Ponmocup analysis
Jump to navigation
Jump to search
(Publication) Google search: [1]
| Ponmocup analysis | |
|---|---|
| Botnet | Ponmocup |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / |
| Editor/Conference | |
| Link | http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-analysis 2012-02-18.html (Archive copy) |
| Author | Tom U |
| Type | |
Abstract
“ Why is this malware known under so many different names? (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
Why aren't AV companies connecting the dots?
Using one common indicator, the existence or creation of a registry key, namely HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 and/or HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 I've been finding malware analysis reports from different AV's and online malware analysis sites.
Another indicator is the existence of a pseudo-random registry key under HKLM\SOFTWARE\[pseudo-random-key] which seems to be consistent amongst systems with a certain trait (maybe same company, domain or similar).
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1057,
editor = {},
author = {Tom U},
title = {Ponmocup analysis},
date = {09},
month = May,
year = {2012},
howpublished = {\url{http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html}},
}