Pony Botnet Controller Holds 2 Million Stolen–and Weak–Credentials

A Pony botnet controller has been discovered with two million stolen credentials, most of them for online services from Facebook, Twitter, Yahoo, Google and the ADP payroll service.

So what’s worse: Finding two million passwords harvested by a botnet, or learning that most of the stolen passwords are terribly weak?

Researchers at Trustwave SpiderLabs recently found another Pony botnet controller overseeing a trove of close to two million credentials: website logins and email accounts, as well as FTP, RDP and SSH accounts. Most of the credentials were for online services such as Facebook, Google, Twitter, Yahoo and LinkedIn; the haul also included close to 8,000 passwords for the ADP payroll service.

While the Facebook logins found inside this particular Pony instance are useful for social engineering capers, phishing scams and targeted attacks, the ADP logins are a link to cold hard cash.

“It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list,” wrote Trustwave SpiderLabs researchers Daniel Chechik and Anat Davidi. “Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions.”

Pony is a botnet controller whose web control panel gives the operator a view into infected victims, activity logs, management of the stolen data and statistics on that data. Since the Pony controller source code was leaked earlier this year, researchers have been finding more of these panels online, used to manage botnets big and small.

This particular instance discovered by SpiderLabs has a distinct Russian flavor to it, given that a good number of credentials for a couple of popular Russian social networks were also found. Infected machines from more than 100 countries report in to this Pony controller. According to the stats SpiderLabs recovered, most of those connections come from the Netherlands, but because the hits all arrive from a single IP address, the researchers theorize that this address is a gateway in the Netherlands sitting between the infected machines and the true command-and-control infrastructure, whose real location is hidden behind it.

“This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down—outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” Chechik and Davidi wrote. “While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.”

While the theft of the credentials is bad enough (318,121 Facebook credentials; 59,549 Yahoo; 54,437 Google), the researchers also looked at the passwords themselves and, perhaps to no one’s surprise, found that they are generally weakly constructed.

Hundreds of thousands of the credentials, the researchers said, use only one character type (either numerals or letters) as a password. Most of those are variations on 123456; seven of the top 10 passwords found in the controller started with 123. Password, admin and 111111 round out the top 10.

As for complexity, 34 percent were rated poor by SpiderLabs, meaning they used a single character type or an otherwise simple password, while 22 percent were rated good or excellent, meaning they used at least three different character types to build the password.
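As an added example that is not part of the article or of the SpiderLabs research, the following Python script performs a character-class audit of the kind described above over a small constructed credential dump. The sample lines, the domain/user/password layout, and the rating thresholds (one class = poor, two = medium, three = good, four or more = excellent) are assumptions; the exact SpiderLabs scoring is not given on the page.

```python
"""Audit a credential dump for weak passwords by character-class mix.

Added example: the sample dump and the rating scheme are assumptions,
not the SpiderLabs data or scoring.
"""
import string
from collections import Counter

# Constructed sample dump in an assumed "domain user password" layout.
SAMPLE_DUMP = """\
facebook.com alice 123456
facebook.com bob 123456
yahoo.com carol Password
google.com dave 111111
adp.com erin Tr0ub4dor&3
linkedin.com frank admin
twitter.com grace 1234
vk.com heidi qwerty
facebook.com ivan Summer2013!
mail.ru judy 12345678
"""

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(password):
    """Return the set of character classes present in the password."""
    present = set()
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                present.add(name)
                break
        else:
            present.add("other")  # whitespace, non-ASCII, etc.
    return present


def rate(password):
    """Assumed rating scheme keyed only on the number of distinct classes."""
    n = len(char_classes(password))
    if n <= 1:
        return "poor"
    if n == 2:
        return "medium"
    if n == 3:
        return "good"
    return "excellent"


def parse_dump(text):
    """Yield (domain, user, password) from the assumed three-field layout."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        domain, user, password = line.split(None, 2)
        creds.append((domain, user, password))
    return creds


def audit(text, top_n=5):
    """Summarise the dump: rating mix, single-class count, 123-prefixes,
    most common passwords and most targeted domains."""
    creds = parse_dump(text)
    passwords = [pw for _, _, pw in creds]
    return {
        "total": len(creds),
        "ratings": Counter(rate(pw) for pw in passwords),
        "single_class": sum(1 for pw in passwords if len(char_classes(pw)) == 1),
        "starts_123": sum(1 for pw in passwords if pw.startswith("123")),
        "top": Counter(passwords).most_common(top_n),
        "by_domain": Counter(domain for domain, _, _ in creds),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    total = report["total"]
    for label, count in report["ratings"].most_common():
        print(f"{label:>9}: {count:3d} ({100 * count / total:.0f}%)")
    print("single-class passwords:", report["single_class"])
    print("passwords starting with 123:", report["starts_123"])
    print("top passwords:", report["top"])
    print("top domains:", report["by_domain"].most_common(3))
```

Run against a real dump, the `ratings` and `starts_123` figures are the ones to compare with the percentages quoted above; `by_domain` reproduces the "top domains" ranking that put the payroll service in the list.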

“Unfortunately, the most commonly used passwords were far from what your CISO would like to see,” they wrote.
