Look What I Found: Pony is After Your Coins!

In our previous episode of "Look What I Found" we detailed our discovery of a humongous instance of a Pony botnet controller that stole credentials for approximately two million websites, social networks, e-mails and other types of accounts.

We recently discovered yet another instance of a Pony botnet controller. Not only did this Pony botnet steal credentials for approximately 700,000 accounts, it is also more advanced: it collected virtual currencies such as BitCoin (BTC), LiteCoin (LTC), FeatherCoin (FTC) and 27 others, worth approximately $220,000 at the time of writing (all values in this post are in U.S. dollars).

According to our data, the cyber gang that was operating this Pony botnet was active between September 2013 and mid-January 2014. In this ~4 month period, the botnet managed to steal over 700,000 credentials, distributed as follows:

~600,000 website login credentials stolen

~100,000 email account credentials stolen

~16,000 FTP account credentials stolen

~900 Secure Shell account credentials stolen

~800 Remote Desktop credentials stolen

We'll get back to these numbers later on in this post. To start, we want to focus on the Pony upgrade and virtual currencies.

Virtual Coins: BTC, LTC, FTC, etc.

BitCoin, for those of you who have been living under a rock, is a digital currency. We won't dwell on what it is or how it works. For more information about the idea of BitCoin and its implementation, read the original 8-page whitepaper.

For the purposes of this blog post, the one thing you need to know is that BitCoins are stored in virtual wallets, which are essentially pairs of private and public keys. Whoever holds the private key to a wallet is the owner of that wallet and no name, ID or history is associated with the wallet. Again, possession of the private key indicates ownership. This holds true for all the other digital currencies that grew from BTC and now live alongside it—the most popular alternative right now being LiteCoin.

BTC started out as an underground currency. At the beginning of 2013, the value of 1 BTC was less than $30. As more services began accepting BitCoin as a payment method, the value of the BitCoin increased. The value of a BitCoin fluctuates; as of February 24, a BitCoin is valued at approximately $600. Unfortunately, even though some people may have had more money in their virtual wallet than they did in their bank account, very few understood how to properly secure their wallets. With that in mind, cybercriminals began developing ways to steal BitCoins, each within their own field of expertise.

The most obvious choice for an attacker is to go after websites that offer various trading services. Many of these websites store virtual wallets for their users. A number of attacks on trading websites have popped up over time. One of the most famous attacks on a trading website was the Sheep Marketplace scam, because of the large amount of BTC stolen. We've also seen less popular virtual currencies being targeted. Last month we wrote about a LiteCoin heist in the amount of $230,000.

But other players in the field of cybercrime have their own methods, and for Pony—a Trojan built with the sole purpose of getting its hands on private data from infected machines—it was only natural to start going after people's virtual wallets.

The motivation for stealing wallets is obviously high: they contain money. But there are some less obvious reasons that make virtual wallets a more desirable target than their real-world equivalent:

  1. One of the core principles of this virtual currency, completely intended and emphasized by its creator, is irreversible transactions. By their very design transactions that have been made cannot be undone. Even if someone sees money being transferred from their own wallet to another (i.e., being stolen from them), there is nobody to call. No authority can reverse the transaction or freeze your account.

    However, the trade information in the BitCoin network is open and accessible to everyone. No transaction or new wallet added to the network is ever erased. This means that if a transaction is not logged and it's not there for everyone to see, the transaction never occurred. This is another core principle of BitCoin and cannot be changed. Websites like blockchain.info allow users to examine any wallet and its entire history, but the identity of the wallet's owner cannot be determined.

    Stealing BitCoins and exchanging them for another currency, even a regulated one such as U.S. dollars, is much easier than stealing money from a bank. Stealing money from bank accounts these days has become increasingly frustrating for cybercriminals. First, a cybercriminal must overcome multiple security controls, which takes time. Later, in order to maintain their distance from the crime and hide their identity, they need to hire someone else (referred to as a money mule) to transfer the stolen money to their account. Transferring money in this way becomes time-consuming and involves numerous parties (as we described in our discovery of the Zeus Trojan banker). Each additional party adds additional risk that the criminal might be found out.

    Stealing BitCoins is much simpler than that. The criminal only needs to send the coins to an account on one of the trading websites, exchange the coins for USD or any other currency they desire and then transfer it to their bank account. Processing the virtual currency through the trading website preserves the attacker's anonymity: exchanging the virtual coin for another currency on a trading website will simply show up in the block chain as a transfer to another (completely legitimate) account of the person who bought the virtual coins (or a wallet belonging to the trading site itself), and from there on there is nothing to track in the block chain. Meanwhile, the other part of the trade is done by the trading website behind the scenes: the newly purchased currency shows up as balance in your account on the trading site. Just like any user, the cybercriminal can then choose how to withdraw the money, but the connection to the original stolen coins has already been lost and any withdrawal they make will be of money from the trading site's account to their own. These transactions happen legitimately all the time and cannot be distinguished from any other user of the site withdrawing money from it. Moreover, websites specializing in similar mixing of coins now sell this money laundering as a service.

  2. Once an attacker manages to obtain the "wallet.dat" file (a file containing the private key of that wallet), he becomes as much the owner of the virtual wallet as the person who created it. Even if the person who created the wallet finds the person who took it, there is no way to really prove which one of them is the true owner. The owner can encrypt the wallet with a password that they must then enter in order to use their wallet; this helps protect their private key. If the wallet.dat file is encrypted this way, a thief still cannot obtain the private key from within it, but…

  3. Sadly, it seems that most users do not encrypt their wallets with a password.
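Since an unencrypted wallet.dat is exactly what Pony goes after, here is an added example (not from the post or from Trustwave) that audits your own Bitcoin Core wallet.dat for passphrase encryption. It relies on the record-type tags Bitcoin Core writes into the file ("key" for plaintext private keys, "ckey" and "mkey" once the wallet is encrypted); scanning the raw bytes for those tags is an assumption about the on-disk layout rather than a full Berkeley DB parse, and the sample blobs are constructed.

```python
"""Heuristic audit: is a Bitcoin Core wallet.dat passphrase-encrypted?

Bitcoin Core keeps each key in a Berkeley DB record whose key starts with a
compact-size-prefixed type string.  Plaintext private keys are written under
"key"; an encrypted wallet replaces them with "ckey" records protected by a
"mkey" master-key record.  Assumption: a byte scan for these tags is enough,
so no Berkeley DB parsing is done here.
"""
import sys

# Record-type tags as they appear in the raw bytes (1-byte length prefix).
TAG_PLAIN_KEY = b"\x03key"      # unencrypted private key record
TAG_CRYPTED_KEY = b"\x04ckey"   # private key encrypted under the master key
TAG_MASTER_KEY = b"\x04mkey"    # passphrase-derived master key record


def classify_wallet(blob: bytes) -> str:
    """Classify raw wallet.dat bytes: encrypted, plaintext, mixed or unknown."""
    has_plain = TAG_PLAIN_KEY in blob
    has_crypted = TAG_CRYPTED_KEY in blob or TAG_MASTER_KEY in blob
    if has_crypted and not has_plain:
        return "encrypted"
    if has_plain and not has_crypted:
        return "plaintext"    # private keys readable by anyone who copies the file
    if has_plain and has_crypted:
        return "mixed"        # unusual: should not happen after a clean encrypt
    return "unknown"          # no key records found; probably not a wallet.dat


def audit_file(path: str) -> str:
    """Read a wallet file from disk and return its classification."""
    with open(path, "rb") as fh:
        return classify_wallet(fh.read())


# Constructed sample blobs (not real wallets) so the check runs offline.
SAMPLE_PLAINTEXT = b"\x00" * 8 + TAG_PLAIN_KEY + b"\x21\x02" + b"\xab" * 33 + b"\x00" * 8
SAMPLE_ENCRYPTED = (b"\x00" * 8 + TAG_MASTER_KEY + b"\x01" + b"\x00" * 4
                    + TAG_CRYPTED_KEY + b"\x21\x03" + b"\xcd" * 33)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(f"{sys.argv[1]}: {audit_file(sys.argv[1])}")
    else:
        for name, blob in (("sample_plaintext", SAMPLE_PLAINTEXT),
                           ("sample_encrypted", SAMPLE_ENCRYPTED)):
            print(f"{name}: {classify_wallet(blob)}")
```

Run it with the path to your own wallet.dat as the single argument; a "plaintext" result means the file should be encrypted from the wallet software before anything else.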

This instance of Pony compromised 85 wallets, a fairly low number compared to the number of compromised credentials. Despite the small number of wallets compromised, this is one of the larger caches of BitCoin wallets stolen from end-users. It is likely that this low number simply reflects the percentage of people actually using BitCoins and storing their wallets on their local machine, which is also why this number seems to grow as BitCoins become more popular.

In the compromised wallets associated with this particular instance of Pony, and during the time since they became compromised, we found evidence of the following amounts of currencies valued at approximately $220,000 (as of February 24) being transferred into and out of the wallets:

~ 355 BitCoins

~ 280 LiteCoins

~ 33 PrimeCoins

~ 46 FeatherCoins

For all the reasons described above we don't really know what happened to these coins. We cannot call them stolen any more than we can confirm that the transfers were legitimate transactions.

Since there is no way to contact the owners of the compromised wallets, we have created a page where you can enter the public key of your wallet to see if it is on the list of compromised accounts; this page can be found here (please, DO NOT enter any private keys!).

If you're wondering which of your wallets you might need to check on or how diligent Pony is in collecting wallets, here is a list of virtual currencies that it looks for other than BitCoin itself:

This instance of Pony also searched for the two wallet apps Electrum and MultiBit.

700,000 Stolen Credentials

If you're still reading this now that you've made sure that your wallet wasn't stolen, you must be interested in the ~700,000 stolen credentials we mentioned at the beginning of the blog, so here are the statistics you've been waiting for:

Botnet Statistics

Here, from the control panel of this attack, we see the amount of data stolen during the last 24 hours of the attack:

Stolen passwords from Pony Command and Control (last 24 hours)

As you can see, the influx of credentials came to a sudden halt at 3 a.m. It seems that after approximately four months the cybercriminals decided to stop the attack, closed up shop and walked away.

The chart below presents the stolen data collected within the last month of the attack. Attackers often use campaigns, such as spam campaigns, in order to bring an influx of new bots into the botnet. The sudden increases in traffic seen in this chart likely coincide with different campaigns run by the cybercriminals to infect machines and gather more credentials:

Stolen passwords from Pony Command and Control (last month)

In the previous instance of Pony we discovered, we couldn't identify the geo-location of the infected machines because they had a proxy that was used as the drop-zone target for the bots. This time the bots interacted directly with the command-and-control server, which provided us with a little more insight into the geographical distribution of the victims:

Stolen passwords geo-location distribution

Considering the data above, it seems that Europe was the main focus of this attack. This makes sense when looking at the most popular websites for which credentials were stolen. You can see quite a few European websites in the list below:

Stolen passwords by domains

If you'd like to check your credentials, we've created a web tool that will allow you to enter your e-mail address to see whether it was included in the data cache. The tool will only send an e-mail to the address you input in order to protect the privacy of any victims. You can find the tool here.

That's it for today's episode. Keep your wallets safe!

This blog post was co-authored by Daniel Chechik and Anat (Fox) Davidi.
