Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Look What I Found: It's a Pony!

Every once in a while we get to peek into the lion's den,this time we'll be checking out a fairly large instance of the Pony botnetcontroller, containing a large amount ofstolen credentials and other goodies.

Pony, for those of you who have not yet had the pleasure ofencountering it, is a bot controller much like any other: It has a controlpanel, user management, logging features, a database to manage all the dataand, of course, statistics. It alsoseems to be doing these things right, as it appears to be popping up quite abit lately.

This Pony, version 1.9as they tend to be these days, was a particularly diligent one and within a fewdays hundreds of thousands of credentials were stolen from its victims:

Stolen Passwords by Day

Breakdown of StolenCredentials per Browser, E-mail Client, and Domain

You may not think it by looking at these fairly professionalstatistics that wouldn't put a dignified piece of software to shame, but Pony'smain business still remains theft: stolen credentials for websites, emailaccounts, FTP accounts, anything it can get its hands on- grabbed and reportedback home.

It seems only fair, then, that we judge this Pony in numbers, sohere they come…

A total of nearly 650,000 website credential stolen, withthe top sites being:

~90,000 credentials for Facebook accounts

~25,000 credentials for Yahoo accounts

~20,000 credentials for Google accounts

.. And many more with lower individual numbers, but stillamounting to the remaining 515,000 accounts.

Next in numbers were email accounts, with 17,000compromised.

And for the frosting on these credential cake are 7,000stolen FTP credentials.

It's a dangerous world out there; this is a single instanceof a single botnet controller showing some pretty big numbers… Watchyourselves, and keep an eye out for those random pwnies running around.

Customers of Trustwave Secure Web Gateway version 11.0 withthe new Trojan Detection feature are protected against such bot communication.

I would like to thank my colleague, Daniel Chechik, forhis help with the research put into this blog post.