Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Look What I Found: It's a Pony!

Every once in a while we get to peek into the lion's den, this time we'll be checking out a fairly large instance of the Pony botnet controller, containing a large amount of stolen credentials and other goodies.

Pony, for those of you who have not yet had the pleasure of encountering it, is a bot controller much like any other: It has a control panel, user management, logging features, a database to manage all the data and, of course, statistics. It also seems to be doing these things right, as it appears to be popping up quite a bit lately.

This Pony, version 1.9as they tend to be these days, was a particularly diligent one and within a few days hundreds of thousands of credentials were stolen from its victims:

Stolen Passwords by Day

Breakdown of StolenCredentials per Browser, E-mail Client, and Domain

You may not think it by looking at these fairly professional statistics that wouldn't put a dignified piece of software to shame, but Pony's main business still remains theft: stolen credentials for websites, email accounts, FTP accounts, anything it can get its hands on- grabbed and reported back home.

It seems only fair, then, that we judge this Pony in numbers, so here they come…

A total of nearly 650,000 website credential stolen, with the top sites being:

~90,000 credentials for Facebook accounts

~25,000 credentials for Yahoo accounts

~20,000 credentials for Google accounts

.. And many more with lower individual numbers, but still amounting to the remaining 515,000 accounts.

Next in numbers were email accounts, with 17,000 compromised.

And for the frosting on these credential cake are 7,000 stolen FTP credentials.

It's a dangerous world out there; this is a single instance of a single botnet controller showing some pretty big numbers… Watch yourselves, and keep an eye out for those random ponies running around.

Customers of Trustwave Secure Web Gateway version 11.0 with the new Trojan Detection feature are protected against such bot communication.

I would like to thank my colleague, Daniel Chechik, for his help with the research put into this blog post.