My Name Is Hunter, Ponmocup Hunter

Presented at DeepSec 2013 „Secrets, Failures, and Visions“, Unknown date/time (Unknown duration)

In early 2011 we discovered some malware-infected systems in our network. Starting from one A/V event we found several host- and network-based indicators to identify and confirm several infections within our company. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). I quickly got obsessed with analyzing and hunting this malware, which could infect fully patched systems protected by firewalls, IPS and multi-layered A/V without using exploits (only social engineering). The malware got some media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman's Dream Come True". A/V detection names for this malware vary greatly, and there may be as little as one registry key in common as an indicator for all infected hosts. Over time the infection and C&C domains, IPs and URL patterns changed to avoid detection. In late 2012 an "anti-sinkholing technique" was introduced in the use of C&C domains. Just recently I discovered how this technique can be overcome to allow sinkholing of botnet domains again. Unfortunately, the currently used C&C domains are not as well known as they were after the incident and analysis in 2011.

Presenters:

  • Tom Ueltschi - Swiss Post
    Tom Ueltschi received his Bachelor's and Master's of Science in Computer Science and Engineering from the University of Texas at Arlington. After about 6 years working in software development (mainly Java web applications) he switched to IT security five and a half years ago. Hunting for and analyzing new malware is part of his job and hobby as well. He's an (in-)frequent blogger about APT resources and malware/botnet research (c-apt-ure.blogspot.com) and believes in sharing threat and malware intelligence using Twitter (@c_APT_ure), Storify, CIF feeds and IOCs. He holds several GIAC certifications (GCIH, GWAPT, GXPN) and received the SANS Lethal Forensicator Coin for submitting several IOCs to ForensicArtifacts.com. He's a member of several closed/trusted groups for fighting cybercrime and sharing malware and APT intelligence.
