Wednesday, June 27, 2012

History of Ponmocup Malware / Botnet

This is a history of some events and publications about the Ponmocup malware or botnet.
(work in progress -- will get updated eventually)

There are many aliases from different A/V vendors as previously mentioned on my blog
(Ponmocup, Pirminay, Kryptik, Swisyn, Vundo, Monder, Virtumonde/Virtumondo etc.).
The name used most often lately is "Trojan Milicenso" by Symantec, which has a good blog post and detection description about it.
And it's been around at least since 2009, not just 2010 as mentioned in several places.

Update 2012-08-13: there have been some more related posts published since my original post

2012-07-02: Symantec blog "Printer Madness: W32.Printlove Video"

2012-06-25: ComputerWorld article "Malware infection forces printers to print garbled data"
2012-06-25: ITWorld "Printer malware – Wingdings gone wild"

2012-06-23: The Hacker News "Trojan.Milicenso - Printer Trojan cause massive printing"

2012-06-22: ZDNet "Thousands of office printers hit by 'gibberish' malware"
2012-06-22: Bloomberg Tech Blog "When Hackers Fumble: ‘Printer Bomb’ Noisily Announces Attack"
2012-06-22: NET-Security "Trojan infection triggers massive printing jobs"

2012-06-21: ARStechnica "Printer bomb malware wastes reams of paper, sparks pandemonium"
2012-06-21: SANS ISC diary "Print Bomb? (Take 2)"
2012-06-21: Symantec blog "Trojan.Milicenso: A Paper Salesman’s Dream Come True"

2012-06-14: Symantec KB article "Malware is causing network printers to print random ASCII characters"

2012-06-13: McAfee Threat Advisory "Vundo"

2012-06-08: SANS ISC diary "Print Bomb?" (see also comments)
2012-06-08: Symantec forum thread "Print server gone wild"

2012-06-07: McAfee community forum thread "Printer Virus?"

2012-06-03: c-APT-ure blog post "Introducing Ponmocup-Finder"

2012-05-16: Sophos detection "Troj/Ponmocup-F"

2012-04-27: c-APT-ure blog post "Hunting Ponmocup Botnet"

2012-04-13: Collection of my tweets on Storify "A/V failed for Ponmocup malware!?"

2012-04-08: IOC on ForensicArtifacts.com "Ponmocup IOC released"

2012-03-08: c-APT-ure blog post "Ponmocup, lots changed, but not all"

2012-02-20: Ponmocup analysis page created "Why so many diff A/V detections?"

2012-02-18: c-APT-ure blog post "Not APT, but nasty malware (Ponmocup botnet)"

2011-11-15: Mandiant forum thread started "IOC request for Ponmocup malware (botnet)"

2011-05-30: created web page "Collection of links related to the Ponmocup botnet"

2011-05-23: Abuse.ch blog "How Big is Big? Some Botnet Statistics"

2011-04-22: TrendMicro detection "TSPY_PIRMINAY.A"

2011-04-21: Malware Survival "Media Site Pimping Malware"

2011-04-20: Sophos detection "Mal/Ponmocup-A" (detailed analysis of 3 samples)

2010-12-06: SPAMfighter news: "New Trojan Blocks Access To Bittorrent Websites: Webroot"

2010-11-25: Softpedia news "The Pirate Bay and Mininova Blocked by Mysterious New Trojan"

2010-11-24: Webroot blog "Troublesome Trojan Trammels Torrent Sites"

2010-07-14: Symantec detection created "Trojan.Milicenso"

2010-06-04: Microsoft MPC Encyclopedia entry "TrojanDownloader:Win32/Ponmocup.A"

2010-03-19: Sophos detection "Troj/Mdrop-CLC"

2009-12-30: Microsoft MPC Detection initially created "TrojanDropper:Win32/Ponmocup.A"

2009-11-22: Microsoft MPC Detection initially created "TrojanDownloader:Win32/Ponmocup.A"

Please report any broken (or obviously wrong) links, thanks.

Feedback and questions are welcome!

@c_APT_ure

Sunday, June 3, 2012

Introducing Ponmocup-Finder

Update 2013-06-01:
Please also read my newer blog posts about Ponmocup:
Ponmocup-Finder has evolved into a little "workflow" :-)
  1. add new infected domains to the list
  2. daily cronjob to run Ponmocup-Finder
  3. latest Ponmocup-Finder script
  4. list of currently infected webservers
  5. history of all previously infected webservers
  6. notification lists for CH / LI and DE domains
If you can do notifications for any infected webservers, go ahead and feel free to let me know.

It would be great to see some search engines (like Google, MS Bing etc.) add checks for these infections to their spiders (they would only need to change the user-agent for one request per site), since infections happen only through search engine redirects.

Update 2012-10-18:
Finally I updated the ponmocup-finder script as promised. I also managed to download a new infector and analyze the malware in a VM. You can also just look at some screenshots of the analysis.
And lastly here are some network indicators of C2:

  intohave.com / 64.179.44.188  (DNS request only)
  88.216.164.117

For more malicious domains and IPs you can download my malware feeds (also using CIF) here:

http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt



Update 2012-09-25:
The Ponmocup finder script needs some updating / tweaking, since the redirection URL patterns changed massively again (samples). Instead of just checking for the two previously known URL patterns ("/url\?sa=|/cgi-bin/r.cgi\?p=") it should check whether the infected website's domain appears in the URI parameters of the redirection URL. I will update the script in this post as soon as I find time.

You may have recently read a lot of hype about Flame or SkyWiper "cyber weapon", the son (or big brother) of Stuxnet and Duqu, which was found on a few thousand systems in a limited number of countries for espionage. Interesting and somewhat impressive, but this post is not about any of this stuff.

The Ponmocup malware and botnet is something totally different. A year ago the botnet was several million bots in size (at least 4 million IPs, and possibly a multiple of that in bots) [1]. It does not target or discriminate against any specific country, so the chances of finding one of these bots in your network are likely greater than those of finding a Flame infection.
Please read my previous three posts about Ponmocup to get an idea of what it is and how it works.


[1] Not APT, but nasty malware (Ponmocup botnet)
[2] Ponmocup, lots changed, but not all
[3] Hunting Ponmocup Botnet

Just to clarify something first, this post is more about detecting hacked or infected web servers redirecting unsuspecting visitors to malware downloads than about detecting the infected bots themselves. For the latter see my request to researchers to find current C&C domains in [3].

I don't know of any service (including all 32 on urlvoid.com) that detects these infected web servers.

So I threw together this little shell script that takes a list of domains and checks, with a single request per domain, whether it is infected and redirecting visitors to Ponmocup malware (see [2]).

This script is aimed at registrars, ISPs, web hosters, GovCERTs, malware researchers, botnet hunters, or generally anyone who wants to find (and hopefully report) infected web servers and who has access to a large number of domains.

$ cat ponmocup-finder.sh
#!/bin/bash
# Takes a file with one domain per line ($1) and sends a single request per domain,
# looking like a browser that arrived from a Google search, because the malicious
# .htaccess only redirects visitors coming through a search engine.
echo "date started: $(date)"
while read -r domain; do
  echo -ne "checking domain: $domain --> ";
  # -S writes the server headers (including "Location:") into the log; wget then
  # follows the redirect, so the log gets a second "Resolving" line for the target.
  wget -Sv --tries=1 --connect-timeout=5 \
    --user-agent="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" \
    --referer="http://www.google.ch/search?q=ponmocup+check" \
    "http://${domain}/" -O "${domain}.out" > "${domain}_wget.log" 2>&1
  redir=$(egrep -m 1 "Location: " "${domain}_wget.log")
## old check: the two previously known redirect URL patterns
## match=$(echo $redir | egrep "(/url\?sa=|/cgi-bin/r.cgi\?p=)" | wc -l)
  # new check: the checked domain appears in the query string of the redirect URL.
  # "cut -s" drops lines without a "?", so a redirect without parameters (e.g. to
  # www.<domain>) is not counted; "grep -F" matches the domain literally (no regex dots).
  match=$(echo $redir | cut -s -d"?" -f2- | grep -F -- "$domain" | wc -l)
  if [ $match -gt 0 ]
  then
    echo -ne "seems to be INFECTED: "
    # $redir is left unquoted on purpose: the header line is indented and the word
    # splitting removes the leading blanks before the URL is taken as field 2
    echo -ne $(echo $redir | cut -d" " -f2 | cut -d"?" -f1)
    egrep -m 2 "Resolving " "${domain}_wget.log" | tail -1 | sed -e 's/Resolving/ --> DNS:/g'
  else
    echo "seems to be CLEAN"
  fi
done < "$1"
echo "date finished: $(date)"
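Here is an added example (not the blog's own script and not part of the Ponmocup-Finder workflow) that turns the redirect test into shell functions which can be exercised without network access. It applies both rules at once: the two legacy URL patterns, and the newer check from the 2012-09-25 update that the checked domain has to appear in the query string of the redirect URL. The live check uses curl instead of wget (my assumption; the user-agent and referer values are the ones from the script above), and the domains and Location values in the built-in demo are constructed, not observed.

```shell
#!/bin/sh
# Added example, not the blog's script: the Ponmocup-Finder redirect test as
# shell functions. The live check assumes curl is installed (the post uses
# wget); UA and referer are the values from the post.

UA="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
REFERER="http://www.google.ch/search?q=ponmocup+check"

# ponmocup_redirect_check DOMAIN LOCATION
# Exit 0 when LOCATION (the redirect target served to DOMAIN's visitor) matches
# either rule from the post:
#   1. the legacy path patterns "/url?sa=" or "/cgi-bin/r.cgi?p=", or
#   2. the checked DOMAIN appears in the query string of the redirect URL.
# A redirect without a query string never matches rule 2, so an ordinary
# "example.com -> www.example.com" redirect is not reported as infected.
ponmocup_redirect_check() {
    domain=$1
    location=$2
    case "$location" in
        *"/url?sa="*|*"/cgi-bin/r.cgi?p="*) return 0 ;;
    esac
    case "$location" in
        *"?"*) query=${location#*"?"} ;;
        *)     return 1 ;;
    esac
    case "$query" in
        *"$domain"*) return 0 ;;
    esac
    return 1
}

# classify_redirect DOMAIN LOCATION -> prints INFECTED or CLEAN
# (an empty LOCATION means the server did not redirect at all)
classify_redirect() {
    if [ -n "$2" ] && ponmocup_redirect_check "$1" "$2"; then
        echo INFECTED
    else
        echo CLEAN
    fi
}

# check_domain DOMAIN: one request with the browser UA and search-engine
# referer; curl does not follow redirects without -L, so only the first
# Location header of DOMAIN's own answer is examined.
check_domain() {
    domain=$1
    location=$(curl -s -o /dev/null -D - --connect-timeout 5 --max-time 20 \
                    -A "$UA" -e "$REFERER" "http://$domain/" 2>/dev/null \
               | tr -d '\r' | sed -n 's/^[Ll]ocation: //p' | head -n 1)
    printf 'checking domain: %s --> %s' "$domain" "$(classify_redirect "$domain" "$location")"
    if [ -n "$location" ]; then
        printf ' (redirect to %s)' "${location%%\?*}"
    fi
    printf '\n'
}

if [ $# -gt 0 ]; then
    # Live mode: a file with one domain per line, as in the post.
    while read -r domain; do
        if [ -n "$domain" ]; then check_domain "$domain"; fi
    done < "$1"
else
    # Offline demo on constructed domain/Location pairs (made-up .test names).
    for entry in \
        "site-a.test|http://redir-a.test/cgi-bin/r.cgi?p=site-a.test" \
        "site-b.test|http://redir-b.test/go?u=http://site-b.test/index" \
        "site-c.test|http://www.site-c.test/" \
        "site-d.test|"; do
        domain=${entry%%|*}
        location=${entry#*|}
        printf '%s -> %s\n' "$domain" "$(classify_redirect "$domain" "$location")"
    done
fi
```

Run it with a file of domains as the first argument to check them live; with no argument it classifies the four constructed cases (legacy pattern, domain in query string, plain www redirect, no redirect), of which only the first two are reported as INFECTED.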


Now let's run this script with a list of 88 domains (known to have been previously infected)

$ ./ponmocup-finder.sh domains-1.txt | tee ponmocup-finder_domains-1.log
checking domain: aviationhumor.net --> seems to be INFECTED: http://philosophymercer.com/cgi-bin/r.cgi --> DNS: philosophymercer.com... 62.212.74.228
checking domain: bgs-architekten.com --> seems to be INFECTED: http://capitalinformer.com/cgi-bin/r.cgi --> DNS: capitalinformer.com... 82.98.86.165

...
checking domain: www.w-en-ve.nl --> seems to be INFECTED: http://reportedtechniques.org/cgi-bin/r.cgi --> DNS: reportedtechniques.org... 208.91.197.108

How long did it take to check these 88 domains? About 160 seconds.

$ egrep "date " ponmocup-finder_domains-1.log
date started: Sat Jun  2 18:33:08 CEST 2012
date finished: Sat Jun  2 18:35:48 CEST 2012


Let's separate the clean and infected domains and do some stats:

$ egrep CLEAN ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_CLEAN.log
$ egrep INFECTED ponmocup-finder_domains-1.log > ponmocup-finder_domains-1_INFECTED.log
$ wc -l ponmocup-finder_domains-1_*.log
   36 ponmocup-finder_domains-1_CLEAN.log
   52 ponmocup-finder_domains-1_INFECTED.log
   88 total

Let's look at the malware domains and IPs (these are not C&C domains of infected clients):

Important note: some of the older, inactive domains appear to have been grabbed by some domain parking services. Thus not all domains and IPs below are used for malware distribution. I need to separate the good from the bad and ugly (later).

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2" "$1 }' | sort | uniq -c
      1 176.53.112.108 ceprez.recycling-computers-portland.com...
      1 178.211.33.202 49847.hotel-sarajevo.com...
      1 178.211.33.202 lerberg.belanyi.com...
      1 178.211.33.203 38831.learn2drive4free.com...
      1 178.211.33.203 45215.thomasyohannan.com...
      1 178.211.33.203 46722.azangelfish.com...
      1 178.211.33.205 vamped.wonderfulroofing.com...
      3 199.59.241.218 herocopter.com...
      3 199.59.241.218 indanetwall.net...
      1 199.59.241.218 infernomag.com...
      2 208.91.197.108 reportedtechniques.org...
      2 217.11.251.173 underbuild.net...
      6 62.212.74.224 lewisentitled.com...
      2 62.212.74.228 philosophymercer.com...
      1 69.43.161.177 trialworld.net...
      1 77.79.11.96 45531.3d-tablet.cc...
      1 77.79.11.96 45585.3d-tablet.cc...
      2 82.98.86.165 capitalinformer.com...
      1 8.5.1.34 jesusonlynet.org...
      1 91.207.4.51 41950.thepetserver.com...
      1 91.207.4.51 52984.pballgames.com...
      1 94.63.149.247 handsexual.com...
      1 failed: 35803.finishline-fitness.co.uk...
      1 failed: 43560.vicandbarbs.net...
      1 failed: apartliberal.com...
      4 failed: besidesdream.com...
      2 failed: costslaid.com...
      3 failed: dutytraditional.net...
      1 failed: earlyanswered.com...
      1 failed: interestingchapter.net...
      1 failed: thousandmilitary.com...
      1 failed: twiceseparate.com...
      1 failed: watchingsquare.com...

And here are just the IPs:

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2 }' | sort | uniq -c
      1 176.53.112.108
      2 178.211.33.202
      3 178.211.33.203
      1 178.211.33.205
      7 199.59.241.218
      2 208.91.197.108
      2 217.11.251.173
      6 62.212.74.224
      2 62.212.74.228
      1 69.43.161.177
      2 77.79.11.96
      2 82.98.86.165
      1 8.5.1.34
      2 91.207.4.51
      1 94.63.149.247
     17 failed:

And here's a list of all malware domains and IPs discovered (numeric-only subdomains replaced with "*"):

$ cat ponmocup-finder_domains-1_INFECTED.log | cut -d":" -f5- | awk '{ print $2"\n"$1 }' | sed -e 's/[0-9][0-9][0-9][0-9][0-9]/\*/g' | sed -e 's/\.\.\.//g' | sort | uniq | egrep -v failed
176.53.112.108
178.211.33.202
178.211.33.203
178.211.33.205
199.59.241.218
208.91.197.108
217.11.251.173
62.212.74.224
62.212.74.228
69.43.161.177
77.79.11.96
82.98.86.165
8.5.1.34
91.207.4.51
94.63.149.247
*.3d-tablet.cc
apartliberal.com
*.azangelfish.com
besidesdream.com
capitalinformer.com
ceprez.recycling-computers-portland.com
costslaid.com
dutytraditional.net
earlyanswered.com
*.finishline-fitness.co.uk
handsexual.com
herocopter.com
*.hotel-sarajevo.com
indanetwall.net
infernomag.com
interestingchapter.net
jesusonlynet.org
*.learn2drive4free.com
lerberg.belanyi.com
lewisentitled.com
*.pballgames.com
philosophymercer.com
reportedtechniques.org
*.thepetserver.com
*.thomasyohannan.com
thousandmilitary.com
trialworld.net
twiceseparate.com
underbuild.net
vamped.wonderfulroofing.com
*.vicandbarbs.net
watchingsquare.com

And here's the list of infected domains (servers with a malicious .htaccess file):

$ cat ponmocup-finder_domains-1_INFECTED.log | awk '{ print $3 }' | sort | uniq
aviationhumor.net
bgs-architekten.com
cryptonaux.co.uk
europschool.net
flowerbouquetsforweddings.com
hellokittyfighters.de
insurancepersonalpropertyassessments.com
pippatoledoshop.com
rabita-ms.ch
schoenstefaschingskostueme.com
www.apollonreisen.com
www.armsnetafrica.org
www.artistas-americanos.com
www.autocamp-nordsee.com
www.aylar.no
www.babfinance.net
www.canadawideflowers.ca
www.chinchillazucht.eu
www.demton.hu
www.dynam-med.info
www.europschool.net
www.extremebusa.com
www.feliceapicella.it
www.ferienwohnung-hotels-kroatien.de
www.flowerbouquetsforweddings.com
www.football-session.com
www.forexonlinegeheimnisse.com
www.guatemala-tourisme.info
www.hexenkostueme.com
www.hillsidebeachclub.com
www.hotelanderoper.com
www.hypequest.com
www.jenniferhejna.com
www.krcgent.be
www.lotex24.net
www.lotusnaturalspa.ch
www.moebel-direkt.net
www.oceanview-house.com
www.pr-klartext.de
www.ps3-fifaliga.de
www.radiofreecuba.com
www.smelugano2.ch
www.stadtbredimus.lu
www.stublla.net
www.sudani.co.za
www.swisshelp.info
www.thehighheelstore.com
www.theleesonhotel.com
www.titan.vc
www.vdomil.com
www.voegelitherapie.com
www.w-en-ve.nl
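The one-liners above (cut on colons, awk, sed, sort, uniq) can be collected into a few reusable functions. This is an added example and not the blog's own pipeline; the log it processes is constructed in the finder's output format with made-up .test hosts and documentation IP ranges, so no real indicator appears in it. Splitting on the " --> DNS: " marker instead of on the fifth colon keeps the parsing correct when a redirect URL contains extra colons (a port, for example), and the numeric-subdomain mask is applied to host names only, so IP addresses are never mangled.

```shell
#!/bin/sh
# Added example (not from the post): post-processing of Ponmocup-Finder output.
# The sample log below is constructed in the finder's output format; its hosts,
# IPs and .test domains are made up, not observed indicators.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
date started: Sat Jun  2 18:33:08 CEST 2012
checking domain: example-one.test --> seems to be INFECTED: http://mal-a.test/cgi-bin/r.cgi --> DNS: mal-a.test... 192.0.2.10
checking domain: example-two.test --> seems to be CLEAN
checking domain: www.example-three.test --> seems to be INFECTED: http://mal-a.test/cgi-bin/r.cgi --> DNS: mal-a.test... 192.0.2.10
checking domain: example-four.test --> seems to be INFECTED: http://12345.mal-b.test/url --> DNS: 12345.mal-b.test... 198.51.100.7
checking domain: example-five.test --> seems to be INFECTED: http://mal-c.test/cgi-bin/r.cgi --> DNS: mal-c.test... failed: Name or service not known.
checking domain: example-six.test --> seems to be CLEAN
date finished: Sat Jun  2 18:35:48 CEST 2012
EOF

# count_status LOG CLEAN|INFECTED -> number of domains with that verdict
count_status() {
    grep -c "seems to be $2" "$1" || true
}

# Everything after the " --> DNS: " marker is "<host>... <ip or failed:>".
# malware_hosts_by_ip LOG -> "<n> <ip|failed:> <host>" per distinct pair
malware_hosts_by_ip() {
    awk -F' --> DNS: ' '/INFECTED/ { split($2, f, " "); sub(/\.\.\./, "", f[1]); print f[2], f[1] }' "$1" \
        | LC_ALL=C sort | uniq -c
}

# malware_indicators LOG -> unique hosts and IPs; a leading all-numeric label
# of a host is masked as "*" (only hosts, so IPs stay intact) and the "failed:"
# token of DNS failures is dropped while the host itself is kept
malware_indicators() {
    awk -F' --> DNS: ' '/INFECTED/ {
            split($2, f, " ");
            sub(/\.\.\./, "", f[1]);
            sub(/^[0-9]+\./, "*.", f[1]);
            if (f[2] != "failed:") print f[2];
            print f[1]
        }' "$1" | LC_ALL=C sort -u
}

# infected_domains LOG -> the checked domains that redirected (servers with the
# malicious .htaccess)
infected_domains() {
    awk '/INFECTED/ { print $3 }' "$1" | LC_ALL=C sort -u
}

echo "clean:    $(count_status "$SAMPLE_LOG" CLEAN)"
echo "infected: $(count_status "$SAMPLE_LOG" INFECTED)"
echo "--- malware hosts by IP ---"; malware_hosts_by_ip "$SAMPLE_LOG"
echo "--- indicators ---";          malware_indicators "$SAMPLE_LOG"
echo "--- infected domains ---";    infected_domains "$SAMPLE_LOG"
```

Point the functions at a real ponmocup-finder log instead of the sample to get the same three listings the post shows; the sort uses the C locale so the output order is stable across machines.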

I'd be curious to know what percentage (or ppm) of any list of domains would be infected. Anyone want to take a guess?