Since the source code for the Pony Botnet Controller was leaked, Trustwave's SpiderLabs has been tracking the beast with much fascination.
Interest turned to stunned surprise when the researchers uncovered a Pony Botnet server stabling over two million account credentials and passwords for Facebook, Yahoo, Google, Twitter, LinkedIn, Odnoklassniki (the second largest Russian social network site) and more.
Contrary to what some news outlets are reporting, SpiderLabs said that the victims' locations are global (not the Netherlands).
SpiderLabs explained that they could not specify a targeted country because the attacker used a proxy server based in the Netherlands to push the outflow of traffic from an NL address (making it look like there are 1,049,879 victims in the Netherlands).
The researchers wrote in Look What I Found: Moar Pony!,
(...) most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well.
This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down.
While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.
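The analytic check implied by the quoted passage, as an added example that is not part of the original article or of SpiderLabs' work: before reading a per-country tally of C2 log entries as a victim count, measure how many distinct source addresses stand behind it, and flag a country where one address carries most of the entries, since that is the footprint of a gateway or reverse proxy rather than of many victims. The log records and IP addresses below are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of (source_ip, country) pairs, shaped like what a C2
# server would record. One NL address appears 12 times: the proxy pattern.
SAMPLE_LOG = (
    [("203.0.113.7", "NL")] * 12
    + [("198.51.100.2", "NL"), ("198.51.100.9", "NL")]
    + [("192.0.2.10", "US"), ("192.0.2.11", "US"),
       ("192.0.2.12", "US"), ("192.0.2.13", "US")]
    + [("192.0.2.20", "DE"), ("192.0.2.21", "DE"), ("192.0.2.22", "DE")]
)

def victims_by_country(records):
    """Naive count: one log entry == one victim. This is the figure that
    makes the country hosting the proxy look like the target."""
    return Counter(country for _, country in records)

def distinct_hosts_by_country(records):
    """Count distinct source addresses per country instead of raw entries."""
    hosts = defaultdict(set)
    for ip, country in records:
        hosts[country].add(ip)
    return {c: len(s) for c, s in hosts.items()}

def suspected_gateways(records, share=0.5, min_entries=10):
    """Flag an address that alone accounts for at least `share` of a
    country's entries and at least `min_entries` entries. Returns
    {country: (ip, entries_from_ip, total_entries)}. Thresholds are
    illustrative assumptions, not values from the article."""
    per_country = defaultdict(Counter)
    for ip, country in records:
        per_country[country][ip] += 1
    flagged = {}
    for country, counts in per_country.items():
        total = sum(counts.values())
        ip, n = counts.most_common(1)[0]
        if n >= min_entries and n / total >= share:
            flagged[country] = (ip, n, total)
    return flagged

def corrected_victims_by_country(records):
    """Distinct hosts per country with any suspected gateway removed: the
    machines behind the gateway cannot be attributed to that country."""
    gateways = suspected_gateways(records)
    return {c: n - (1 if c in gateways else 0)
            for c, n in distinct_hosts_by_country(records).items()}

if __name__ == "__main__":
    print("raw entries:   ", dict(victims_by_country(SAMPLE_LOG)))
    print("distinct hosts:", distinct_hosts_by_country(SAMPLE_LOG))
    print("gateways:      ", suspected_gateways(SAMPLE_LOG))
    print("corrected:     ", corrected_victims_by_country(SAMPLE_LOG))
```

On the constructed log the raw count puts 14 "victims" in NL, while the corrected view shows two NL hosts plus one gateway whose 12 entries cannot be placed in any country.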
The ninth top domain from which passwords were stolen was Automatic Data Processing, Inc. (ADP), which is one of the largest providers of payroll services to most Fortune 500 businesses and at least 620,000 business organizations worldwide.
In Look What I Found: It's a Pony! SpiderLabs explained,
Pony’s main business still remains theft: stolen credentials for websites, email accounts, FTP accounts, anything it can get its hands on - grabbed and reported back home.
The researchers describe the Pony Botnet Controller as "a particularly diligent" botnet controller, that steals hundreds of thousands of credentials from its victims "within a few days" of infection.
In their initial June 30 Pony Botnet discovery, SpiderLabs found 650,000 stolen website credentials, including approximately 90,000 Facebook accounts, 25,000 Yahoo accounts and 20,000 credentials for Google accounts.
SpiderLabs wrote that this week's Pony Botnet Controller discovery was not a hit-and-run, as previously encountered, but instead a steady and ongoing 'revenue' delivery system. The haul broke down as follows:
~1,580,000 website login credentials stolen
~320,000 email account credentials stolen
~41,000 FTP account credentials stolen
~3,000 Remote Desktop credentials stolen
~3,000 Secure Shell account credentials stolen
Pony Botnet is a very powerful type of spy/keylogger malware with - as you can surmise - some pretty dangerous features. It captures a user's sensitive data from all kinds of applications.
Notably, the trojan recognizes Chrome, Firefox, Opera, Internet Explorer, CyberDuck (and a huge range of FTP applications), Dreamweaver, Windows Mail, Outlook, Rockmelt, and more.
Fun fact: The Pony Botnet Controller's icon is not any of the My Little Pony characters, as some might have assumed - instead it's the Candy Corn Foal from Zynga's Facebook game Farmville.