Difference between revisions of "Ponmocup analysis"
m (1 revision imported)

Old revision (from line 1):
{{Publication
|Year=2012
|Abstract=Why is this malware known under so many different names? (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
Why aren't AV companies connecting the dots?
(unchanged lines omitted)
HKLM\SOFTWARE\[pseudo-random-key]
which seems to be consistent amongst systems with a certain trait (maybe same company, domain or similar).
|Keyword=,
|Page=
|Keyword=,
}}

New revision (from line 1):
{{Publication
|Botnet=Ponmocup,
|Malware=,
|CCProtocol=,
|Operation=,
|Year=2012
|Link=http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
|Author=Tom U,
|Abstract=Why is this malware known under so many different names? (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
Why aren't AV companies connecting the dots?
(unchanged lines omitted)
HKLM\SOFTWARE\[pseudo-random-key]
which seems to be consistent amongst systems with a certain trait (maybe same company, domain or similar).
|Document=
|Licence=
|Video=
|NomRevue=
|ISBN=
}}
Latest revision as of 21:07, 31 July 2015
Ponmocup analysis

Field | Value
---|---
Botnet | Ponmocup
Malware |
Botnet/malware group |
Exploit kits |
Services |
Feature |
Distribution vector |
Target |
Origin |
Campaign |
Operation/Working group |
Vulnerability |
CCProtocol |
Date | 2012
Editor/Conference |
Link | http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html (Archive copy)
Author | Tom U
Type |
Abstract
Why is this malware known under so many different names? (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
Why aren't AV companies connecting the dots?
Using one common indicator, the existence or creation of a registry key, namely HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 and/or HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6, I've been finding malware analysis reports from different AVs and online malware analysis sites.
Another indicator is the existence of a pseudo-random registry key under HKLM\SOFTWARE\[pseudo-random-key], which seems to be consistent amongst systems with a certain trait (maybe same company, domain or similar).
Bibtex

@misc{2012BFR1057,
  editor = {},
  author = {Tom U},
  title = {Ponmocup analysis},
  date = {01},
  month = May,
  year = {2012},
  howpublished = {\url{http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html}},
}