I've been putting most of my research on a privately hosted page here:
(Sorry about the bad formatting and strange URL)
My very latest "OSINT research" is on the following page:
It shows that you can find many (recent and old) analysis reports just by googling a couple of registry keys or domains. These would also be good indicators to look for (hint).
My biggest questions are:
Why is this malware known under so many different names?
(Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
Why aren't AV companies connecting the dots?
So I would be interested to know if these keys exist on a clean system under any circumstance?

the existence or creation of a registry key, namely
There has been some cooperation to create IOCs and ET Snort rules to detect this malware:
A friend of mine (from the abuse.ch blog and ZeuS Tracker) was able to sinkhole some C&C domains for a while to estimate the botnet size, and it seemed to be quite big at that time (April - May 2011):
How Big is Big? Some Botnet Statistics
By the way, I've been tweeting about some general malware threat intel recently, which caught some attention on Digital4rensics blog (thanks Keith!)
How do you share your malware and threat intelligence?
Do you know of better ways or platforms to do it?
Feedback is welcome!
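To answer the "do these keys exist on a clean system?" question in practice, the usual approach is to sweep a set of known-clean baseline machines for the candidate keys and see whether any of them ever turn up. The script below is an added example, not code from the original post or from the research page it links to. The registry paths and host names in it are placeholders; the real indicator keys would have to be substituted from the research page.

```powershell
# Added example (not from the original post): check a list of registry-key
# indicators on the local host and on a set of baseline hosts. The key paths
# below are PLACEHOLDERS; replace them with the real indicator keys. Running
# this against known-clean machines shows whether the keys ever appear
# legitimately before they are relied on as standalone IOCs.

$IndicatorKeys = @(
    'HKLM:\SOFTWARE\Example\PlaceholderKey1',   # hypothetical, replace
    'HKCU:\Software\Example\PlaceholderKey2'    # hypothetical, replace
)

function Test-IndicatorKeys {
    param(
        [Parameter(Mandatory)] [string[]] $Keys
    )
    foreach ($key in $Keys) {
        $exists = Test-Path -LiteralPath $key
        $values = $null
        if ($exists) {
            # Capture the value names so a hit can be triaged without re-querying.
            $values = (Get-Item -LiteralPath $key).GetValueNames() -join ';'
        }
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            Key          = $key
            Present      = $exists
            ValueNames   = $values
            CheckedAt    = (Get-Date).ToString('s')
        }
    }
}

# Local check:
Test-IndicatorKeys -Keys $IndicatorKeys | Format-Table -AutoSize

# Fleet check over WinRM (needs PS Remoting enabled and admin rights on the
# targets). The key list is passed in explicitly because the remote
# scriptblock does not see local variables.
$Baseline = @('CLEAN-PC-01', 'CLEAN-PC-02')   # hypothetical known-clean hosts
$results = Invoke-Command -ComputerName $Baseline -ArgumentList (,$IndicatorKeys) -ScriptBlock {
    param([string[]] $Keys)
    foreach ($key in $Keys) {
        [PSCustomObject]@{
            Key     = $key
            Present = (Test-Path -LiteralPath $key)
        }
    }
}

# Any Present=True on a baseline host means the key is not safe as a
# standalone indicator and needs to be combined with other evidence.
$results | Where-Object Present | Select-Object PSComputerName, Key
```

One caveat when sweeping remotely: inside `Invoke-Command`, `HKCU:` resolves to the hive of the account running the remote session, not to the hives of the users who normally log on to that machine. For per-user keys, enumerate the loaded profiles under `HKU:` (or load the NTUSER.DAT files) instead of trusting an `HKCU:` check from a remote session.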