McAfee Labs

Variant of Pony Botnet Pickpockets Bitcoin Users

0
By on Jan 06, 2014

Last month the Pony Botnet became a household name when it was revealed that it had stolen more than two million social networking account passwords. This rather eye-catching headline is a side effect of the data that the botnet actually steals, which includes stored passwords, cache, and cookies from the following applications:

 

Chrome Cyberduck LeechFTP
Firefox Epic LinasFTP
Internet Explorer ExpanDrive Martin Prikryl
Opera FFFTP NCH Software
Windows Live Mail FileZilla NetSarang
BatMail FlashFXP Nichrome
BlazeFtp Fling NovaFTP
Bromium FTP Explorer Pocomail
BulletProof FTP FTPClient PuTTY
Chromium FTPHost Robo-FTP 3.7
ClassicFTP FTPRush RockMelt
Comodo FTPVoyager SFTP
Cryer Ghisler Thunderbird
CuteFTP 6, 7, 8 Global Downloader VanDyke
CuteFTP Lite K-Meleon Visicom Media
CuteFTP Pro LeapFTP

McAfee offers detection for Pony Botnet as Backdoor-FJW. This malware did not change much between May and November 2013, aside from the common tricks of malware authors to use custom packers to obfuscate their code from analysis. During a recent analysis of this threat, however, we have discovered a variant of the botnet that has added a small trick to its repertoire.

pony_bitcoin_upx

Once we removed the malware from its obfuscated shell we were able to see two small but important additions to the strings we would normally see in a pony botnet sample.

pont_bitcoin_strings

The preceding image shows the strings “wallet.dat” and “\Bitcoin” have been appended to the list of strings that we commonly see associated with this threat.Bitcoin has been in the news during the past year for its rising popularity, value, and the attention it has attracted from the cybercrime community. However, this is the first malware we have analyzed that seeks wallet.dat for exfiltration from a system. A close look at the functions used to accomplish this reveals that they work in much the same way that the malware has always stolen FTP credentials and server information.Using hardcoded strings and file names, the malware locates specific installed software from the list above in the registry and then extracts data from the data files known to coincide with that software.

pony_bitcoin_wallet

The malware operates in similar fashion here:

pony_bitcoin_ftp

There are two important takeaways from this analysis. The first is that encrypting your important information (Bitcoin wallet, confidential data, login information, etc.) cannot be overlooked. Simply having an encrypted Bitcoin wallet would render this new module useless for the malware authors. The second is that storing passwords or credentials in browsers or other software that you use to connect to any remote host is a bad idea. The threat landscape is constantly evolving: Even threats that have seemingly run their course pop up again with new tricks to meet their monetary goals.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>