2013-12-07 - Landscape

One ...random...Gameover Zeus Team Pony sample Story

[Image: Pony icon above a fragment of a Khaled Desouki photo tied to the Tahrir Square events]
A post to share some intel on the "Moar Pony" sample pointed to by SpiderLabs in the "Moar Pony" FAQ.

<edit 2013-12-09>
It has been mentioned (and proved offline - thanks Franc!) that the sample SpiderLabs is pointing to is not related to that Pony DB. It's a coincidence that it matches the scale.
--
I have fixed this post accordingly.
</edit>

AFAIK such a huge Pony could be owned by only two teams:
the /Home/ gang (Darkleech/Nymaim) or the ZGO team (Gameover Zeus aka Zeus P2P).

(if you want to know more about those names, please refer to: Paunch's arrest...The end of an Era !)

I decided to write after reading :

FAQ: Pony Malware Payload Discovery, published yesterday by the SpiderLabs team.

[Image: reply to the hash of the Pony - looking at the names under which that sample was submitted]


I figured out that I was the one who submitted it, on 2013-06-06.
So I did some searching and can tell you where this specific sample comes from.

It belongs to the Gameover Zeus team, the one that was operating the Blackhole /Topic/ when Paunch got arrested. In June the thread folder was /news/ (this can be confusing because the same thread folder was later used by another group, which Conrad from the Dynamoo blog refers to as ru:8080).

Here is what I wrote in the "End of an Era post" :

"This is the Blackhole with the highest number of threads. Not sure it can be operated by only one guy. Or he must be really well organised!

Distribution: many compromised websites (OT: they are also working a lot via mail attachments)
Threats: more than 60 threads. More than 2000 rotating samples a day.
The main activity is pushing Pony (different for many threads) as a loader for ZeusGameOver.
But we could also see: Medfos, MagicTraffic (PPI ClickFraud tied to Zaccess), some FakeAV, even Kovter ransomware."

That specific instance of Pony was pushed in one of those threads, the one associated with the Blackhole file: abff4e31ce

You may find it in your logs (May/June at least) by looking for:
2v:2w:33:33:1j:32:1i:1g:30:32
which was the pattern for that specific file in June, until Blackhole moved to v2.1. Then that pattern became:
61626666346533316365
(which is simply the ASCII hex encoding of abff4e31ce), then
525357572h562g2e5456
and then
898a8e8ew98dw8w68b8d
etc....

This is the value of the 2nd parameter of the payload URL, meaning that if you see it in your logs, the payload has been downloaded.


[Image: illustration of the 2nd parameter value of the payload URL, for another file: f6bd835642]
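To make the "look for it in your logs" step concrete, here is an added example (mine, not code from the original post) that scans proxy-log lines for the four encodings listed above as the 2nd query-string parameter of a URL. The log lines and the parameter names in them are constructed for the example (Blackhole used random parameter names, so only the values matter); the 61626666346533316365 form is decoded back to abff4e31ce with plain hex decoding, and the later rotations are shown not to be plain hex, which is all the post supports about them.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Blackhole file id from the post and the successive encodings of it that were
# observed as the 2nd payload-URL parameter.
FILE_ID = "abff4e31ce"
KNOWN_PATTERNS = {
    "2v:2w:33:33:1j:32:1i:1g:30:32": "Blackhole 2.0 form (June 2013)",
    "61626666346533316365": "Blackhole 2.1 form: ASCII hex of the file id",
    "525357572h562g2e5456": "later 2.1 rotation",
    "898a8e8ew98dw8w68b8d": "later 2.1 rotation",
}


def hex_form(file_id: str) -> str:
    """ASCII-hex encoding of a file id (the second pattern listed in the post)."""
    return file_id.encode("ascii").hex()


def decode_hex_form(pattern: str) -> Optional[str]:
    """Inverse of hex_form; None when the pattern is not plain hex-encoded ASCII."""
    try:
        return bytes.fromhex(pattern).decode("ascii")
    except ValueError:
        return None


def second_param_value(url: str) -> Optional[str]:
    """Value of the 2nd query-string parameter of a URL, or None if there is none."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(params) < 2:
        return None
    return params[1][1]


# Constructed log lines: timestamp, client, method, URL, HTTP status.
# Hostname and parameter names are made up for the example.
SAMPLE_LOG = """\
2013-06-12T09:14:02Z 10.0.0.5 GET http://example.invalid/files/news.php?k=1&vcbn=2v:2w:33:33:1j:32:1i:1g:30:32 200
2013-06-12T09:20:11Z 10.0.0.8 GET http://example.invalid/index.php?id=42 200
2013-09-03T17:02:45Z 10.0.0.7 GET http://example.invalid/files/g.php?nmf=1a&ytr=61626666346533316365&q=0 200
2013-09-03T17:05:10Z 10.0.0.7 GET http://example.invalid/files/g.php?nmf=1a&ytr=898a8e8ew98dw8w68b8d 200
2013-09-04T08:00:00Z 10.0.0.9 GET http://example.invalid/files/g.php?nmf=1a&ytr=ffffffffffffffffffff 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_payload_hits(log_text: str, patterns=KNOWN_PATTERNS):
    """Return (client, timestamp, value, note) for every line whose 2nd URL
    parameter is a known pattern and whose request was answered with 200.
    The status check is this example's own caveat: a 200 is what shows the
    payload body actually came back, a blocked or failed fetch does not."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        value = second_param_value(url)
        if value in patterns and status == "200":
            hits.append((client, ts, value, patterns[value]))
    return hits


if __name__ == "__main__":
    print("hex form of", FILE_ID, "is", hex_form(FILE_ID))
    for pattern in KNOWN_PATTERNS:
        print(pattern, "->", decode_hex_form(pattern))
    for hit in find_payload_hits(SAMPLE_LOG):
        print(hit)
```

Run against real proxy logs, replace SAMPLE_LOG with the file contents and adapt LOG_RE to the log format; the value match itself is exact, so it is cheap to add more rotations to KNOWN_PATTERNS as they are observed.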


Note: this was a way to follow a specific threat. I love graphs and would be happy to show you a Fiddler capture of an infection by this Pony... problem is that I don't have one... because wget is a far easier way to grab payloads than a high-interaction honey client. Yes, wget <3 Blackhole :)

I have at least 480 items of that same rotating instance of Pony.
Here is the MD5 list: http://pastebin.com/raw.php?i=VTKCDDSE
Here are the samples

Disclaimer!!
I know that many other "instances" of Pony from this group were talking to that same CnC infrastructure: from other threads of the same Blackhole, from fake Chrome/Flash updates, from mail attachments. You have already read about their activity multiple times. I just filtered the ones that came from the exact same rotation...


To give you an idea, from the Blackhole of that team I grabbed, from April to September, around 245,000 samples.
Now you may understand if I confess that I feel almost sad looking at the picture of Paunch published by CertGIB ;)


-- Side note:
They were not using the leaked version of Pony. The coder of that loader/stealer may even be a member of that team (or at least was really tied to it).

Read More:
Two million stolen passwords: How to protect yourself - 2013-12-06 - SpiderLabs
FAQ: Pony Malware Payload Discovery - 2013-12-06 - SpiderLabs
Look What I Found: Moar Pony! - 2013-12-03 - Daniel Chechik and Anat (Fox) Davidi, SpiderLabs
Paunch's arrest...The end of an Era ! - 2013-10-11
Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign - 2013-06-04 - Hendrik Adrian, MalwareMustDie
ZeuS-P2P monitoring and analysis (PDF) - 2013-06 - CertPL
Fake Adobe Flash Updates Resurface on the Web - 2013-01-24 - Jovi Umawing, ThreatTrack
The Lifecycle of Peer-to-Peer (Gameover) ZeuS - 2012-07-23 - Brett Stone-Gross, Dell SecureWorks