2013-12-07 - Landscape
One ...random...Gameover Zeus Team Pony sample Story
[Image: Pony icon above a fragment of a Khaled Desouki photo tied to the Tahrir Square events]
<edit 2013-12-09>
It has been pointed out (and proven offline - thanks Franc!) that the sample SpiderLabs is pointing to is not related to that Pony DB. It's a coincidence that it matches the scale.
--
I have fixed this post accordingly.
</edit>
AFAIK such a huge Pony could be owned by only two teams:
the /Home/ gang (Darkleech/Nymaim) or the ZGO team (Gameover Zeus aka Zeus P2P).
(If you want to know more about those names, please refer to: Paunch's arrest...The end of an Era!)
I decided to write this after reading
FAQ: Pony Malware Payload Discovery, published yesterday by the SpiderLabs team.
[Image: reply to the hash of the Pony]
I figured out that I was the one who submitted it, on 2013-06-06.
So I did some searching and can tell you where this specific sample comes from.
It belongs to the Gameover Zeus team, the one that was operating the Blackhole /Topic/ thread when Paunch got arrested. In June the thread folder was /news/ (this can be confusing because the same thread folder was used later by another group, the one Conrad from the Dynamoo blog refers to as ru:8080).
Here is what I wrote in the "End of an Era" post:
"This is the Blackhole with the highest number of threads. Not sure it can be operated by only one guy. Or he must be really well organised!
Distribution: many compromised websites (OT: they are also working a lot via mail attachments)
Threats: more than 60 threads. More than 2000 rotating samples a day.
The main activity is pushing Pony (a different one for many threads) as a loader for ZeusGameOver.
But we could also see: Medfos, MagicTraffic (PPI ClickFraud tied to Zaccess), some FakeAV, even Kovter ransomware."
That specific instance of Pony was pushed in one of those threads: the one associated with the Blackhole file abff4e31ce.
You may find it in your logs (May/June at least) by looking for:
2v:2w:33:33:1j:32:1i:1g:30:32
which was the pattern for that specific file in June, until Blackhole went to v2.1. Then that pattern became:
61626666346533316365
(which is simply the ASCII hex spelling of abff4e31ce), then
525357572h562g2e5456
and then
898a8e8ew98dw8w68b8d
etc....
This is the value of the 2nd parameter of the payload URL, meaning that if you see it, the payload has been downloaded.
[Image: illustration of the 2nd parameter value of the payload URL for another file: f6bd835642]
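As an added example (this is not code from the original post, just a way to put the hunting technique above into practice), here is a small Python log hunter. It keys on the value of the second query-string parameter of the payload URL, whatever that parameter is called, and maps it back to the Blackhole file ID. The v2.1-era value 61626666346533316365 is the ASCII hex spelling of abff4e31ce, so that form is derived for any file ID you track; the other encodings listed above are matched verbatim, no decoder for them is attempted. The proxy-log layout, hostnames and sample lines are constructed for the example and are not any real vendor format.

```python
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Blackhole file IDs whose payload downloads we want to spot. abff4e31ce is the
# file named in the post; f6bd835642 is the one shown in the illustration.
TRACKED_FILE_IDS = ("abff4e31ce", "f6bd835642")

# Other encodings of the abff4e31ce value, copied verbatim from the post and
# matched literally (no decoder for them is attempted here).
LITERAL_PATTERNS = {
    "2v:2w:33:33:1j:32:1i:1g:30:32": "abff4e31ce",
    "525357572h562g2e5456": "abff4e31ce",
    "898a8e8ew98dw8w68b8d": "abff4e31ce",
}


def hex_pattern(file_id):
    """Blackhole 2.1-era form: the file ID spelled out as ASCII hex.
    hex_pattern("abff4e31ce") gives "61626666346533316365", the value quoted in the post."""
    return binascii.hexlify(file_id.encode("ascii")).decode("ascii")


def build_pattern_table(file_ids=TRACKED_FILE_IDS, literals=LITERAL_PATTERNS):
    """Map every known 2nd-parameter value back to the Blackhole file ID it identifies."""
    table = {hex_pattern(fid): fid for fid in file_ids}
    table.update(literals)
    return table


def second_param_value(url):
    """Value of the second query-string parameter, whatever its name, or None.
    Parameter names rotate, so the lookup is by position, not by name."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return params[1][1] if len(params) >= 2 else None


# Assumed proxy-log layout (constructed for this example, not a real vendor format):
#   <timestamp> <client-ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_log(lines, table=None):
    """Return one hit per log line whose payload URL carries a tracked pattern.
    The HTTP status is kept so a 200 (payload actually served) can be told
    apart from a request that never got the binary."""
    table = build_pattern_table() if table is None else table
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        value = second_param_value(m.group("url"))
        if value is None or value not in table:
            continue
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "file_id": table[value],
            "pattern": value,
            "downloaded": m.group("status") == "200",
        })
    return hits


# Constructed sample lines: hosts, paths and parameter names are placeholders;
# only the second-parameter values are the ones quoted in the post.
SAMPLE_LOG = """\
2013-06-12T10:14:03 10.0.0.21 GET http://compromised.example/news/a.php?rlhg=1f:1j:1k&ykby=2v:2w:33:33:1j:32:1i:1g:30:32 200
2013-06-12T10:14:05 10.0.0.21 GET http://www.example.org/index.php?id=5&page=2 200
2013-08-02T09:01:55 10.0.0.34 GET http://another.example/news/b.php?utq=3h&hwma=61626666346533316365&x=1 200
2013-08-02T09:03:10 10.0.0.34 GET http://another.example/news/b.php?only=61626666346533316365 200
2013-09-15T17:40:22 10.0.0.77 GET http://third.example/news/c.php?a=2v&b=66366264383335363432 404
""".splitlines()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the constructed sample the fourth line is deliberately not a hit: the known value sits in the first parameter, not the second, which is the kind of false positive a plain grep for the string would produce. The last line shows why the status is kept: the pattern for f6bd835642 was requested but answered with a 404, so the binary was never served.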
Note: this was a way to follow a specific threat. I love graphs and would be happy to show you a Fiddler capture of an infection by this Pony... the problem is that I don't have one... because wget is a far easier way to grab payloads than a high-interaction honey client. Yes, wget <3 Blackhole :)
I have at least 480 items from that same rotating instance of Pony.
Here is the MD5 list : http://pastebin.com/raw.php?i=VTKCDDSE
Here are the samples
Disclaimer!!
I know that many other "instances" of Pony from this group were talking to that same CnC infrastructure: from other threads of the same Blackhole, from fake Chrome/Flash updates, from mail attachments. You have already read about their activity multiple times. I just filtered the ones that were from the exact same rotation...
To give you an idea, from the Blackhole of that team I grabbed around 245,000 samples between April and September.
Now you may understand if I confess that I feel almost sad looking at the picture of Paunch published by CertGIB ;)
-- Side note:
They were not using the leaked version of Pony. The coder of that loader/stealer may even be a member of that team (or at least was really tied to it).
Read More:
Two million stolen passwords: How to protect yourself - 2013-12-06 - SpiderLabs
FAQ: Pony Malware Payload Discovery - 2013-12-06 - SpiderLabs
Look What I Found: Moar Pony! - 2013-12-03 - Daniel Chechik and Anat (Fox) Davidi, SpiderLabs
Paunch's arrest...The end of an Era! - 2013-10-11
Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign - 2013-06-04 - Hendrik Adrian, MalwareMustDie
ZeuS-P2P monitoring and analysis (PDF) - 2013-06 - CertPL
Fake Adobe Flash Updates Resurface on the Web - 2013-01-24 - Jovi Umawing, ThreatTrack
The Lifecycle of Peer-to-Peer (Gameover) ZeuS - 2012-07-23 - Brett Stone-Gross, Dell SecureWorks