Ponmocup, never underestimate a botnet that infected 15 million PCs

Share this…

Ponmocup is one of the oldest botnet that infected more than 15 million machines across the years, but many experts still ignore it.

Ponmocup is one of the largest and oldest botnets in circulation, but many security experts still ignore it. According to the experts at Fox IT, the botnet is underestimated and infected across the years more than 15 million computers, allowing crooks to steal millions from victims’ bank accounts.

Fox IT recently published a report entitled “Ponmocup: A giant hiding in the shadows,” a document including the findings of an investigation that allowed the research to discover that the Ponmocup botnet controlled 2.4 million infections.

Lead author Maarten van Dantzig presented the findings of the study at the BotConf conference this week.

“Compared to other botnets, Ponmocup is one of the largest currently active and, with nine consecutive years, also one of the longest running [but it] is rarely noticed as the operators take care to keep it operating under the radar,” van Dantzig says. “Ponmocup’s operators are technically sophisticated, their techniques suggest a deeper than regular knowledge of the Windows operating system.”

The malware first detected in 2006, meanwhile the experts observed a peak in 2011 and now the botnet is composed of half a million machines worldwide.

Researchers believe that its authors are likely Russians that used the Ponmocup mainly as a data stealer.

Ponmocup botnet

“The operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that historically, Ponmocup would not infect systems in some post-Soviet States.” states the paper.

Although it is very difficult to estimate the exact amount of money stolen by the operators of the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now.

The botnet used a very complex infrastructure that relies on servers for dedicated tasks, over the time the authors have continuously updated it to improve robustness and avoidance abilities. The Ponmocup implements anti-analysis techniques such as heuristic checks for network and host-based analysis tools, debuggers and virtualised environments.

The researcher discovered some 25 unique plug-ins and nearly 4000 strains of the same malware, a circumstance that confirms the continuous development.