Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Look What I Found: Moar Pony!

In our last episode of "Look What I Found" we talked about a fairly large instance of the Pony Botnet Controller. With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9. One of the latest instances we've run into is larger than the last with stolen credentials for approximately two million compromised accounts.

With so much data in our hands, we thought it would be interesting to look into some statistics regarding this particular attack.

We'll start off with the final numbers, and then break it down:

~1,580,000 website login credentials stolen

~320,000 email account credentials stolen

~41,000 FTP account credentials stolen

~3,000 Remote Desktop credentials stolen

~3,000 Secure Shell account credentials stolen

General Information

Below are some statistics brought to us directly from the control panel:

BSL_12428_e98f3fce-34ed-4b25-b4b4-dc76ec86a880
Stolen Passwords by Day

In comparison to the last instance of Pony that we talked about, with statistics that looked like a hit-and-run operation, this one spiked at the beginning but was otherwise fairly stable and consistent in its daily "revenue".

Looking at the domains from which passwords were stolen:

BSL_8446_296c1218-1969-401b-b1d2-98861e2145db

As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc.

You can also spot the notable presence of vk.com and odnoklassniki.ru, two social network websites aimed at Russian-speaking audiences, which probably indicates that a decent portion of the victims comprised were Russian speakers. Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions.

Geo-Location Statistics

8829_3c362df4-7d95-4006-8467-80ac69be34ee

A quick glance at the geo-location statistics above would make one think that this attack was a targeted attack on the Netherlands. Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well. This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down. While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.

Looking at the very bottom of image, we can see that there are 92 more countries that are not shown on the list above, indicating that the attack is fairly global and that at least some of the victims are scattered all over the world.

~2,000,000 Passwords

Since we couldn't think of anything to do with two million credentials for popular websites, social media, and email accounts; we decided to make some use of the quantity to look into users' password selection habits.

Unfortunately, the most commonly used passwords were far from what your CISO would like to see, here's a small taste:

BSL_12585_f00e35d5-50f2-4678-91e5-932d63b35628

And it all goes downhill from there. We looked at the length and complexity of the passwords to get a better idea about the rest of the passwords, and here's what we found:

BSL_8620_32588bc8-4116-4e1c-a392-24561a071010

The X axis above describes the different types of characters: uppercase letters, lowercase letters, numbers and special characters. One Type means that only one type of character was used (e.g. "1234"), 2 Types refers to a password with two different types of characters (e.g. "abc123") and so on.

We also divided all the passwords into groups by password lengths.

Since both the length and type of characters in a password make up its ultimate complexity, we grouped those two characteristics to get an overall impression of how strong the passwords are:

10082_7a4a9422-a6cc-4fab-9daa-b96e1e25dff1

In our analysis, passwords that use all four character types and are longer than 8 characters are considered "Excellent", whereas passwords with four or less characters of only one type are considered "Terrible". Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category.

Party like it's 2006

How does this data compare to a similar analysis from, say…seven years ago?

We decided to draw a quick comparison of the results to an analysis performed on leaked myspace accounts in 2006.

Back in 2006 the top ten most common passwords comprised only 0.9% of the total count. Today, in 2013, they add up to 2.4%. This could be a result of myspace having a minimum complexity policy, while in our data we have various domains with differing password complexity requirements. If our hypothesis is true, then the inevitable conclusion is that people still choose comfort over security. If you don't enforce a password policy, don't expect your users to do it for you.

We also compared the length of passwords in this recent compromise to the myspace leak. In 2006 about 1.9% of passwords were just five characters or smaller. Today this number tripled itself to 6.6%, but the majority of passwords were, and still remain, within the six-to-nine-character range.

But not all hope is lost, it seems that more people are willing to go the extra mile and set a long password (if not a complex one – see image below). Back in 2006 only 17% had a password of 10 characters or longer. In 2013 we see an impressive ascent to 46%!

BSL_12223_e031b4d7-1407-4abf-a02f-bf4a1735fed5

Image courtesy of xkcd.com (http://imgs.xkcd.com/comics/password_strength.png)

That's the end of today's episode of the "Look What I Found" series. Hopefully these ponies will stop popping up so much. And remember kids, some ponies turn out to be evil Trojan horses.

This blog post was co-authored by Daniel Chechik and Anat (Fox) Davidi.

We would like to thank Garret Picchioni for his help with the password analysis work.

Information discussed in this blog post was also disclosed to relevant parties.

***UPDATE 12/06/2013 11:20 a.m. CST

We're getting a number of requests regarding the data set. At this time Trustwave has not released nor will it release a complete set of the discovered data. Stay tuned for a post later today that will discuss what we will release and to whom. Any claim that any related information has been posted on Pastebin is false.

***

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More