Categories: Breaking NewsCyber CrimeMalware

Ponmocup, never underestimate a botnet that infected 15 million PCs

Ponmocup is one of the oldest botnet that infected more than 15 million machines across the years, but many experts still ignore it.

Ponmocup is one of the largest and oldest botnets in circulation, but many security experts still ignore it. According to the experts at Fox IT, the botnet is underestimated and infected across the years more than 15 million computers, allowing crooks to steal millions from victims’ bank accounts.

Fox IT recently published a report entitled “Ponmocup: A giant hiding in the shadows,” a document including the findings of an investigation that allowed the research to discover that the Ponmocup botnet controlled 2.4 million infections.

Lead author Maarten van Dantzig presented the findings of the study at the BotConf conference this week.

“Compared to other botnets, Ponmocup is one of the largest currently active and, with nine consecutive years, also one of the longest running [but it] is rarely noticed as the operators take care to keep it operating under the radar,” van Dantzig says. “Ponmocup’s operators are technically sophisticated, their techniques suggest a deeper than regular knowledge of the Windows operating system.”

The malware first detected in 2006, meanwhile the experts observed a peak in 2011 and now the botnet is composed of half a million machines worldwide.

Researchers believe that its authors are likely Russians that used the Ponmocup mainly as a data stealer.

“The operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that historically, Ponmocup would not infect systems in some post-Soviet States.” states the paper.

Although it is very difficult to estimate the exact amount of money stolen by the operators of the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now.

The botnet used a very complex infrastructure that relies on servers for dedicated tasks, over the time the authors have continuously updated it to improve robustness and avoidance abilities. The Ponmocup implements anti-analysis techniques such as heuristic checks for network and host-based analysis tools, debuggers and virtualised environments.

The researcher discovered some 25 unique plug-ins and nearly 4000 strains of the same malware, a circumstance that confirms the continuous development.

Enjoy the report!

Pierluigi Paganini

(Security Affairs – Ponmocup botnet, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.