Not just a one-trick PonyDOS

From Botnets.fr


Malware: PonyDOS
Date: 2012
Editor/Conference: Arbor SERT
Link: http://ddos.arbornetworks.com/uploads/2012/03/PonyDOS.pdf (arbornetworks.com, pdf)
Author: Jeff Edwards

Abstract

This article is the third installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families. In previous articles we covered the reversing of the Armageddon and Khan DDoS bots; today we will cover a new malware family that we are calling Trojan.PonyDOS. This malware family started showing up on our radar screens late in 2011. Based on a static analysis of the malware, it seems that the PonyDOS bot is yet another example of a bot that is exclusively focused on launching DDoS attacks against victim websites. It uses a relatively complicated encryption mechanism to secure its communications, which we will unravel in this article. As we will describe below, PonyDOS has quite a few tricks up its sleeve that are designed to make its comms resistant to casual attempts at breaking.

PonyDOS gets its name from the string PNYDOS00 that is embedded within the bot binaries; as we will soon see, the bot includes this identifying string in the "phone home" messages it sends to its command & control (C&C) server. In addition, some of the samples also like to install themselves into sub-directories named pny within the infected user's Application Data directory (for example, as the file C:\Documents and Settings\$USERNAME\Application Data\pny\pnd.exe).

Reversing the PonyDOS Cryptosystem

The PonyDOS sample upon which we will focus in this article is lean and mean: only 21,504 bytes in size, with an MD5 hash of 5868d32c272300f31da4ddc04e701587. It currently has a VirusTotal detection rate of zero. PonyDOS is written in straight C, so the disassembly is very easy to follow. This is a refreshing change from the layer upon layer of Delphi-generated instructions through which we often must wade when reversing modern DDoS bots.

Bibtex

 @misc{2012BFR925,
   editor = {Arbor SERT},
   author = {Jeff Edwards},
   title = {Not just a one-trick PonyDOS},
   date = {27},
   month = Apr,
   year = {2012},
   howpublished = {\url{http://ddos.arbornetworks.com/uploads/2012/03/PonyDOS.pdf}},
 }