Two million stolen Facebook, Twitter, Yahoo, ADP passwords found on Pony Botnet server

Summary: Trustwave's SpiderLabs found a Pony Botnet Controller server holding over two million passwords and account credentials for ADP payroll, Facebook, Twitter, Yahoo and more belonging to victims around the world.


Since the source code for the Pony Botnet Controller was leaked, Trustwave's SpiderLabs has been tracking the beast with much fascination.

Interest turned to stunned surprise when the researchers uncovered a Pony Botnet server stabling over two million account credentials and passwords for Facebook, Yahoo, Google, Twitter, LinkedIn, Odnoklassniki (the second largest Russian social network site) and more.

Contrary to what some news outlets are reporting, SpiderLabs said that the victims are located around the globe (not just in the Netherlands).

SpiderLabs explained that they could not specify a targeted country because the attacker used a proxy server based in the Netherlands to push the outflow of traffic from an NL address (making it look like there are 1,049,879 victims in the Netherlands).

The researchers wrote in Look What I Found: Moar Pony!,

(...) most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well.

This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down. 

While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.
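The effect SpiderLabs describes can be shown on a small scale. The following is an added example, not code from the article or from SpiderLabs: it flags any single source address that accounts for an outsized share of records and recomputes the per-country tally without it. The records, thresholds and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: (source IP as logged by the controller, GeoIP country).
# Addresses come from documentation ranges, not from the SpiderLabs data.
RECORDS = (
    [("192.0.2.10", "NL")] * 40            # one address reporting many victims
    + [("198.51.100.7", "NL"), ("198.51.100.8", "NL")]
    + [("203.0.113.5", "DE"), ("203.0.113.6", "DE"), ("203.0.113.9", "US")]
)

def find_gateways(records, min_share=0.5, min_count=10):
    """Return source IPs that carry an outsized share of all records.

    A single address behind most entries is more likely a proxy or
    gateway than a victim, so its GeoIP country says nothing about
    where the infected machines are. Thresholds are assumptions.
    """
    per_ip = Counter(ip for ip, _ in records)
    total = len(records)
    return {ip for ip, n in per_ip.items()
            if n >= min_count and n / total >= min_share}

def country_tally(records, gateways=frozenset()):
    """Count records per country; gateway traffic is marked unknown."""
    tally = Counter()
    for ip, country in records:
        key = "unknown (behind proxy)" if ip in gateways else country
        tally[key] += 1
    return tally

def report(records):
    """Return the suspected gateways with naive and adjusted tallies."""
    gateways = find_gateways(records)
    return {
        "gateways": gateways,
        "naive": country_tally(records),
        "adjusted": country_tally(records, gateways),
    }

if __name__ == "__main__":
    result = report(RECORDS)
    print("suspected gateways:", sorted(result["gateways"]))
    print("naive tally:   ", dict(result["naive"]))
    print("adjusted tally:", dict(result["adjusted"]))
```
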

The ninth top domain from which passwords were stolen was Automatic Data Processing, Inc. (ADP), which is one of the largest providers of payroll services to most Fortune 500 businesses and at least 620,000 business organizations worldwide.

In Look What I Found: It's a Pony! SpiderLabs explained,

Pony’s main business still remains theft: stolen credentials for websites, email accounts, FTP accounts, anything it can get its hands on- grabbed and reported back home.

The researchers describe the Pony Botnet Controller as "a particularly diligent" botnet controller that steals hundreds of thousands of credentials from its victims "within a few days" of infection.

In their initial June 30 Pony Botnet discovery, SpiderLabs found 650,000 stolen website credentials, approximating 90,000 Facebook accounts, 25,000 Yahoo accounts and 20,000 credentials for Google accounts.

SpiderLabs wrote that this week's Pony Botnet Controller discovery was not a hit-and-run, as previously encountered, but instead was a steady and ongoing 'revenue' delivery system.

SpiderLabs tallied:

~1,580,000 website login credentials stolen

~320,000 email account credentials stolen 

~41,000 FTP account credentials stolen

~3,000 Remote Desktop credentials stolen

~3,000 Secure Shell account credentials stolen

Pony Botnet is a very powerful type of spy/keylogger malware with - as you can surmise - some pretty dangerous features. It captures a user's sensitive data from all kinds of applications.

Notably, the trojan recognizes Chrome, Firefox, Opera, Internet Explorer, CyberDuck (and a huge range of FTP applications), Dreamweaver, Windows Mail, Outlook, Rockmelt, and more.

Fun fact: The Pony Botnet Controller's icon is not any of the My Little Pony characters, as some might have assumed - instead it's the Candy Corn Foal from Zynga's Facebook game Farmville.

Topics: Security, Malware, Servers

  • Passwords, alone, are not enough

    This is just another good case for the need to use multi-factor authentication on everything...
  • It's all about market share.

    After all, how many people use Linux?

    It's exactly the same reason why Apple claims that their OSX and iOS are virus free -- there aren't enough OSX computers with valuable information for it to be worth targeting them, and, well, nothing valuable is ever stored on an iOS machine.
    Jacob VanWagoner
    • let's see

      In all of those projections as to what would happen if GNU Linux or FreeBSD were preinstalled on 90% of sold PCs, one seems to never get out of that bloody "Windows mentality".
      The article is not very clear how the credentials were stolen, yet, this beaten and now impudent argument of "market share" is ridiculous. GNU Linux or any flavor of *BSD do not in principle need any kind of the afterthought protection. They have it in the design of the OS already. The file permissions and secure repositories are main ingredient of it. They also have various MAC systems for extra hardening stuff. MS Windows never had any of that or has it implemented in a very poor or barely practical way.
      Android is a little different animal. Nobody has ever heard of any click-on-link, insert-usb, RPC infection on any Android system. Yet getting a trojan is possible, however, there is a very good and thought-out protection: the separation of applications (sandboxing) and transparent permissions, plus Google Play filtering. Again, none of that was ever available on MS Windows.
      • You're clueless about this subject.

    • Did I miss something?

      I don't get what you are saying here - or how it relates to the post. Could you illuminate?
    • Lies

      First, Apple no longer claims any virus free systems.
      Second, due to the fact that OSx is now very virus ridden
      Lastly, pray you don't get a virus on OSx, because Apple won't help you. Dell will, go figure...
    • Your assumption is ridiculously false.

      Fortune 500 uses Linux; that alone is ample incentive. Trillions of incentives: $824.5 billion in earnings alone in 2011. It's not as simple as you think.
  • Security

    Facebook is doing far too little in regard to the security of its users, and I have my experience with that company. I was hacked by criminals and have sent several requests for immediate help, because I got blackmailed. There was no reaction or even a reply from "Facebook".
    Facebook is not a serious company and the service they are going to offer is nothing exciting.
    • how did it happen?

      How did you get hacked? I don't care about facebook, but maybe it's your own fault that this has happened? Or you might need to change the operating system to GNU Linux that cares much more about your security than MS Windows does, check out Linux Mint. It's free as in both beer and freedom.
      • You cry the cry of the desperate again, eulampius

        "Or you might need to change the operating system to GNU Linux that cares much more about your security than MS Windows does"

        Which is why so many hacked Linux based internet servers are running this botnet (as you said Linux runs the internet), because they care soooooo much about your security. ;)

        Quit flip-flopping.
        • hey, Wilkie

          howdy there. Here you go again. Let me tell you this. Most if not every hacked Linux web server is a result of using Windows in some way, yes, don't connect to our server through ssh out of Windows you can be compromised.
          You ask me for evidence, I'll wait for any trustworthy statistics on compromised websites before coming back to you.
  • Pfft

    Those that assumed that icon was from MLP obviously have never seen the show or merchandise, it looks nothing like it.
    Alucai Vivorvel
  • But How

    My question: how does such a Pony botnet get on one's system in the first place?
    • My question exactly...

      That's exactly what my question was going to be.
    • it hops,

      possibly with all four of its tiny hooves. ;)
    • you make a blue like

      click on an attachment in an eMail, or download something from an infected website.
  • Do "password vaults" provide true protection against key loggers?

    The article says Pony has sophisticated key logging. So, I'm wondering about the various commercial and freeware password vaults and whether they provide true protection.
    • There is no such thing as true protection

      Like a common house key or padlock key, the password to a password vault could be stolen via a keylogger or other basic means - thus giving access to all the accounts and passwords within.

      Convenience vs Security!
  • Anybody post the list of accounts?

    SpiderLabs has not yet posted the list of accounts that have been compromised. (AFAIK)

    I hope someone puts it out so those people can find out and get things buttoned up.

    Hopefully Violet or someone else at ZDNet will update if the list gets published.
  • Would love to search that database to see if any of my passwords are listed

    Like JJMach, I'd like to see if any of my passwords are in the list.