Wednesday, June 12, 2013

A brief analysis of Pony/PWS (Zeus variant)

Hello again! This time around I wanted to do a brief analysis on the Pony/PWS malware. (Note: Originally I had indicated that this was a variant of Trojan.Fareit. @MalwareMustDie noted that my analysis was incorrect and I have updated the post title accordingly. This is a variant of Zeus.) When I have some more time I'll probably revisit this malware and do something more in-depth, but for now I wanted to provide some basic info on it.

The sample that I'm working with is very widely detected on VT, seen here: https://www.virustotal.com/en/file/ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3/analysis/1371039514/ - 42/47 detection rate. Too bad all malware doesn't have this kind of detection rate, eh? Anyway... onward!

The particular Pony sample I'm working with has also been recognized as the SecureMail trojan and Trojan.Fareit. This malware is extremely common and is designed to steal credentials from the user. I don't have much on the initial infection vector at this time, but I've seen a variety of URL patterns, so this isn't necessarily that easy to nail down.

The malicious exe itself attempts to disguise itself as a PDF by using a PDF icon. Note that the .exe extension is still present, seen here:



Here's some basic information about the file:
   * File name: c:\users\admin\desktop\bsa analysis\securemail.exe
   * File length: 137728 bytes
   * File signature (PEiD): UPolyX v0.5 *
   * File signature (Exeinfo): *** Unknown EXE   Std Compiler section , maybe new MS C++ compiler
   * File type: EXE
   * TLS hooks: NO
   * File entropy: 7.15001 (89.3752%)
   * ssdeep signature: 3072:FtFcsE3Pa5AMcBzPEWY9ZTiJcMUd/iFH:F0sE3ede0ZTi/
   * MD5 hash: 6870fd8fd2b2bedd83e218d9e7e4de8b
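The entropy line above is worth a closer look, since it is the quickest triage signal in that list: 7.15001 bits per byte is high for a plain compiled executable and is consistent with the packer signature PEiD reports, and the percentage is simply that value over the 8-bit maximum. The script below is an added example written for this post, not a tool used in the original analysis; it implements the Shannon entropy calculation that tools like PEiD and Exeinfo report, derives the same percentage figure, and flags files above an assumed triage threshold (7.0 bits, a common rule of thumb for "probably packed or encrypted", not a value from the post). The sample inputs are constructed in the script; `securemail.exe` is not included.

```python
"""Shannon entropy triage for suspect binaries (added example, not from the original post)."""

import math
import random
from collections import Counter

# Assumed triage threshold: values above ~7.0 bits/byte usually indicate a
# packed or encrypted payload. This is a rule of thumb, not a figure from the post.
PACKED_THRESHOLD_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0).

    H = -sum(p_i * log2(p_i)) over the 256 possible byte values, where p_i is
    the fraction of bytes equal to value i. Uniformly random bytes approach 8.0;
    a file made of a single repeated byte scores 0.0.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_percent(entropy_bits: float) -> float:
    """Express an entropy value as a percentage of the 8-bit maximum.

    This is the figure PEiD-style tools print next to the raw entropy; for the
    sample in the post, 7.15001 / 8 gives the quoted 89.3752%.
    """
    return entropy_bits / 8.0 * 100.0


def triage(data: bytes, threshold: float = PACKED_THRESHOLD_BITS) -> dict:
    """Compute entropy for a blob and return a small triage record."""
    h = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy_bits": round(h, 5),
        "entropy_percent": round(entropy_percent(h), 4),
        "likely_packed": h > threshold,
    }


def file_entropy(path: str) -> dict:
    """Run triage() over a file on disk (reads the whole file into memory)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample inputs so the script runs offline without any real malware:
# - low-entropy "text" resembling an unpacked section full of strings/padding
# - a seeded pseudo-random blob standing in for a packed/encrypted section
LOW_ENTROPY_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 64 + b"\x00" * 2048
HIGH_ENTROPY_SAMPLE = random.Random(1).randbytes(4096)


if __name__ == "__main__":
    for name, blob in (("constructed plain section", LOW_ENTROPY_SAMPLE),
                       ("constructed packed section", HIGH_ENTROPY_SAMPLE)):
        print(name, triage(blob))
    # Reproduce the percentage quoted in the post from its raw entropy value.
    print("7.15001 bits ->", round(entropy_percent(7.15001), 4), "%")
```

Run it against a real file with `file_entropy("path/to/sample.exe")`; a high whole-file score is a prompt to look at per-section entropy next, since a packed sample typically shows one near-8.0 section beside normal-looking headers.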

As far as behavior goes, there wasn't a whole lot of immediately obvious activity with it, but it DOES beacon out to the net. Here's a shot of the initial POST request it makes to the web:


The malware goes to sleep for a while, so at the moment I'm just going to let it do its thing and see what happens after a few hours. I would expect there to be additional POST requests that contain credentials to various online accounts... and I'm not sure that giving the malware some creds for testing purposes is a good idea. This will have to do for the time being. :) Here's the info that I can confirm so far:

CnC Domain: mail.yaklasim.com
CnC IP Address: 212.58.4.3
Country of Origin: Turkey

I know it's not much - but I hope it helps! I'm still looking for more samples that I can glean some more intel from. Stay tuned!

-SM
