Ponmocup Botnet Still Actively Used for Financial Gain

Fox-IT, the security firm recently acquired by NCC Group for $142 million, has published a report on Ponmocup, a sophisticated botnet that has been used over the past years by cybercriminals for financial gain.

The malware powering the botnet has been around since 2006 and it’s known under various names, including Ponmocup, Vundo, Virtumonde, Milicenso and Swisyn. The malware has been used for ad fraud, data theft and downloading additional threats to infected systems.

Fox-IT believes the threat has infected more than 15 million unique devices since 2009 and experts estimate that the number of active infections is currently at 500,000. In May 2011, Abuse.ch reported sinkholing Ponmocup and observing 1.2 million unique infections within 24 hours. The number of infections peaked the next month at 2.4 million.

Ponmocup is currently one of the largest and longest-running botnets, but it hasn’t been in the news lately because its operators do their best to keep it under the radar. The malware made a lot of headlines in 2012 when it caused printers connected to infected machines to print garbled data.

The threat uses encryption and stores its components in different locations in an effort to evade detection by traditional security products. It also relies on different domains for installation, which prevents security teams from using the domains as indicators of compromise (IoC). Ponmocup can also steal FTP and Facebook credentials, which might be used by the attackers to further spread the malware and increase the size of the botnet.

Cybercriminals have also invested a lot of time and effort into setting up the infrastructure used to control the Ponmocup botnet. Different servers are used for each of the components and communications between the malware and the backend servers go through several proxy layers, which makes it difficult to disrupt the entire botnet.

“Based on the size of the command and control infrastructure, it is thought that the infrastructure is maintained, monitored and protected by a well-organized group of operators. This is amongst others based on the domains in use, number of proxies in use, estimated number of back-end systems, used delivery methods and limited affiliate schemes,” Fox-IT said in its report. “It was also observed that in certain cases, the operators reacted quickly to events which could impact the botnet’s infrastructure, suggesting that the operators closely monitor their back-end infrastructure.”

The security firm believes Ponmocup operators are most likely Russian, or at least Russian speakers. This is based on the fact that the malware was initially designed to avoid infecting devices in Russia, Ukraine and Belarus, and the instructions sent by the operators to partners and affiliates are written in Russian.

Experts say it’s difficult to determine how much money cybercriminals made with the Ponmocup botnet, but they estimate that it’s a multi-million dollar business considering the level of sophistication of the malware and infrastructure.