Tuesday, March 14, 2017
Home / Malware / Analysis / A look at Pony 1.7 HTTP Botnet

A look at Pony 1.7 HTTP Botnet

Client recognized by Microsoft as : PWS:Win32/Fareit

Pony 1.7 Login Screen

 

Pony 1.7 Home Screen
Pony 1.7 FTP Grabber
Pony 1.7 Http Grabber

 

Pony 1.7 Statistics

 

Pony 1.7 Reports
Manage
Error Logs
Domains
Others

Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user’s computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.

Symptoms:

The following system changes may indicate the presence of this malware:

  • The presence of the following files:%ProgramFiles%/lp/<four hexadecimal digits>/<number>.tmp %AppData%\dwme.exe %TEMP%\dwme.exe %AppData%\svhostu.exe %TEMP%\svhostu.exe %AppData%\pny\pnd.exe
  • The presence of the following registry modifications:In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: “Microsoft PnD” With data: %AppData%\pny\pnd.exe In subkey: HKCU\Software\WinRAR Sets value: “HWID” With data: <unique identifier> (for example, {D9CD7060-83A2-46D0-8CEA-5EDF6043EEC7})

The list of programs this bot can steal from:

  • System Info
  • FAR Manager
  • Total Commander
  • WS_FTP
  • CuteFTP
  • FlashFXP
  • FileZilla
  • FTP Commander
  • BulletProof FTP
  • SmartFTP
  • TurboFTP
  • FFFTP
  • CoffeeCup FTP / Sitemapper
  • CoreFTP
  • FTP Explorer
  • Frigate3 FTP
  • SecureFX
  • UltraFXP
  • FTPRush
  • WebSitePublisher
  • BitKinex
  • ExpanDrive
  • ClassicFTP
  • Fling
  • SoftX
  • Directory Opus
  • FreeFTP / DirectFTP
  • LeapFTP
  • WinSCP
  • 32bit FTP
  • NetDrive
  • WebDrive
  • FTP Control
  • Opera
  • WiseFTP
  • FTP Voyager
  • Firefox
  • FireFTP
  • SeaMonkey
  • Flock
  • Mozilla
  • LeechFTP
  • Odin Secure FTP Expert
  • WinFTP
  • FTP Surfer
  • FTPGetter
  • ALFTP
  • Internet Explorer
  • Dreamweaver
  • DeluxeFTP
  • Google Chrome
  • Chromium / SRWare Iron
  • ChromePlus
  • Bromium (Yandex Chrome)
  • Nichrome
  • Comodo Dragon
  • RockMelt
  • K-Meleon
  • Epic
  • Staff-FTP
  • AceFTP
  • Global Downloader
  • FreshFTP
  • BlazeFTP
  • NETFile
  • GoFTP
  • 3D-FTP
  • Easy FTP
  • Xftp
  • FTP Now
  • Robo-FTP
  • LinasFTP
  • Cyberduck
  • Putty
  • Notepad++
  • CoffeeCup Visual Site Designer
  • FTPShell
  • FTPInfo
  • NexusFile
  • FastStone Browser
  • CoolNovo

WebServer Requirements

  • Apache / nginx
  • PHP 5.2 +
  • MySQL
  • Required extensions for PHP
  • zlib – Library for compression / decompression of data using deflate
  • libxml – library for fast processing of XML files
  • mysql – the extension to work with the MySQL database
  • mhash – with a library of hash algorithms (included in the main assembly PHP 5.3 +)
  • mcrypt – with a library of encryption algorithms
  • gmp – a mathematical library for working with large numbers
  • iconv, mbstring – extension for converting multibyte (UTF-8, …) lines
  • gd – a graphics library that is used for plotting
  • curl – the extension to work with the network
  • pcre – a library of algorithms for working with regular expressions
  • json – JSON library for decoding strings
  • zip – Library for handling zip archives
  • Optional extension for PHP
  • sqlite3 – is required as the class (PHP 5.3 +), or as a driver PDO (PHP 5.2 +), or some decrypted passwords will not be

The analysis

Example of assembly PHP:
Configure Command '. / Configure' '- enable-mbstring = all' '- with-zlib' '- with-iconv' '- with-gd' '- with-curl' '- with-pcre -regex '' - with-gmp '' - with-mhash '' - with-mcrypt '' - with-mysql '' - with-libxml-dir '' - prefix = / opt / php ' '- with-sqlite3' '- with-freetype-dir' '- enable-gd-native-ttf' '- with-png-dir' '- with-jpeg-dir' '- enable- zip '.

The server side (admin panel)
Scope of supply:
The file “config.php” – contains the basic settings required for the performance of PHP scripts admin. Inside the file, you must register your MySQL server settings, choose a password to decrypt the report, specify the folder for temporary files.
The file “setup.php” – automatic installation script, you need to run the initial configuration of the admin panel, then you can remove it. This script creates the necessary tables MySQL, set the login and password. Before running the “setup.php” should set the parameters of MySQL server in the file “config.php”. To repeat the automatic tuning of the panel, you must first remove all the tables with the prefix “pony_” from the database MySQL.
The file “gate.php” – script-gate, which receives reports from the password “Pony.exe”.
The file “admin.php” – the main manager of the script admin panel.
The folder “temp” – the folder for temporary files and templates, Smarty, you must install the right to read, write and execute (chmod 777).
The folder “includes” – a set of supporting files.
Admin functions
Home – General information about the ongoing work of the server.
List of FTP – here you can download or clear the lists obtained by FTP / SFTP.
Others – you can download or clear the lists received certificates.
Statistics – current statistics on the data collected, it is necessary to take into account that the cleaning list FTP / reset the statistics report.
Domains – on this page, you can add a backup domain grabber for the operational test for accessibility.
Logs – here you can see a critical error and notification server.
Reports – Reports a list of current passwords.
Management – server settings, as well as account management.
Help – help file.
Exit – exit from the admin panel.
Differentiation of user admin
Members are divided into two types:
Administrator (admin) – can do everything: delete / add new users, change the server settings (password is encrypted reports), change the privileges / passwords of other users, clear the lists of passwords. The administrator can only be one.
User (user) – depending on the privileges can either just view the data (user_view_only), or view lists and clean FTP / SFTP / reports / logs (user_all). User can change your password. The user will not see the additional functionality that is available only administrator.
Additional information
Each received a report contains additional information:
OS – version of Windows.
IP – IP address of the sender.
HWID – a unique user ID does not change with time. In this ID can be found all the reports from a particular computer.
Privileges – with what rights (User / Admin) process was started “Pony.exe”.
Architecture – x86/x64 architecture of a microprocessor, which was launched by the process of “Pony.exe”.
Version – version of the client “Pony.exe”.
Clear the list of reports and FTP / SFTP resets statistics (graphs and text data).
Identical reports with the passwords in the database are not imported when you receive a duplicate, the logs will be notified.
Import records with passwords through “gate.php” takes place in two stages:
The resulting report is imported into the database MySQL. Only when the import was successful in the database will return the gate positive response to the client “Pony.exe” to avoid sending passwords in the following (redundant) domains.
The report is processed (parsed), then found FTP added to the database, and report the status of prescribed “processed.”
If the report has received the status “not processed” means either the server is overloaded (exceeded the maximum time the script), or parsing the script left with a critical error. In any case, the report will not be lost.
If the system used by several users, you must go under different accounts, otherwise it will always pop up login window.
After clearing the lists, the data in a MySQL database does not always physically removed (especially logs), so you should periodically run the optimization (compression) tables.
Optimization (compression), MySQL table is best carried out when there is heavy load on the database, ie client “Pony.exe” does not send passwords active.
Builder “PonyBuilder.exe”
Task Builder – Configure and compile the client “Pony.exe”, to be progruzhat to infected computers.
Scope of supply:
Folder “masm32” – the compiler Microsoft Macro Assembler (MASM).
Folder “PonySrc” – the source code in MASM client program (grabber) “Pony.exe”.
Folder “BuilderSrc” – the source code in Delphi 7 support program-Builder “PonyBuilder.exe”.
The file “PonyBuilder.exe” – program-builder for the customer “Pony.exe”.
The file “Help.txt” – help file.
The file “build.bat” – a script used by the builders build to compile from source “PonySrc”.
The file “Pony.ico” – the icon is attached to the “Pony.exe” at compile time, if the builder select the corresponding option.
The interface is divided into four tabs:
Builder
The text box “list of domains to send passwords” – here you can set a list of URL gates to send passwords. Each line – a separate URL, for example: http://somedomain.com/dir/gate.php You can add an unlimited number of rows (URL), the same URL can be added multiple times. The domain may contain information about the port connection, for example: http://privatedomain.com:8080/gate.php. Https:// protocol is not currently supported.
“Pony.exe” will try to connect and send a report with the passwords on the list, if the data is successfully delivered, the program will exit immediately without attempting to connect to the rest of the URL.
The “Select icon” allows you to set the icon for the compiled file is only supported format *. Ico.
The “New Build” compile file “Pony.exe” to your settings.
Loader
A simple loader (boot files). After gathering passwords from these links (URL) will be loaded and run files. URL given in the same manner as the list of domains to send passwords. In the lower part of the tab you can specify the following options:
Activate the loader – the loader include work, otherwise the files will not load.
Do not run the same files twice – after the successful launch of the downloaded file into the registry will be added to the reference value (hash) of the data file, and then, when re-loading, a duplicate will not run.
Settings
To see all the settings, you need to activate the option “Show advanced settings” in the main menu.
Compress – compress reports using the library aPLib, adds about 5kb to the size of the executable file, packs a good text data before sending it, it is strongly recommended that you use greatly reduces the traffic to the server.
Encrypt – encryption algorithm reports RC4.
Encryption password – a password that is encrypted records, similar to the password must be installed in the server configuration.
Save reports to disk (for debugging) – when you start “Pony.exe”, after the passwords have been collected in the same directory where the executable is running, it will create a file “out.bin”, a container with a password in this form in which he was sent to the server for further processing (decoding).
Sending blank reports (for statistics) – usually, if no password is found, the client “Pony.exe” personal server will not send, but it is sometimes useful to include this option to get statistics on the number of successful launches “Pony.exe”.
Debug mode – removes an interceptor exceptions, be used only for debugging purposes.
Send only new records – if this option is not activated, then the duplicate records with passwords are not sent.
Samoudalenie – running the file “Pony.exe” will be removed after the exit.
Add an icon – an icon to attach the selected file to be compiled.
Packing build with UPX – compress executable “Pony.exe” after compilation.
Number of attempts to send the report – how many times to try to send a report when an unsuccessful transmission, it is recommended to specify a minimum of two attempts.
Build Alternative:
Exe-file – normal executable Windows (*. Exe)
Dll-file – version of the assembly in the form. Dll libraries, it is completely autonomous, to practice you must call from your project API-only function LoadLibrary (), ie URL to send the password and all settings are sewed in myself. Dll file. In the folder DllTest is a simple example of testing, in the same folder to put the file Pony.dll, then run the file DllTest.exe, which in turn calls LoadLibrary () for. Dll library.
In the “Available Modules decoding” can be excluded from the build unneeded passwords decoder, it will reduce the size of the build.
Skin
On this tab, you can choose a favorite skin (skin) Builder.
Starting the Builder from the command line
The following command line arguments Builder:
-PACK_REPORT – compress reports
-ENCRYPT_REPORT – encrypt the records, if encryption password is not specified, the default will be listed “Mesoamerica”
-REPORT_PASSWORD = – password encryption, for example:-REPORT_PASSWORD = Mesoamerica
-SAVE_REPORT – save reports to disk (for debugging)
-ENABLE_DEBUG_MODE – debug mode
-SEND_MODIFIED_ONLY – send only the new records
-SELF_DELETE – enable samoudalenie
-SEND_EMPTY_REPORTS – send a blank report
-ADD_ICON – attach a file icon from Pony.ico
-UPX – Build pack using UPX
-DOMAIN_LIST = – list of domains, each domain must be divided by spec. the symbol \ n, for example:-DOMAIN_LIST = http://host.com/gate.php \ nhttp :/ / host2.com/x/gate.php
-LOADER_LIST = – a list of URL for the loader (it will be automatically activated in the presence of URL), each URL must be divided similarly DOMAIN_LIST
-LOADER_EXECUTE_NEW_FILES_ONLY – do not run the same files twice
-DISABLE_MODULE = – excluding specific module build decoding (all the names of the modules can be seen in the file PonySrc \ FTPClients.asm), for example:-DISABLE_MODULE = MODULE_OPERA
-DLL_MODE – use the assembly in the form of Dll-library
-COLLECT_HTTP – in addition to collect and HTTP / HTTPS passwords
-UPLOAD_RETRIES = N – the number (N) attempts to send a report if no value is specified, the default is 2 attempts
Client “Pony.exe”
The task of “Pony.exe” – to collect passwords from the computer and send them to the server for processing.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Silent OS 3.0 for Blackphone Completely revamped

Version 3.0 migrates Silent OS to Android Marshmallow 6.0.1 and delivers the Android safety patch …