Last month the Pony Botnet became a household name when it was revealed that it had stolen more than two million social networking account passwords. This rather eye-catching headline is a side effect of the data that the botnet actually steals, which includes stored passwords, cache, and cookies from the following applications:
| Chrome | Cyberduck | LeechFTP | |||
| Firefox | Epic | LinasFTP | |||
| Internet Explorer | ExpanDrive | Martin Prikryl | |||
| Opera | FFFTP | NCH Software | |||
| Windows Live Mail | FileZilla | NetSarang | |||
| BatMail | FlashFXP | Nichrome | |||
| BlazeFtp | Fling | NovaFTP | |||
| Bromium | FTP Explorer | Pocomail | |||
| BulletProof FTP | FTPClient | PuTTY | |||
| Chromium | FTPHost | Robo-FTP 3.7 | |||
| ClassicFTP | FTPRush | RockMelt | |||
| Comodo | FTPVoyager | SFTP | |||
| Cryer | Ghisler | Thunderbird | |||
| CuteFTP 6, 7, 8 | Global Downloader | VanDyke | |||
| CuteFTP Lite | K-Meleon | Visicom Media | |||
| CuteFTP Pro | LeapFTP | ||||
McAfee offers detection for Pony Botnet as Backdoor-FJW. This malware did not change much between May and November 2013, aside from the common tricks of malware authors to use custom packers to obfuscate their code from analysis. During a recent analysis of this threat, however, we have discovered a variant of the botnet that has added a small trick to its repertoire.
Once we removed the malware from its obfuscated shell we were able to see two small but important additions to the strings we would normally see in a pony botnet sample.
The preceding image shows the strings “wallet.dat” and “\Bitcoin” have been appended to the list of strings that we commonly see associated with this threat.Bitcoin has been in the news during the past year for its rising popularity, value, and the attention it has attracted from the cybercrime community. However, this is the first malware we have analyzed that seeks wallet.dat for exfiltration from a system. A close look at the functions used to accomplish this reveals that they work in much the same way that the malware has always stolen FTP credentials and server information.Using hardcoded strings and file names, the malware locates specific installed software from the list above in the registry and then extracts data from the data files known to coincide with that software.
The malware operates in similar fashion here:
There are two important takeaways from this analysis. The first is that encrypting your important information (Bitcoin wallet, confidential data, login information, etc.) cannot be overlooked. Simply having an encrypted Bitcoin wallet would render this new module useless for the malware authors. The second is that storing passwords or credentials in browsers or other software that you use to connect to any remote host is a bad idea. The threat landscape is constantly evolving: Even threats that have seemingly run their course pop up again with new tricks to meet their monetary goals.