developing “actionable” cyber threat intelligence" and "Cyber Threat Intelligence Collection Research, and Analysis Process" -- a great picture. That's an old paper.

I really like the recent "Getting ahead of Advanced Threats" report from Security for Business Innovation Council (sponsored by RSA).

Report PDF: Getting Ahead of Advanced Threats

Youtube video: Getting Ahead of Advanced Threats: Achieving Intelligence-driven Security

Blog series about Deconstructing SBIC's "Getting Ahead of Advanced Threats" Report:

  1. Information vs Intelligence
  2. The Importance of the Extended Enterprise
  3. Intelligence-Driven Information Security
  4. Building Sources
  5. Taking Action
  6. A Day In The Life Fighting Cybercrime
As I have mentioned in a previous post, something to really look out for is the Collective Intelligence Framework (CIF). Take a look at the Community examples and maybe even the Avenger Project.

I heard a rumor that CIF will be covered this month in Russ McRee's toolsmith, which is always a great resource, too.

If you know other good resources alike please let me know.

Thanks for reading...

@c_APT_ure

Wednesday, June 27, 2012

History of Ponmocup Malware / Botnet

This is a history of some events and publications about the Ponmocup malware or botnet.
(work in progress -- will get updated eventually)

There are many aliases from different A/V vendors as previously mentioned on my blog
(Ponmocup, Pirminay, Kryptik, Swisyn, Vundo, Monder, Virtumonde/Virtumondo etc.).
The alias used most often lately is "Trojan.Milicenso" by Symantec, which has a good blog post and detection description about it.
And it's been around at least since 2009, not just 2010 as mentioned in several places.

Update 2012-08-13: there have been some more related posts published since my original post

2012-07-02: Symantec blog "Printer Madness: W32.Printlove Video"

2012-06-25: ComputerWorld article "Malware infection forces printers to print garbled data"
2012-06-25: ITWorld "Printer malware – Wingdings gone wild"

2012-06-23: The Hacker News "Trojan.Milicenso - Printer Trojan cause massive printing"

2012-06-22: ZDNet "Thousands of office printers hit by 'gibberish' malware"
2012-06-22: Bloomberg Tech Blog "When Hackers Fumble: ‘Printer Bomb’ Noisily Announces Attack"
2012-06-22: NET-Security "Trojan infection triggers massive printing jobs"

2012-06-21: ARStechnica "Printer bomb malware wastes reams of paper, sparks pandemonium"
2012-06-21: SANS ISC diary "Print Bomb? (Take 2)"
2012-06-21: Symantec blog "Trojan.Milicenso: A Paper Salesman’s Dream Come True"

2012-06-14: Symantec KB article "Malware is causing network printers to print random ASCII characters"

2012-06-13: Mcafee Threat Advisory "Vundo"

2012-06-08: SANS ISC diary "Print Bomb?" (see also comments)
2012-06-08: Symantec forum thread "Print server gone wild"

2012-06-07: McAfee community forum thread "Printer Virus?"

2012-06-03: c-APT-ure blog post "Introducing Ponmocup-Finder"

2012-05-16: Sophos detection "Troj/Ponmocup-F"

2012-04-27: c-APT-ure blog post "Hunting Ponmocup Botnet"

2012-04-13: Collection of my tweets on Storify "A/V failed for Ponmocup malware!?"

2012-04-08: IOC on ForensicArtifacts.com "Ponmocup IOC released"

2012-03-08: c-APT-ure blog post "Ponmocup, lots changed, but not all"

2012-02-20: Ponmocup analysis page created "Why so many diff A/V detections?"

2012-02-18: c-APT-ure blog post "Not APT, but nasty malware (Ponmocup botnet)"

2011-11-15: Mandiant forum thread started "IOC request for Ponmocup malware (botnet)"

2011-05-30: created web page "Collection of links related to the Ponmocup botnet"

2011-05-23: Abuse.ch blog "How Big is Big? Some Botnet Statistics"

2011-04-22: TrendMicro detection "TSPY_PIRMINAY.A"

2011-04-21: Malware Survival "Media Site Pimping Malware"

2011-04-20: Sophos detection "Mal/Ponmocup-A" (detailed analysis of 3 samples)

2010-12-06: SPAMfighter news: "New Trojan Blocks Access To Bittorrent Websites: Webroot"

2010-11-25: Softpedia news "The Pirate Bay and Mininova Blocked by Mysterious New Trojan"

2010-11-24: Webroot blog "Troublesome Trojan Trammels Torrent Sites"

2010-07-14: Symantec detection created "Trojan.Milicenso"

2010-06-04: Microsoft MPC Encyclopedia entry "TrojanDownloader:Win32/Ponmocup.A"

2010-03-19: Sophos detection "Troj/Mdrop-CLC"

2009-12-30: Microsoft MPC Detection initially created "TrojanDropper:Win32/Ponmocup.A"

2009-11-22: Microsoft MPC Detection initially created "TrojanDownloader:Win32/Ponmocup.A"

Please report any broken (or obviously wrong) links, thanks.

Feedback and questions are welcome!

@c_APT_ure

Sunday, June 3, 2012

Introducing Ponmocup-Finder

Update 2013-06-01:
Please also read my newer blog posts about Ponmocup:
Ponmocup-Finder has evolved into a little "workflow" :-)
  1. add new infected domains to the list
  2. daily cronjob to run Ponmocup-Finder
  3. latest Ponmocup-Finder script
  4. list of currently infected webservers
  5. history of all previously infected webservers
  6. notification lists for CH / LI and DE domains
If you can do notifications for any infected webservers, go ahead and feel free to let me know.

It would be great to see some search engines (like Google, MS Bing etc.) add checks for these infections to their spiders (they would only need to change the user-agent for one request per site), since infections happen only through search engine redirects.

Update 2012-10-18:
Finally I updated the ponmocup-finder script as promised. I also managed to download a new infector and analyze the malware in a VM. You can also just look at some screenshots of the analysis.
And lastly here are some network indicators of C2:

  intohave.com / 64.179.44.188  (DNS request only)
  88.216.164.117

For more malicious domains and IPs you can download my malware feeds (also using CIF) here:

http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt



Update 2012-09-25:
The Ponmocup finder script needs some updating / tweaking, since the redirection URL patterns changed massively again (samples). Instead of just checking for the two previously known URL patterns ("/url\?sa=|/cgi-bin/r.cgi\?p=") it should check if the infected website's domain appears in the URI parameters of the redirection URL. I will update the script in this post as soon as I find time.

You may have recently read a lot of hype about Flame or SkyWiper "cyber weapon", the son (or big brother) of Stuxnet and Duqu, which was found on a few thousand systems in a limited number of countries for espionage. Interesting and somewhat impressive, but this post is not about any of this stuff.

The Ponmocup malware and botnet is something totally different. A year ago the botnet was several million bots big (at least 4 million IPs, possibly a multiple of that in bots) [1]. And it does not target or discriminate against any specific country, so chances are better that you find one of these bots in your network than a Flame infection.
Please read my previous three posts about Ponmocup to get an idea of what it is and how it works.


[1] Not APT, but nasty malware (Ponmocup botnet)
[2] Ponmocup, lots changed, but not all
[3] Hunting Ponmocup Botnet

Just to clarify something first: this post is more about detecting hacked or infected web servers that redirect unsuspecting visitors to malware downloads than about detecting infected bots themselves. For the latter see my request to researchers to find current C&C domains in [3].

I don't know of any service, including all 32 checked by urlvoid.com, that detects these infected web servers.

So I threw together this little shell script that takes a list of domains and checks each domain with a single request if it's infected and redirecting visitors to Ponmocup malware (see [2]).

This script is aimed at registrars, ISPs, web hosters, GovCERTs, malware researchers, botnet hunters, or generally anyone who wants to find (and hopefully report) infected web servers and who has access to a large number of domains.

$ cat ponmocup-finder.sh
#!/bin/bash
# Usage: ./ponmocup-finder.sh domains.txt   (one domain per line)
# Fetches each domain once, posing as a browser that arrived via a Google
# search, and reports it as INFECTED when the server answers with a redirect
# whose URI parameters contain the checked domain itself.
echo "date started: $(date)"
while read -r domain; do
  [ -z "$domain" ] && continue   # skip empty lines
  echo -ne "checking domain: $domain --> "
  wget -Sv --tries=1 --connect-timeout=5 \
    --user-agent="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" \
    --referer="http://www.google.ch/search?q=ponmocup+check" \
    "http://${domain}/" -O "${domain}.out" > "${domain}_wget.log" 2>&1
  # first "Location:" header among the response headers logged by -S (empty if no redirect)
  redir=$(grep -m 1 "Location: " "${domain}_wget.log")
## previous check, kept for reference (the URL patterns have changed since):
## match=$(echo "$redir" | grep -E "(/url\?sa=|/cgi-bin/r.cgi\?p=)" | wc -l)
  # current check: the checked domain appears in the query string of the redirect
  # (cut -s prints nothing when there is no "?", so a plain redirect to www.$domain stays CLEAN)
  match=$(echo "$redir" | cut -s -d"?" -f2- | grep -F -c -- "$domain")
  if [ "$match" -gt 0 ]
  then
    echo -ne "seems to be INFECTED: "
    # redirect target without its query string, followed by the IP it resolved to
    echo -ne "$(echo "$redir" | awk '{ print $2 }' | cut -d"?" -f1)"
    grep -m 2 "Resolving " "${domain}_wget.log" | tail -1 | sed -e 's/Resolving/ --> DNS:/g'
  else
    echo "seems to be CLEAN"
  fi
done < "$1"
echo "date finished: $(date)"


Now let's run this script with a list of 88 domains (known to have been previously infected).

$ ./ponmocup-finder.sh domains-1.txt | tee ponmocup-finder_domains-1.log
checking domain: aviationhumor.net --> seems to be INFECTED: http://philosophymercer.com/cgi-bin/r.cgi --> DNS: philosophymercer.com... 62.212.74.228
checking domain: bgs-architekten.com --> seems to be INFECTED: http://capitalinformer.com/cgi-bin/r.cgi --> DNS: capitalinformer.com... 82.98.86.165

...
checking domain: www.w-en-ve.nl --> seems to be INFECTED: http://reportedtechniques.org/cgi-bin/r.cgi --> DNS: reportedtechniques.org... 208.91.197.108

How long did it take to check these 88 domains?  About 160 seconds

$ egrep "date " ponmocup-finder_domains-1.log
date started: Sat Jun  2 18:33:08 CEST 2012
date finished: Sat Jun  2 18:35:48 CEST 2012


Let's separate the clean and infected domains and do some stats:

$ egrep CLEAN ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_CLEAN.log
$ egrep INFECTED ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_INFECTED.log
$ wc -l ponmocup-finder_domains-1_*.log
   36 ponmocup-finder_domains-1_CLEAN.log
   52 ponmocup-finder_domains-1_INFECTED.log
   88 total

Let's look at the malware domains and IPs: (these are not C&C domains of infected clients)

Important note: some of the older, inactive domains appear to have been grabbed by some domain parking services. Thus not all domains and IPs below are used for malware distribution. I need to separate the good from the bad and ugly (later).

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2" "$1 }' | sort | uniq -c
      1 176.53.112.108 ceprez.recycling-computers-portland.com...
      1 178.211.33.202 49847.hotel-sarajevo.com...
      1 178.211.33.202 lerberg.belanyi.com...
      1 178.211.33.203 38831.learn2drive4free.com...
      1 178.211.33.203 45215.thomasyohannan.com...
      1 178.211.33.203 46722.azangelfish.com...
      1 178.211.33.205 vamped.wonderfulroofing.com...
      3 199.59.241.218 herocopter.com...
      3 199.59.241.218 indanetwall.net...
      1 199.59.241.218 infernomag.com...
      2 208.91.197.108 reportedtechniques.org...
      2 217.11.251.173 underbuild.net...
      6 62.212.74.224 lewisentitled.com...
      2 62.212.74.228 philosophymercer.com...
      1 69.43.161.177 trialworld.net...
      1 77.79.11.96 45531.3d-tablet.cc...
      1 77.79.11.96 45585.3d-tablet.cc...
      2 82.98.86.165 capitalinformer.com...
      1 8.5.1.34 jesusonlynet.org...
      1 91.207.4.51 41950.thepetserver.com...
      1 91.207.4.51 52984.pballgames.com...
      1 94.63.149.247 handsexual.com...
      1 failed: 35803.finishline-fitness.co.uk...
      1 failed: 43560.vicandbarbs.net...
      1 failed: apartliberal.com...
      4 failed: besidesdream.com...
      2 failed: costslaid.com...
      3 failed: dutytraditional.net...
      1 failed: earlyanswered.com...
      1 failed: interestingchapter.net...
      1 failed: thousandmilitary.com...
      1 failed: twiceseparate.com...
      1 failed: watchingsquare.com...

And here are just the IPs:

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2 }' | sort | uniq -c
      1 176.53.112.108
      2 178.211.33.202
      3 178.211.33.203
      1 178.211.33.205
      7 199.59.241.218
      2 208.91.197.108
      2 217.11.251.173
      6 62.212.74.224
      2 62.212.74.228
      1 69.43.161.177
      2 77.79.11.96
      2 82.98.86.165
      1 8.5.1.34
      2 91.207.4.51
      1 94.63.149.247
     17 failed:

And here's a list of all malware domains and IPs discovered (numeric-only subdomains replaced with "*"):

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2"\n"$1 }' | sed -e 's/[0-9][0-9][0-9][0-9][0-9]/\*/g' | sed -e 's/\.\.\.//g' | sort | uniq | egrep -v failed
176.53.112.108
178.211.33.202
178.211.33.203
178.211.33.205
199.59.241.218
208.91.197.108
217.11.251.173
62.212.74.224
62.212.74.228
69.43.161.177
77.79.11.96
82.98.86.165
8.5.1.34
91.207.4.51
94.63.149.247
*.3d-tablet.cc
apartliberal.com
*.azangelfish.com
besidesdream.com
capitalinformer.com
ceprez.recycling-computers-portland.com
costslaid.com
dutytraditional.net
earlyanswered.com
*.finishline-fitness.co.uk
handsexual.com
herocopter.com
*.hotel-sarajevo.com
indanetwall.net
infernomag.com
interestingchapter.net
jesusonlynet.org
*.learn2drive4free.com
lerberg.belanyi.com
lewisentitled.com
*.pballgames.com
philosophymercer.com
reportedtechniques.org
*.thepetserver.com
*.thomasyohannan.com
thousandmilitary.com
trialworld.net
twiceseparate.com
underbuild.net
vamped.wonderfulroofing.com
*.vicandbarbs.net
watchingsquare.com

And here's the list of infected domains (servers with malicious .htaccess file)


$ cat ponmocup-finder_domains-1_INFECTED.log | awk '{ print $3 }' | sort | uniq
aviationhumor.net
bgs-architekten.com
cryptonaux.co.uk
europschool.net
flowerbouquetsforweddings.com
hellokittyfighters.de
insurancepersonalpropertyassessments.com
pippatoledoshop.com
rabita-ms.ch
schoenstefaschingskostueme.com
www.apollonreisen.com
www.armsnetafrica.org
www.artistas-americanos.com
www.autocamp-nordsee.com
www.aylar.no
www.babfinance.net
www.canadawideflowers.ca
www.chinchillazucht.eu
www.demton.hu
www.dynam-med.info
www.europschool.net
www.extremebusa.com
www.feliceapicella.it
www.ferienwohnung-hotels-kroatien.de
www.flowerbouquetsforweddings.com
www.football-session.com
www.forexonlinegeheimnisse.com
www.guatemala-tourisme.info
www.hexenkostueme.com
www.hillsidebeachclub.com
www.hotelanderoper.com
www.hypequest.com
www.jenniferhejna.com
www.krcgent.be
www.lotex24.net
www.lotusnaturalspa.ch
www.moebel-direkt.net
www.oceanview-house.com
www.pr-klartext.de
www.ps3-fifaliga.de
www.radiofreecuba.com
www.smelugano2.ch
www.stadtbredimus.lu
www.stublla.net
www.sudani.co.za
www.swisshelp.info
www.thehighheelstore.com
www.theleesonhotel.com
www.titan.vc
www.vdomil.com
www.voegelitherapie.com
www.w-en-ve.nl

I'd be curious to know what percentage (or ppm) of any list of domains would be infected. Anyone want to take a guess?


Monday, May 14, 2012

Threat Intelligence and APT Resources

This post is to share some of the resources I found interesting and useful recently. In addition I would like to thank my friends who interacted with me in the past and also work hard to fight cybercrime and Internet threats in general.

(in random order)

Thanks to Mila from contagio dump blog for linking to my blog from your APT page, which I also recommend reading. Also very useful is the list of browser exploit packs and all the great analysis of targeted attacks.

Thanks Keith for mentioning my tweets on your blog (Thanks for Sharing and Indicators) and for the great work in posting IOCs.

Thanks Kyle for mentions on your blog post Introduction to the Collective Intelligence Framework. I definitely recommend checking out CIF.

Thanks Mandiant for all your free tools (Redline, IOC-Finder etc.), great resources (M-unition blog, webinars) and interesting M-Trends reports.

Thanks Securosis for all the great free resources (Malware Analysis Quant etc.) and research papers published.

Thanks Command-Five for great research papers and C5 SIGMA free network analysis tool.
Command and Control in the Fifth Domain

Here are some blog posts about APT that I can recommend reading:

Eric Huber's blog post To APT or Not To APT?

Mike Cloppert's blog series on SANS computer forensics
Security Intelligence: Introduction (pt 1)
Security Intelligence: Introduction (pt 2)
Security Intelligence: Attacking the Kill Chain
Security Intelligence: Defining APT Campaigns

Update 2012-05-25: here are some more interesting papers that I enjoyed.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [PDF]

Detecting Targeted Malicious Email through Supervised Classification of Persistent Threat and Recipient Oriented Features (Dissertation by Rohan Mahesh Amin, 2011)

Crouching Tiger, Hidden Dragon, Stolen Data [PDF]

Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage [PR]

The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure


So how do you share your threat intelligence with others and how / where do you find it online?

I've been tweeting some indicators in the past and collected some of these tweets on storify "malware intelligence". I've also created IOCs for Ponmocup and other malware (Zeus, debugger persistence and more) and posted them on Mandiant's forums and ioc.forensicartifacts.com.

I will update this post eventually with new, more recent resources and infos available.

If you find this blog useful consider linking to it from your blog (what, you don't have one!? Why not?) or tweet about it.

If you know other useful blogs or resources not mentioned here (or on my recommended blogs list) please let me know.

Thanks for reading all the way to the end ;-)

Friday, April 27, 2012

Hunting Ponmocup Botnet

Updated 2012-05-31: find new malware domains and IPs at the end of this post



Welcome to my third post about the ponmocup malware / botnet.

I have some more malware intel to share and also a request to other researchers.
Following is a list of Ponmocup redirection domains along with the domain of the hacked/infected website and the date when it was discovered.

#--------------------------------------------------------------------------
# malware-domain malware-ip infected-website [date] (/cgi-bin/r.cgi)
#--------------------------------------------------------------------------
apartliberal.com - www.canadawideflowers.ca [22/Mar/2012]
apartliberal.com - www.despec.com [23/Jan/2012]
argumenthistorical.org - www.steingym.schulnetz.hamm.de [08/Feb/2012]
argumenthistorical.org - www.steingym.schulnetz.hamm.de [18/Apr/2012]
argumenthistorical.org - www.stv-neuenhof.ch [17/Jan/2012]
besidesdream.com - flowerbouquetsforweddings.com [27/Feb/2012]
besidesdream.com - www.armsnetafrica.org [25/Jan/2012]
besidesdream.com - www.flowerbouquetsforweddings.com [27/Feb/2012]
besidesdream.com - www.hillsidebeachclub.com [29/Mar/2012]
capitalinformer.com - www.hotelanderoper.com [31/Jan/2012]
capitalinformer.com 82.98.86.165 bgs-architekten.com [17/Apr/2012]
checkforsec.com 8.5.1.45 www.artistas-americanos.com [12/Apr/2012]
costslaid.com - halongtours.com [25/Jan/2012]
costslaid.com - halongtours.com [26/Jan/2012]
costslaid.com - www.dynam-med.info [05/Jan/2012]
costslaid.com - www.jenniferhejna.com [09/Feb/2012]
costslaid.com - www.krcgent.be [27/Mar/2012]
dutytraditional.net - riccardoscamarcio.org [07/Feb/2012]
dutytraditional.net - vivadasrestaurant.ch [11/Jan/2012]
dutytraditional.net - www.moebel-direkt.net [16/Jan/2012]
dutytraditional.net - www.moebel-direkt.net [17/Feb/2012]
dutytraditional.net - www.pr-klartext.de [27/Feb/2012]
dutytraditional.net - www.redtoo.com [20/Jan/2012]
dutytraditional.net - www.swisshelp.info [27/Mar/2012]
dutytraditional.net - www.vivadasrestaurant.com [02/Jan/2012]
dutytraditional.net - www.vivadasrestaurant.com [03/Jan/2012]
dutytraditional.net - www.vivadasrestaurant.com [09/Jan/2012]
dutytraditional.net - www.vivadasrestaurant.com [11/Jan/2012]
earlyanswered.com - www.vdomil.com [30/Jan/2012]
everybodynames.org 94.63.149.247 www.kreutz-solutions.ch [16/Jan/2012]
formedtouch.com - www.voegelitherapie.com [12/Mar/2012]
gamecomes.org 94.63.149.247 www.ryandarts.de [08/Mar/2012]
handsexual.com 94.63.149.247 www.perfler.ch [10/Feb/2012]
handsexual.com 94.63.149.247 www.theleesonhotel.com [16/Jan/2012]
herocopter.com - www.aylar.no [09/Jan/2012]
herocopter.com - www.titan.vc [12/Jan/2012]
herocopter.com 199.59.241.228 www.stublla.net [23/Apr/2012]
herocopter.com 199.59.241.232 www.guatemala-tourisme.info [27/Mar/2012]
iamprotectedfrom.net - www.newtonvineyard.com [20/Apr/2012]
indanetwall.net - schoenstefaschingskostueme.com [27/Feb/2012]
indanetwall.net 199.59.241.228 www.forexonlinegeheimnisse.com [24/Apr/2012]
indanetwall.net 199.59.241.228 www.hexenkostueme.com [18/Apr/2012]
indanetwall.net 94.63.149.246 www.hexenkostueme.com [12/Jan/2012]
infernomag.com - cryptonaux.co.uk [06/Jan/2012]
infernomag.com - www.samariter-zuerich-uu.ch [24/Jan/2012]
interestingchapter.net - www.hypequest.com [16/Jan/2012]
interestingchapter.net - www.hypequest.com [17/Jan/2012]
interestingchapter.net - www.hypequest.com [21/Mar/2012]
interestingchapter.net - www.hypequest.com [30/Jan/2012]
jesusonlynet.org 94.63.149.246 www.babfinance.net [13/Mar/2012]
jesusonlynet.org 94.63.149.246 www.babfinance.net [23/Apr/2012]
jesusonlynet.org 94.63.149.246 www.babfinance.net [29/Mar/2012]
lewisentitled.com 62.212.74.224 www.extremebusa.com [20/Feb/2012]
lewisentitled.com 62.212.74.224 www.feliceapicella.it [16/Jan/2012]
lewisentitled.com 62.212.74.224 www.lotex24.net [02/Apr/2012]
lewisentitled.com 62.212.74.224 www.lotex24.net [03/Apr/2012]
lewisentitled.com 62.212.74.224 www.ps3-fifaliga.de [13/Jan/2012]
lewisentitled.com 62.212.74.224 www.radiofreecuba.com [22/Mar/2012]

Of the 88 domains above, 60 servers still appear to be infected at this time.
Now part of me says "why haven't you already informed all website owners or hosters about the hacked servers?". But the other part thinks, why not use the hacked servers to get some more current trojan-downloader samples and infect some (VM) clients to study the C&C traffic and create new network indicators (since the "old" ET Snort rules seem ineffective now).

Well, and that's the challenge or request to other malware researchers, since I haven't been able to successfully download any samples recently.

I've shown in the wget logs how you can (try to) download an infector sample. Try it from a "home IP" and/or a "corporate IP-range" (should be safe with wget); you might get different results.

Actually, after taking a closer look at the files downloaded by wget, it looks like the malware download would only work with a browser. Take a look at the scripts at the end of one file.

So you probably won't get the malware using wget anymore.

When infecting a client, try using a corporate IP-, DNS-, Domain-config, since I believe "ipconfig" is called by the trojan-downloader and the further behaviour could depend on the ipconfig output.

If you're interested in researching this malware / botnet and are able to do any of the above mentioned I'd be very interested to hear from you.

Thanks for any help or feedback!

@c_APT_ure

Updated 2012-04-30:

I've collected some of my tweets about the Ponmocup malware here on Storify:
http://storify.com/c_APT_ure/a-v-failed-for-ponmocup-malware

So I found a new source of malware today, virusshare.com, thanks to Ken!
Searching for "ponmocup" I got 160 results, but I could download only 20.

Updated 2012-05-13:
I received the results for all 160 Ponmocup samples. See additional stats at the end.

Here is an analysis of the A/V detections of these 20 samples:

20 Panda
20 NOD32
20 Ikarus
20 GData
20 F-Secure
20 Emsisoft
20 DrWeb
20 BitDefender
20 Avast
19 Norman
19 Kaspersky
19 Fortinet
19 Comodo
19 AntiVir
19 AhnLab-V3
19 AVG
18 TrendMicro-HouseCall
18 TrendMicro
18 Microsoft
18 K7AntiVirus
17 nProtect
17 VIPRE
17 McAfee-GW-Edition
17 McAfee
17 Jiangmin
15 VirusBuster
15 Symantec
15 Sophos
14 VBA32
14 TheHacker
14 PCTools
11 F-Prot
11 Commtouch
10 SUPERAntiSpyware
9 Rising
9 ClamAV
9 Antiy-AVL
8 eTrust-Vet
8 ViRobot
6 ByteHero
5 eSafe
3 CAT-QuickHeal


And the detections are:

1 AVG = Downloader.Generic10.BMDC
1 AVG = Downloader.Generic10.BOLE
1 AVG = Downloader.Small.62.D
1 AVG = Dropper.Generic4.BXSO
8 AVG = Dropper.VB.CMD
1 AVG = Generic22.JDH
1 AVG = Generic25.AFPK
1 AVG = Generic25.AIJK
1 AVG = Generic25.BRLU
1 AVG = Generic25.BTFX
1 AVG = Generic25.BTHJ
1 AVG = Suspicion: unknown virus
1 AhnLab-V3 = Trojan/Win32.HDC
2 AhnLab-V3 = Trojan/Win32.Jorik
1 AhnLab-V3 = Trojan/Win32.Monder
5 AhnLab-V3 = Trojan/Win32.Pirminay
8 AhnLab-V3 = Trojan/Win32.Swisyn
1 AhnLab-V3 = Win-Trojan/Pirminay.313344.M
1 AhnLab-V3 = Win-Trojan/Pirminay.438601
1 AntiVir = TR/Crypt.XPACK.Gen
1 AntiVir = TR/Dldr.Ponmocup.A.393
1 AntiVir = TR/Downloader.Gen
1 AntiVir = TR/Graftor.1139.2
1 AntiVir = TR/Graftor.3421.1
1 AntiVir = TR/Graftor.3421.2
1 AntiVir = TR/Monder.mzyl
1 AntiVir = TR/Pirminay.bg.2
1 AntiVir = TR/Pirminay.bhf
1 AntiVir = TR/Pirminay.bhy
1 AntiVir = TR/Spy.438876.1
8 AntiVir = TR/VB.Downloader.Gen
2 Antiy-AVL = Trojan/Win32.Jorik
1 Antiy-AVL = Trojan/Win32.Jorik.gen
1 Antiy-AVL = Trojan/Win32.Monder
1 Antiy-AVL = Trojan/Win32.Pirminay
3 Antiy-AVL = Trojan/Win32.Pirminay.gen
1 Antiy-AVL = Trojan/win32.agent
8 Avast = Win32:Hosts-J [Trj]
1 Avast = Win32:Kryptik-WL [Trj]
1 Avast = Win32:MalOb-EI [Cryp]
7 Avast = Win32:Malware-gen
1 Avast = Win32:Pirminay-DW [Trj]
1 Avast = Win32:Spyware-gen [Spy]
1 Avast = Win32:Trojan-gen
1 BitDefender = Backdoor.Generic.542938
1 BitDefender = Gen:Variant.Graftor.1139
1 BitDefender = Gen:Variant.Graftor.3421
1 BitDefender = Gen:Variant.Vundo.11
1 BitDefender = Trojan.Generic.5274711
1 BitDefender = Trojan.Generic.6148391
2 BitDefender = Trojan.Generic.6270838
1 BitDefender = Trojan.Generic.6764589
1 BitDefender = Trojan.Generic.6871065
1 BitDefender = Trojan.Generic.6892427
1 BitDefender = Trojan.Generic.KD.393940
8 BitDefender = Trojan.QHosts.AVD
5 ByteHero = Trojan.Win32.Heur.Gen
1 ByteHero = Virus.Win32.Heur.p
1 CAT-QuickHeal = Trojan.Jorik.Pirminay.aoq
1 CAT-QuickHeal = Trojan.Monder.mzyl
1 CAT-QuickHeal = TrojanDownloader.Ponmocup.a
1 ClamAV = Trojan.Agent-183385
8 ClamAV = Trojan.VB-43290
2 Commtouch = W32/FakeAlert.FT.gen!Eldorado
1 Commtouch = W32/FakeAlert.LP.gen!Eldorado
8 Commtouch = W32/Swisyn.E.gen!Eldorado
8 Comodo = TrojWare.Win32.Swisyn.C
5 Comodo = TrojWare.Win32.Trojan.Agent.Gen
6 Comodo = UnclassifiedMalware
1 DrWeb = Trojan.DownLoader5.4289
1 DrWeb = Trojan.DownLoader5.5892
1 DrWeb = Trojan.Fakealert.26434
1 DrWeb = Trojan.Hosts.2582
9 DrWeb = Trojan.Hosts.303
1 DrWeb = Trojan.MulDrop1.59103
4 DrWeb = Trojan.WinSpy.1014
2 DrWeb = Trojan.WinSpy.origin
1 Emsisoft = Riskware.AdWare.Win32.SuperJuan!IK
6 Emsisoft = Trojan-Downloader.Win32.Ponmocup!IK
1 Emsisoft = Trojan.Pirminay!IK
4 Emsisoft = Trojan.Win32.Pirminay!IK
8 Emsisoft = Trojan.Win32.Swisyn!IK
2 F-Prot = W32/FakeAlert.FT.gen!Eldorado
1 F-Prot = W32/FakeAlert.LP.gen!Eldorado
8 F-Prot = W32/Swisyn.E.gen!Eldorado
1 F-Secure = Backdoor.Generic.542938
1 F-Secure = Gen:Variant.Graftor.1139
1 F-Secure = Gen:Variant.Graftor.3421
1 F-Secure = Gen:Variant.Vundo.11
1 F-Secure = Trojan.Generic.5274711
1 F-Secure = Trojan.Generic.6148391
2 F-Secure = Trojan.Generic.6270838
1 F-Secure = Trojan.Generic.6764589
1 F-Secure = Trojan.Generic.6871065
1 F-Secure = Trojan.Generic.6892427
1 F-Secure = Trojan.Generic.KD.393940
8 F-Secure = Trojan.QHosts.AVD
1 Fortinet = PossibleThreat
1 Fortinet = W32/Evx.BG!tr
1 Fortinet = W32/Jorik_Pirminay.ANO!tr
1 Fortinet = W32/Kryptik.ANL!tr
1 Fortinet = W32/Malware_fam.NB
1 Fortinet = W32/Monder.MZYL!tr
2 Fortinet = W32/Pirminay.A!tr
1 Fortinet = W32/Ponmocup.A
1 Fortinet = W32/Ponmocup.AA
8 Fortinet = W32/Swisyn.CQV!tr
1 Fortinet = W32/Virtum!tr
1 GData = Backdoor.Generic.542938
1 GData = Gen:Variant.Graftor.1139
1 GData = Gen:Variant.Graftor.3421
1 GData = Gen:Variant.Vundo.11
1 GData = Trojan.Generic.5274711
1 GData = Trojan.Generic.6148391
2 GData = Trojan.Generic.6270838
1 GData = Trojan.Generic.6764589
1 GData = Trojan.Generic.6871065
1 GData = Trojan.Generic.6892427
1 GData = Trojan.Generic.KD.393940
8 GData = Trojan.QHosts.AVD
6 Ikarus = Trojan-Downloader.Win32.Ponmocup
1 Ikarus = Trojan.Pirminay
4 Ikarus = Trojan.Win32.Pirminay
8 Ikarus = Trojan.Win32.Swisyn
1 Ikarus = not-a-virus:AdWare.Win32.SuperJuan
2 Jiangmin = Trojan/Generic.kfzm
1 Jiangmin = Trojan/Generic.kkfx
2 Jiangmin = Trojan/Generic.knvv
1 Jiangmin = Trojan/Pirminay.gr
1 Jiangmin = Trojan/Pirminay.gs
1 Jiangmin = Trojan/Pirminay.up
8 Jiangmin = Trojan/Swisyn.cby
1 Jiangmin = TrojanDownloader.Agent.ctuc
6 K7AntiVirus = Riskware
12 K7AntiVirus = Trojan
2 Kaspersky = HEUR:Trojan.Win32.Generic
1 Kaspersky = Trojan.Win32.Jorik.Pirminay.ano
1 Kaspersky = Trojan.Win32.Jorik.Pirminay.aoq
1 Kaspersky = Trojan.Win32.Jorik.Pirminay.avy
1 Kaspersky = Trojan.Win32.Monder.mzyl
1 Kaspersky = Trojan.Win32.Pirminay.bg
1 Kaspersky = Trojan.Win32.Pirminay.bhy
1 Kaspersky = Trojan.Win32.Pirminay.cub
1 Kaspersky = Trojan.Win32.Pirminay.hjy
1 Kaspersky = Trojan.Win32.Pirminay.hlu
8 Kaspersky = Trojan.Win32.Swisyn.jyb
1 McAfee = Downloader.a!bu
1 McAfee = Downloader.a!cc
1 McAfee = Downloader.a!vz
1 McAfee = Generic Downloader.x!g2z
1 McAfee = Generic.dx!yak
1 McAfee = Generic.evx!bd
2 McAfee = Generic.evx!bg
1 McAfee = Kryp.b
8 McAfee = Swisyn.s
1 McAfee-GW-Edition = Downloader.a!cc
1 McAfee-GW-Edition = Generic Downloader.x!g2z
1 McAfee-GW-Edition = Generic.dx!yak
1 McAfee-GW-Edition = Generic.evx!bd
2 McAfee-GW-Edition = Generic.evx!bg
4 McAfee-GW-Edition = Heuristic.BehavesLike.Win32.Downloader.A
1 McAfee-GW-Edition = Heuristic.BehavesLike.Win32.Downloader.D
1 McAfee-GW-Edition = Heuristic.BehavesLike.Win32.Downloader.H
1 McAfee-GW-Edition = Heuristic.LooksLike.Trojan.Dropper.B
1 McAfee-GW-Edition = Kryp.b
3 McAfee-GW-Edition = Swisyn.s
1 Microsoft = Trojan:Win32/Meredrop
16 Microsoft = TrojanDownloader:Win32/Ponmocup.A
1 Microsoft = TrojanDownloader:Win32/Renos.KC
2 NOD32 = Win32/Ponmocup.AA
8 NOD32 = Win32/Qhost.NRX
2 NOD32 = Win32/TrojanDownloader.Agent.PXO
1 NOD32 = a variant of Win32/Kryptik.LLT
1 NOD32 = a variant of Win32/Kryptik.SWI
1 NOD32 = a variant of Win32/Kryptik.UFA
1 NOD32 = a variant of Win32/Kryptik.VDN
3 NOD32 = a variant of Win32/Ponmocup.AA
1 NOD32 = probably a variant of Win32/Agent.BTILRDN
8 Norman = W32/DLoader.ACMAD
3 Norman = W32/Kryptik.AIF
8 Norman = W32/Obfuscated.L
8 PCTools = Malware.Changeup
5 PCTools = Trojan.Gen
1 PCTools = Trojan.Milicenso
3 Panda = Generic Trojan
2 Panda = Suspicious file
1 Panda = Trj/Agent.OLO
6 Panda = Trj/CI.A
8 Panda = Trj/Qhost.LU
1 Rising = Trojan.Win32.Generic.129CDFF1
8 Rising = Trojan.Win32.QHost.awf
1 SUPERAntiSpyware = Trojan.Agent/Gen-Falcomp[RE]
2 SUPERAntiSpyware = Trojan.Agent/Gen-Falprod[RE]
5 SUPERAntiSpyware = Trojan.Agent/Gen-HackHost
2 SUPERAntiSpyware = Trojan.Agent/Gen-Qhost
2 Sophos = Mal/Generic-L
1 Sophos = Mal/Ponmocup-A
8 Sophos = Mal/Swisyn-D
1 Sophos = Sus/Behav-278
1 Sophos = Troj/Ponmo-A
2 Sophos = Troj/Virtum-Gen
1 Symantec = Suspicious.Cloud
5 Symantec = Trojan.Gen
1 Symantec = Trojan.Milicenso
7 Symantec = W32.Changeup!gen
1 Symantec = WS.Reputation.1
1 TheHacker = Trojan/Downloader.Agent.pxo
1 TheHacker = Trojan/Kryptik.vdn
1 TheHacker = Trojan/Pirminay.bhf
1 TheHacker = Trojan/Pirminay.bhy
1 TheHacker = Trojan/Pirminay.fwy
1 TheHacker = Trojan/Ponmocup.aa
8 TheHacker = Trojan/Swisyn.jyb
8 TrendMicro = TROJ_FAM_00001e3.TOMA
1 TrendMicro = TROJ_GEN.R11C7KB
1 TrendMicro = TROJ_GEN.R21C2F4
1 TrendMicro = TROJ_GEN.R21C2FE
1 TrendMicro = TROJ_GEN.R23C3BD
1 TrendMicro = TROJ_GEN.R3BCRBR
1 TrendMicro = TROJ_GEN.R47C7K8
1 TrendMicro = TROJ_GEN.R47C7KE
1 TrendMicro = TROJ_GEN.R4AC7KK
1 TrendMicro = TROJ_PONMOCUP.AB
1 TrendMicro = TROJ_PONMOCUP.AC
8 TrendMicro-HouseCall = TROJ_FAM_00001e3.TOMA
1 TrendMicro-HouseCall = TROJ_GEN.R11C7KB
1 TrendMicro-HouseCall = TROJ_GEN.R21C2F4
1 TrendMicro-HouseCall = TROJ_GEN.R21C2FE
1 TrendMicro-HouseCall = TROJ_GEN.R23C3BD
1 TrendMicro-HouseCall = TROJ_GEN.R3BCRBR
1 TrendMicro-HouseCall = TROJ_GEN.R47C7K8
1 TrendMicro-HouseCall = TROJ_GEN.R47C7KE
1 TrendMicro-HouseCall = TROJ_GEN.R4AC7KK
1 TrendMicro-HouseCall = TROJ_PONMOCUP.AB
1 TrendMicro-HouseCall = TROJ_PONMOCUP.AC
1 VBA32 = SScope.Trojan.Pirminay.chc
8 VBA32 = SScope.Trojan.VB.0609
1 VBA32 = Trojan.Fksys.81105
1 VBA32 = Trojan.Jorik.Pirminay.ano
1 VBA32 = Trojan.Pirminay.bg
1 VBA32 = Trojan.Pirminay.cta
1 VBA32 = Trojan.Pirminay.fwz
1 VIPRE = Trojan-Downloader.Win32.Agent.ecjo (v)
7 VIPRE = Trojan.Win32.Generic!BT
1 VIPRE = Trojan.Win32.Monder.gen
8 VIPRE = Trojan.Win32.Swisyn.jyb (v)
8 ViRobot = Trojan.Win32.Swisyn.65024
1 VirusBuster = Trojan.Kryptik!XPYaFkgQJuY
1 VirusBuster = Trojan.Kryptik!YhtS8OcgDPE
1 VirusBuster = Trojan.Monder!KTXAshYxjGA
1 VirusBuster = Trojan.Pirminay!1T9hymiWPH0
1 VirusBuster = Trojan.Ponmocup!Qf/SCxIUIDk
1 VirusBuster = Trojan.Ponmocup!lGJTkqsZNdg
8 VirusBuster = Trojan.Swisyn!whPY1JLc4mw
1 VirusBuster = TrojanSpy.Agent!jdleA1Gsspg
1 eSafe = Win32.GenVariant.Gra
1 eSafe = Win32.HEURCrypted.E
1 eSafe = Win32.Milicenso
1 eSafe = Win32.TRGraftor
1 eSafe = Win32.Trojan
8 eTrust-Vet = Win32/Swisyn.R
1 nProtect = Backdoor/W32.Agent.294341
3 nProtect = Gen:Variant.Graftor.3421
1 nProtect = Trojan/W32.Jorik.219136.B
1 nProtect = Trojan/W32.Jorik.236032.B
1 nProtect = Trojan/W32.Jorik.243712.D
1 nProtect = Trojan/W32.Pirminay.17176
1 nProtect = Trojan/W32.Pirminay.313344
1 nProtect = Trojan/W32.Pirminay.438601
1 nProtect = Trojan/W32.QHosts.122880
1 nProtect = Trojan/W32.QHosts.147456
1 nProtect = Trojan/W32.Swisyn.126976.G
1 nProtect = Trojan/W32.Swisyn.157184
1 nProtect = Trojan/W32.Swisyn.184320.I
1 nProtect = Trojan/W32.Swisyn.241664.F
1 nProtect = Trojan/W32.Swisyn.79872


There is only one A/V product that recognized more than half the samples with the same detection name:

16 Microsoft = TrojanDownloader:Win32/Ponmocup.A

The samples' MD5 hashes are:



And here are some more file details.


Updated 2012-05-13:
I received the results for all 160 Ponmocup samples. See additional stats at the end.

Here is the number of detections out of the 160 samples for each A/V:

    158 GData
    158 BitDefender
    157 Ikarus
    155 AntiVir
    154 NOD32
    153 F-Secure
    151 AVG
    149 Avast
    148 VIPRE
    146 Panda
    145 Microsoft
    145 McAfee-GW-Edition
    141 McAfee
    141 Comodo
    140 AhnLab-V3
    138 Sophos
    138 Norman
    137 nProtect
    136 Kaspersky
    134 TrendMicro-HouseCall
    133 TrendMicro
    133 Emsisoft
    132 K7AntiVirus
    130 Symantec
    127 Jiangmin
    124 PCTools
    123 TheHacker
    123 Fortinet
    114 VirusBuster
    101 Avast5
    100 DrWeb
     99 Antiy-AVL
     88 VBA32
     78 CAT-QuickHeal
     65 SUPERAntiSpyware
     55 F-Prot
     55 Commtouch
     52 Rising
     46 eSafe
     34 eTrust-Vet
     34 ViRobot
     27 ClamAV
     12 ByteHero
      3 Prevx


Here are the top 25 detection names by number of samples detected under the same name:

    136 Microsoft = TrojanDownloader:Win32/Ponmocup.A
    106 Ikarus = Trojan.Win32.Pirminay
     96 VIPRE = Trojan.Win32.Generic!BT
     86 Emsisoft = Trojan.Win32.Pirminay!IK
     76 Comodo = TrojWare.Win32.Trojan.Agent.Gen
     76 Antiy-AVL = Trojan/Win32.Pirminay.gen
     74 Norman = W32/Obfuscated.L
     70 Panda = Trj/CI.A
     67 K7AntiVirus = Riskware
     63 K7AntiVirus = Trojan
     57 PCTools = Trojan.Gen
     56 Sophos = Mal/Generic-L
     52 Symantec = Trojan.Gen
     34 Avast = Win32:Malware-gen
     34 AhnLab-V3 = Trojan/Win32.Pirminay
     32 Sophos = Mal/Ponmocup-A
     32 NOD32 = Win32/TrojanDownloader.Agent.PXO
     32 Comodo = UnclassifiedMalware
     31 NOD32 = Win32/Qhost.NRX
     31 DrWeb = Trojan.Hosts.303
     30 eTrust-Vet = Win32/Swisyn.R
     30 VirusBuster = Trojan.Swisyn!whPY1JLc4mw
     30 ViRobot = Trojan.Win32.Swisyn.65024
     30 VIPRE = Trojan.Win32.Swisyn.jyb (v)
     30 TrendMicro-HouseCall = TROJ_FAM_00001e3.TOMA

Some A/V products use these common names (Ponmocup, Pirminay, Swisyn) but number the variants. Here is the number of different variant names per A/V:

     53 AhnLab-V3
     40 AntiVir
      3 Antiy-AVL
     10 Avast
      8 Avast5
     56 CAT-QuickHeal
      1 ClamAV
      2 Commtouch
      1 Comodo
      4 Emsisoft
      2 F-Prot
     33 Fortinet
      4 Ikarus
     57 Jiangmin
     95 Kaspersky
      1 McAfee
      1 McAfee-GW-Edition
      1 Microsoft
      2 NOD32
      1 Panda
      3 Sophos
     60 TheHacker
      2 TrendMicro
      2 TrendMicro-HouseCall
     45 VBA32
      2 VIPRE
      3 ViRobot
     21 VirusBuster
      1 eSafe
      3 eTrust-Vet
     58 nProtect


Highlighted are some A/V with the most detections under one well-known name, some variants of a well-known name, or some generic name.

You can make of this statistic whatever you like.


Updated 2012-05-30:

Here is a list of Ponmocup redirection domains & IPs from April and May 2012:



Since 2012-05-15 a new IP (178.211.33.205) and several new domains have been used.
The "*" subdomain stands in for the source-port number (4 to 5 digits), but recently I've seen some random alphabetic subdomains (e.g. "fliboyshit.zk28wines.com"), which I've noted as "(random-alpha)*".

And here are some more infected servers: (malware-domain / infected-server-domain)

Using "/cgi-bin/r.cgi" redirection pattern:

herocopter.com  www.drdracingheads.com
earlyanswered.com  skyfield.eu
earlyanswered.com  www.thorenberg.ch
costslaid.com  www.comedy-hamburg.de
teethalong.org  www.brautwelt.com

Using "/url" redirection pattern:

turboldd.greensforum.com  www.tanz-tschui.ch
64890.customshowerdoorandclosets.com  www.novoglas.ch
elianis.funfitnessconcepts.com  shop.wiltec.info
62708.dancearkansas.com  www.westcoastsports.ca
40172.learn2drive4free.com  www.autocamp-nordsee.com
61136.3d-tablet.cc  www.europschool.net

54280.soroki.info  citv.nl
derhana.ottawaapplianceservice.com  www.zur-sonne.de
alqssas.kmpowersports.com  www.real-art.ch


The infection can still be verified with some online services like urlquery.net or Wepawet, as this example shows (for this type of infection urlvoid.com is ineffective!):

http://www.urlvoid.com/scan/zur-sonne.de/
Detections     0/32 (0.00%)
Status     CLEAN  -- is wrong!

http://urlquery.net/report.php?id=61463
http://urlquery.net/domainmap.php?id=61463

GET / HTTP/1.1
Host: www.zur-sonne.de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=search

HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 30 May 2012 19:58:03 GMT
Server: Apache
Set-Cookie: wXu=88; path=/; domain=www.zur-sonne.de; expires=Thu, 07-Jun-2012 06:43:03 GMT
Location: http://derhana.ottawaapplianceservice.com/url?sa=D&source=web&cd=40&ved=0Y0njnzC0&url=http://www.zur-sonne.de/&ei=2ZIhfanJ4a20qo2MzFI19pu1pw==&usg=VtQuEf-ZH8RtWK5VeBWaYx&sig2=TcdEGbs2CczezFymxobGQs
Content-Length: 409
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive


http://www.urlvoid.com/scan/brautwelt.com/
Detections     0/32 (0.00%)
Status     CLEAN  -- is wrong!

http://urlquery.net/report.php?id=61035
http://urlquery.net/domainmap.php?id=61035

http://wepawet.cs.ucsb.edu/view.php?hash=7bd389d100b214c2c3d828a625a4d960&t=1338367510&type=js

So much for now, will update later :)


Updated 2012-05-31: new IP in new AS from Ukraine

Since yesterday there seems to be a new domain and IP used for redirection.

*.suncoastintegration.com / 91.207.4.51

http://urlquery.net/report.php?id=61824
http://urlquery.net/domainmap.php?id=61824

GET / HTTP/1.1
Host: www.haar-kosmetik-elke.at
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.ch/search?q=haare elke

HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 31 May 2012 15:22:26 GMT
Server: Apache
Set-Cookie: ycg=7; path=/; domain=www.haar-kosmetik-elke.at; expires=Thu, 07-Jun-2012 22:09:26 GMT
Location: http://64818.suncoastintegration.com/url?sa=D&source=web&cd=35&ved=0Uwyx0bHq&url=http://www.haar-kosmetik-elke.at/&ei=2ZIve67N5qe9r42LzFUw9Ju1pA==&usg=qxAULtLuZCKhxlKx8jozeI&sig2=Xbx4cH8V3ygWhtyx7magT7
Content-Length: 488
Connection: close
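The two captured exchanges above share a recognisable shape: a request with a search-engine Referer, answered by a 302 whose Location points to a different host with a port-number or random-alpha first label, a Google-lookalike "/url?sa=D&source=web&..." path and the original site echoed in the "url=" parameter (or the "/cgi-bin/r.cgi" path). As an added example that is not code from the original post, the following Python encodes those traits as a check a defender can run over proxy or IDS captures; the host names come from the post, the "/cgi-bin/r.cgi" Location and the benign same-host redirect are constructed, and the subdomain and referer regexes are assumed heuristics.

```python
"""Flag HTTP 302 responses matching the Ponmocup redirection pattern (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Assumed heuristics: search-engine Referer, and a first DNS label that is a
# 4-5 digit source port or a short random alphabetic string ("64818", "derhana").
SEARCH_REFERER = re.compile(r"^https?://(www\.)?(google|bing|yahoo)\.[a-z.]+/search\?", re.I)
PORT_OR_ALPHA_LABEL = re.compile(r"^(?:\d{4,5}|[a-z]{5,12})$")
# Parameter names of the Google-lookalike "/url" redirector seen in the captures.
GOOGLE_LIKE_KEYS = {"sa", "source", "cd", "ved", "url", "ei", "usg", "sig2"}

@dataclass
class Exchange:
    host: str            # Host header of the request to the suspected site
    referer: str         # Referer header ("" if absent)
    status: int          # HTTP status code of the response
    location: str = ""   # Location header of the response, if any

def redirect_indicators(ex: Exchange) -> list[str]:
    """Return the matched traits; an empty list means nothing suspicious."""
    hits: list[str] = []
    if ex.status != 302 or not ex.location:
        return hits
    loc = urlsplit(ex.location)
    if not loc.hostname or loc.hostname == ex.host:
        return hits      # same-host redirects (e.g. http -> https) are normal
    if SEARCH_REFERER.match(ex.referer):
        hits.append("search-engine-referer")
    labels = loc.hostname.split(".")
    if len(labels) >= 3 and PORT_OR_ALPHA_LABEL.match(labels[0]):
        hits.append("port-or-random-subdomain")
    if loc.path == "/cgi-bin/r.cgi":
        hits.append("r.cgi-path")
    elif loc.path == "/url":
        qs = parse_qs(loc.query)
        if GOOGLE_LIKE_KEYS.issubset(qs) and qs["sa"] == ["D"] and qs["source"] == ["web"]:
            hits.append("google-lookalike-url-path")
            if urlsplit(qs["url"][0]).hostname == ex.host:
                hits.append("echoes-original-host")
    return hits

def is_ponmocup_redirect(ex: Exchange) -> bool:
    """Off-host redirect with the redirector URL shape; referer/subdomain raise confidence only."""
    hits = redirect_indicators(ex)
    return "r.cgi-path" in hits or (
        "google-lookalike-url-path" in hits and "echoes-original-host" in hits)

# The two exchanges captured in the post.
ZUR_SONNE = Exchange(
    host="www.zur-sonne.de", referer="http://www.google.ch/search?q=search", status=302,
    location="http://derhana.ottawaapplianceservice.com/url?sa=D&source=web&cd=40"
             "&ved=0Y0njnzC0&url=http://www.zur-sonne.de/&ei=2ZIhfanJ4a20qo2MzFI19pu1pw=="
             "&usg=VtQuEf-ZH8RtWK5VeBWaYx&sig2=TcdEGbs2CczezFymxobGQs")
HAAR_KOSMETIK = Exchange(
    host="www.haar-kosmetik-elke.at", referer="http://www.google.ch/search?q=haare elke",
    status=302,
    location="http://64818.suncoastintegration.com/url?sa=D&source=web&cd=35"
             "&ved=0Uwyx0bHq&url=http://www.haar-kosmetik-elke.at/&ei=2ZIve67N5qe9r42LzFUw9Ju1pA=="
             "&usg=qxAULtLuZCKhxlKx8jozeI&sig2=Xbx4cH8V3ygWhtyx7magT7")
# Constructed: the r.cgi pattern (query unknown) and a benign same-host redirect.
R_CGI = Exchange(host="www.drdracingheads.com", referer="http://www.google.ch/search?q=x",
                 status=302, location="http://herocopter.com/cgi-bin/r.cgi")
BENIGN = Exchange(host="www.example.com", referer="http://www.google.ch/search?q=x",
                  status=302, location="https://www.example.com/")

if __name__ == "__main__":
    for ex in (ZUR_SONNE, HAAR_KOSMETIK, R_CGI, BENIGN):
        print(ex.host, is_ponmocup_redirect(ex), redirect_indicators(ex))
```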