DooMsDay
06-13-2013, 10:14 PM
For the past few months a new class of Malware called PONY Botnet has been detected on the Crimeware scene. The Pony control panel is identified by the logo of this animal, which appears in the famous Facebook game "Farmville".
http://2.bp.blogspot.com/-pjMkhVqiz1U/UPMGzibcehI/AAAAAAAAAYc/pIlrdmKeKhA/s1600/pony-logo.jpg
The login screen panel of this new botnet Pony is:
http://4.bp.blogspot.com/-5VOka5kVYjo/UPMITeUATQI/AAAAAAAAAY4/yWDsh1sZLfI/s400/pony-login-B.jpg
Once the control panel is accessed, it displays a menu with all available options. It can be seen that it has been developed to capture all types of passwords and login credentials of infected users when they access applications and Internet sites. This is a very powerful type of Spy - Keylogger Malware with very dangerous features.
http://2.bp.blogspot.com/-aT1hHqvjke4/UPMN_FVIaHI/AAAAAAAAAZU/FrolNuSjymU/s400/pony-B.jpg
The Pony Trojan is configured to capture all kinds of confidential information and access passwords for the following applications:
Passwords for FTP and SSH servers. The Trojan is able to recognize almost all FTP & SSH applications, both commercial and open source, and extract their credentials:
System Info, FAR Manager, Total Commander, WS_FTP, CuteFTP, FlashFXP, FileZilla, FTP Commander, BulletProof FTP, SmartFTP, TurboFTP, FFFTP, CoffeeCup FTP / Sitemapper, CoreFTP, FTP Explorer, Frigate3 FTP, SecureFX, UltraFXP, FTPRush, WebSitePublisher, BitKinex, ExpanDrive, ClassicFTP, Fling, SoftX, Directory Opus, FreeFTP / DirectFTP, LeapFTP, WinSCP, 32bit FTP, NetDrive, WebDrive, FTP Control, Opera, WiseFTP, FTP Voyager, Firefox, FireFTP, SeaMonkey, Flock, Mozilla, LeechFTP, Odin Secure FTP Expert, WinFTP, FTP Surfer, FTPGetter, ALFTP, Internet Explorer, Dreamweaver, DeluxeFTP, Google Chrome, Chromium / SRWare Iron, ChromePlus, Bromium (Yandex Chrome), Nichrome, Comodo Dragon, RockMelt, K-Meleon, Epic, Staff-FTP, AceFTP, Global Downloader, FreshFTP, BlazeFTP, NETFile, GoFTP, 3D-FTP, Easy FTP, Xftp, FTP Now, Robo-FTP, LinasFTP, Cyberduck, Putty, Notepad++, CoffeeCup Visual Site Designer, FTPShell, FTPInfo, NexusFile, FastStone Browser, CoolNovo, WinZip, Yandex.Internet, MyFTP, sherrod FTP, NovaFTP, Windows Mail, Windows Live Mail, Becky!, Pocomail, IncrediMail, The Bat!, Outlook, Thunderbird, FastTrack.
Screen from the FTP grabber management menu:
http://1.bp.blogspot.com/-wr5ASROxdAM/UPMONg0DRnI/AAAAAAAAAZc/2w6EgNEkZks/s320/pony-ftp.jpg
It also captures all kinds of e-mails and their passwords, stored certificates and RDP passwords.
http://4.bp.blogspot.com/-VQpltCMEr_g/UPMOZhrswtI/AAAAAAAAAZk/6kOx5rIO2wg/s400/pony-other.jpg
The control panel allows capturing all types of passwords for logging into web applications over HTTP and HTTPS. It has a very powerful filter to configure captures, selecting or excluding Internet domains to start capturing data when infected users access these pages, and selects by text strings, domains, countries, dates, etc.
http://1.bp.blogspot.com/-9WO8ktvqV0w/UPMRPBHRYkI/AAAAAAAAAa8/XxqCU6_PyHU/s400/pony-http.jpg
The statistical panel shows confidential data captured from Web browsing of infected users.
http://1.bp.blogspot.com/-dKUMv5cB-ew/UPMPV8WnhDI/AAAAAAAAAZ4/p_DcOyi1n5I/s400/pony-reports.jpg
Users compromised by the Trojan Pony are ordered by their IP; the information gathered can be selected for each user by selecting the desired IP profile:
http://1.bp.blogspot.com/-oWPobkoCT-g/UPMPSv0VVWI/AAAAAAAAAZw/Zfinbb24M9g/s400/pony-reports2-B.jpg
It is very interesting to see in the statistical panel the variety of data types that can be captured by the Trojan from infected users.
http://4.bp.blogspot.com/-JVx1MCOvQKI/UPMSoJsFLbI/AAAAAAAAAbY/jT7EWfEX1C8/s400/pony2.jpg
http://2.bp.blogspot.com/-ifajUK4q-z4/UPMPcpmwWrI/AAAAAAAAAaY/_u6YjWFcWSA/s400/pony-statistics.jpg
All captured data is encrypted and stored in a MySQL database to prevent it being stolen if someone gains access to this information:
http://2.bp.blogspot.com/-ze_6F8dK9io/UPMPasZeHVI/AAAAAAAAAaA/e1RbJTrN3Vw/s1600/pony-server-B.jpg
Finally we present part of the file structure of the PONY Trojan KIT:
http://3.bp.blogspot.com/-6Vfk0j_rDGE/UPMRJ5ekh3I/AAAAAAAAAa0/Upb9ngu1KFg/s400/files-kit.jpg
Other malicious addresses containing active Pony panels have also been found at:
hXXp://217.195.200.12:8080/ponyb/admin.php
hXXp://195.5.208.204:8080/ponyb/admin.php
hXXp://9jal33ts.com/ponysample/admin.php
hXXp://198.27.83.179/popo/
hXXp://hostohu.net/p0x/admin.php
hXXp://vpro.juplo.com/p/admin.php
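As an added defender-side example (not part of the original post), the script below matches URLs from a web-proxy log against the panel addresses listed above, so that infected hosts posting to a known Pony panel can be spotted in egress traffic. The log format (timestamp, client IP, method, URL, status) and the sample lines are constructed for this example; the indicators themselves are the ones in the post, un-defanged only as match strings.

```python
"""Flag proxy-log entries that reach the Pony panel locations listed in the post."""
from urllib.parse import urlsplit

# Indicators from the post, stored as (host[:port], path_prefix). The post writes
# them defanged as hXXp://; here they are plain strings compared against parsed URLs.
# The port is part of the indicator where the post gives one (e.g. :8080).
PONY_PANEL_IOCS = (
    ("217.195.200.12:8080", "/ponyb/admin.php"),
    ("195.5.208.204:8080", "/ponyb/admin.php"),
    ("9jal33ts.com", "/ponysample/admin.php"),
    ("198.27.83.179", "/popo/"),
    ("hostohu.net", "/p0x/admin.php"),
    ("vpro.juplo.com", "/p/admin.php"),
)

# Constructed sample log lines in a hypothetical format:
#   <unix_time> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1371161640.101 10.0.0.5 GET http://www.example.com/index.html 200
1371161641.220 10.0.0.7 POST http://217.195.200.12:8080/ponyb/admin.php 200
1371161642.330 10.0.0.9 GET http://198.27.83.179/popo/index.php 404
1371161643.440 10.0.0.5 GET http://vpro.juplo.com/other/page.html 200
1371161644.550 10.0.0.11 POST http://hostohu.net/p0x/admin.php 200
"""


def url_matches_ioc(url):
    """Return the (host, path_prefix) indicator the URL hits, or None."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    for ioc_host, ioc_path in PONY_PANEL_IOCS:
        # Host must match exactly (including port); path matches as a prefix so
        # that files under a listed panel directory (e.g. /popo/) are caught too.
        if host == ioc_host and parts.path.startswith(ioc_path):
            return (ioc_host, ioc_path)
    return None


def find_pony_panel_hits(log_text):
    """Scan log text; return a list of (client_ip, url, indicator) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than crash
        _ts, client, _method, url, _status = fields[:5]
        ioc = url_matches_ioc(url)
        if ioc is not None:
            hits.append((client, url, ioc))
    return hits


if __name__ == "__main__":
    for client, url, ioc in find_pony_panel_hits(SAMPLE_LOG):
        print(f"{client} -> {url} (matches {ioc[0]}{ioc[1]})")
```

Each hit identifies an internal client that contacted a listed panel, which is the machine to isolate and examine; a POST to `admin.php`-style paths is the pattern to look for, since the panel is where stolen credentials are delivered. The exact host match means a request to the same IP on a different port is not flagged; loosen that only if you have confirmed the panel answers on other ports.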
DOWNLOAD:
http://dmn.i-vis.ru/Pony 1.9.zip