Uncovering ‘PONY malware’

The malware has been hitting the news lately by stealing 2 Million Accounts passwords from Facebook, Twitter, Google, ADP. “The Pony malware is used to steal information: stolen credentials for websites, email accounts, FTP accounts, [and] anything it can get its hands on. In this case, attackers planted the malware on users’ machines around the world and were able to steal credentials for websites such as Facebook, Twitter, Yahoo, and even the payroll provider ADP,” says John Miller, security research manager at Trustwave. (trustwave.com, 2013).The malware has been around since beginning of this year – Jan 2013 (laboratoriomalware.blogspot.com, 2013).

PONY operates rates as a botnet controller. A Bot-net is a collection of interconnected computers (zombies) communicating with other infected computers in order to perform malicious attacks and controlled remotely.

How your computer gets infected.

Zombies / infected computers are brought on board into a botnet when they execute malicious software (payload). The payload is delivered by luring users into making;

a) Drive-by download

b) Exploiting web browser vulnerabilities

c) Tricking the user into running a Trojan horse program, this may come from an email attachment.

The malware will typically install components that allow the computer to be commanded and controlled by the controller. Depending on how it was coded, a Trojan may then delete itself, or may remain present to update and maintain the modules.

How PONY Works

Pony is a bot controller with a control panel, user management, logging features, a database to manage all the data and, of course, statistics. “The Pony Control panel is identified by the logo of this animal that appears in the famous Facebook game “Farmville””, (laboratoriomalware.blogspot.com, 2013).

Courtesy of aboratoriomalware.blogspot.com, 2013

When the Malware is delivered it starts sending usernames and passwords to PONY control center. This is by using two methods;

  • Scanning through stored passwords in a user’s browsers, email clients and other software;
  • Monitoring web traffic to identify when a user is logging into a website and then attempts to steal the password.


What Pony Captures

Pony Trojan is configured to capture all kinds of confidential information and access passwords for the following applications:

“Passwords for FTP and SSH servers. The Trojan is able to recognize almost all FTP & SSH applications both commercial and opensource and extract its credentials:

System Info , FAR Manager , Total Commander , WS_FTP , CuteFTP , FlashFXP , FileZilla , FTP commander , BulletProof FTP , SmartFTP , TurboFTP , FFFTP , CoffeeCup FTP / Sitemapper , CoreFTP , FTP Explorer , Frigate3 FTP , SecureFX , UltraFXP , FTPRush , WebSitePublisher , BitKinex , ExpanDrive , ClassicFTP , Fling , SoftX , Directory Opus , FreeFTP / DirectFTP , LeapFTP , WinSCP , 32bit FTP , NetDrive , WebDrive , FTP Control , Opera , WiseFTP , FTP Voyager , Firefox , FireFTP , SeaMonkey , Flock , Mozilla , LeechFTP , Odin Secure FTP Expert , WinFTP , FTP Surfer , FTPGetter , ALFTP , Internet Explorer , Dreamweaver , DeluxeFTP , Google Chrome , Chromium / SRWare Iron , ChromePlus , Bromium (Yandex Chrome) , Nichrome , Comodo Dragon , RockMelt , K-Meleon , Epic , Staff-FTP , AceFTP , Global Downloader , FreshFTP , BlazeFTP , NETFile , GoFTP , 3D-FTP , Easy FTP , Xftp , FTP Now , Robo-FTP , LinasFTP , Cyberduck , Putty , Notepad++ , CoffeeCup Visual Site Designer , FTPShell , FTPInfo , NexusFile , FastStone Browser , CoolNovo , WinZip , Yandex.Internet , MyFTP , sherrod FTP , NovaFTP , Windows Mail , Windows Live Mail , Becky! , Pocomail , IncrediMail , The Bat! , Outlook , Thunderbird , FastTrack .” (laboratoriomalware.blogspot.com, 2013).

Hoe to Detect PONY

Most of the virus signatures have been updated to detect the malware. More emphasis now is to stop spreading of the malware by applying below mitigation techniques.


Mitigation Strategy

Below are strategies you can implement to deter PONY from your network, as I always say this is not the cure, you are never secure when using technology.

1. Ensure computer OS are patched and up to date;

2. Don’t open unknown email attachments; Ensure that all attachments are scanned if you did not expect any email attachments, don’t open);

3. Use complex unique passwords consisting of capital letters, numeric, special characters and symbols. Example don’t use 654321 or pass123 as password, use pass phrases easy to remember like “myD0g1sL0ud”;

4. Don’t click or click URL from pop ups and email;

5. Install reputable antivirus solution and ensure it is updated frequently;

6. Train and evangelize on information security (PONY);

7. Don’t use one password to access organizational and internet accounts, instead, Use different passwords for each account.


a) Trustwave 2013, Pony Malware Payload. Retrieved 11th December, 2013, from https://www.trustwave.com/trustednews/2013/12/two_million_stolen_passwords_how_to_protect_yourself#sthash.piH6ZGoZ.dpuf

b) LABORATORIO MALWARE 2013,BOTNET PONY 1.9 Malware. Retrieved 11th December, 2013, from http://laboratoriomalware.blogspot.com/2013/01/botnet-pony-19-malware.html

c) Fox News 2013, How to protect yourself: 2 million Facebook, Google accounts compromised. Retrieved 11th December, 2013, from http://www.foxnews.com/tech/2013/12/05/passwords-guidelines-for-protecting-internet/


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s