In our last episode of "Look What I Found" we talked about a fairly large instance of the Pony Botnet Controller. With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9. One of the latest instances we've run into is larger than the last with stolen credentials for approximatelytwo million compromised accounts.
With so much data in our hands, we thought it would be interesting to look into some statistics regarding this particular attack.
We'll start off with the final numbers, and then break it down:
~1,580,000 website login credentials stolen
~320,000 email account credentials stolen
~41,000 FTP account credentials stolen
~3,000 Remote Desktop credentials stolen
~3,000 Secure Shell account credentials stolen
Below are some statistics brought to us directly from the control panel:
Stolen Passwords by Day
In comparison to the last instance of Pony that we talked about, with statistics that looked like a hit-and-run operation, this one spiked at the beginning but was otherwise fairly stable and consistent in its daily "revenue".
Looking at the domains from which passwords were stolen:
As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc.
You can also spot the notable presence of vk.com and odnoklassniki.ru, two social network websites aimed at Russian-speaking audiences, which probably indicates that a decent portion of the victims comprised were Russian speakers. Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions.
A quick glance at the geo-location statistics above would make one think that this attack was a targeted attack on the Netherlands. Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well. This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down. While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.
Looking at the very bottom of image, we can see that there are 92 more countries that are not shown on the list above, indicating that the attack is fairly global and that at least some of the victims are scattered all over the world.
Since we couldn't think of anything to do with two million credentials for popular websites, social media, and email accounts; we decided to make some use of the quantity to look into users' password selection habits.
Unfortunately, the most commonly used passwords were far from what your CISO would like to see, here's a small taste:
And it all goes downhill from there. We looked at the length and complexity of the passwords to get a better idea about the rest of the passwords, and here's what we found:
The X axis above describes the different types of characters: uppercase letters, lowercase letters, numbers and special characters. One Type means that only one type of character was used (e.g. "1234"), 2 Types refers to a password with two different types of characters (e.g. "abc123") and so on.
We also divided all the passwords into groups by password lengths.
Since both the length and type of characters in a password make up its ultimate complexity, we grouped those two characteristics to get an overall impression of how strong the passwords are:
In our analysis, passwords that use all four character types and are longer than 8 characters are considered "Excellent", whereas passwords with four or less characters of only one type are considered "Terrible". Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category.
Party like it's 2006
How does this data compare to a similar analysis from, say…seven years ago?
We decided to draw a quick comparison of the results to an analysis performed on leaked myspace accounts in 2006.
Back in 2006 the top ten most common passwords comprised only 0.9% of the total count. Today, in 2013, they add up to 2.4%. This could be a result of myspace having a minimum complexity policy, while in our data we have various domains with differing password complexity requirements. If our hypothesis is true, then the inevitable conclusion is that people still choose comfort over security. If you don't enforce a password policy, don't expect your users to do it for you.
We also compared the length of passwords in this recent compromise to the myspace leak. In 2006 about 1.9% of passwords were just five characters or smaller. Today this number tripled itself to 6.6%, but the majority of passwords were, and still remain, within the six-to-nine-character range.
But not all hope is lost, it seems that more people are willing to go the extra mile and set a long password (if not a complex one – see image below). Back in 2006 only 17% had a password of 10 characters or longer. In 2013 we see an impressive ascent to 46%!
Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)
That's the end of today's episode of the "Look What I Found" series. Hopefully these ponies will stop popping up so much. And remember kids, some ponies turn out to be evil Trojan horses.
This blog post was co-authored by Daniel Chechik and Anat (Fox) Davidi.
We would like to thank Garret Picchioni for his help with the password analysis work.
Information discussed in this blog post was also disclosed to relevant parties.
***UPDATE 12/06/2013 11:20 a.m. CST
We're getting a number of requests regarding the data set. At this time Trustwave has not released nor will it release a complete set of the discovered data. Stay tuned for a post later today that will discuss what we will release and to whom. Any claim that any related information has been posted on Pastebin is false.