Ponmocup: Largest Botnet 500k Current Infections

Checking your logs for anomalies is getting more difficult as time goes on.

There is a new report out by Fox-IT¹ that dissects a long-running botnet (a botnet is a network of infected computers controlled across the Internet). This botnet may be considered the largest and longest running, as it started around the early 2000 time era. At its peak in July 2011 there were 2.4 million infections.

[Image: Ponmocup infection counts, from the Fox-IT report]

A botnet is a term that describes a collection of computers (usually in the thousands) that are connected through a managing computer. This managing computer controls the thousands of computers and usually tells them to perform specific tasks.

The Ponmocup botnet is designed to learn information from the infected computers.  This botnet is Russian in origin as the instructions for business partners are in the Russian language. The interesting note is that Ponmocup has not infected post-Soviet countries.

This is a sophisticated program, as it has 7 components (also described as functions):

  1. delivery – how it infects the victim
  2. installer – installs itself and persists on the victim’s machine
  3. initiator – a Dynamic Link Library (DLL) that disguises itself and loads into memory
  4. loader – loads itself into the Windows registry and finds the main module
  5. main module – communicates with the command and control server (this is how it is controlled)
  6. plug-ins – provide specific functionality
  7. back-end infrastructure – used to control compromised systems

This program has likely taken some time to perfect and is likely being worked on and improved, as most standard programs are.

The idea is for the botnet program to defeat detection by most anti-virus programs (otherwise it will not work).

You can see in the report’s images the flow of:

Victim –> firewall –> botnet back-end infrastructure, monitor, and plug-ins –> controlled by what is called the Command and Control servers (criminal operator)

[Image: Ponmocup botnet infrastructure, from the Fox-IT report]

We will continue to investigate this botnet, as there is a lot of information on the Internet from past investigations, like the SANS online PDF² “My Name is Hunter, Ponmocup Hunter”.

And this is an interesting image from that investigation (2013).

[Image: from the 2013 SANS Ponmocup investigation]

What stands out to me in this image from SANS is that Ponmocup tries very hard to hide its trail.

I will continue to analyze this for my clients, as to how we can find this difficult-to-find botnet program.

  1. https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf
  2. https://digital-forensics.sans.org/summit-archives/DFIR_Summit/My-Name-is-Hunter-Ponmocup-Hunter-Tom-Ueltschi.pdf
