One year ago our colleague Xylit0l wrote about the Pony stealer malware. It’s been a year and the Pony family has grown! Two malwares, at least, have been found in the wild with some parts of Pony included in them.
This is the case of Jolly Roger which is a malware that uses the same gate.php script with few modifications. Instead of saving the stolen information with all the details about the infected system in the database, Jolly Roger only saves the parsed credentials into the file system using the following functions.
Bot Information Storage
The following snipped shows how the Bot information is stored in disk:
The following snipped shows how credentials are stored in different files:
Notice that using this approach, is not possible to trace the infection period nor the number of infected bots in order to perform an Information Forensics analysis. This is the content of the db/ directory:
Only few Bot information and credentials are saved, sad news, but… Hey! you have a cool control panel:
As you can see, the panel is pretty similar to the SpyEye one:
Good… we may call the Jolly Roger guy the Master of Copy&Paste! But wait, this is not the only one taking profit from the Pony Stealer malware, another similar case of code re-usage is found in a web panel called A1N3Y Recovery, the big guy – see pictures below – just used exactly the same code as Pony and added the following code in the admin.php web site code:
This is awesome, the big guy just took the code from the malware and added an expiration date in order to earn money renting the service during a long time. The admin.php script also checks if the user expired or not:
But, hey! Look at the following pictures of the panel, so cool right?
Inside the control panel (with the big guy)
Actually, this panel with the big guy seems to be in the wild since 2013.
My little pony is getting older.