In Retrospective – A Peek Inside the Pony Loader Cybercrime-Friendly Malicious Software Release – An OSINT Analysis

I recently took a peek inside some of my old threat intelligence gathering research archives and I’ve decided to share with everyone some sample screenshots, including an actual description, from the back then extremely popular and high-profile Pony Loader malicious software release.


Sample screenshots of the Pony Loader in action:

Sample description of the Pony Loader:

“Pony” FTP password collection system

Purpose and Objectives of the project

Collection of FTP passwords from 81+ popular FTP clients and web browsers on infected computers
Invisible to the user
Minimal size and execution time of the grabber on the infected computer

General information

The project is divided into three parts:
Client “Pony.exe” – the program that is loaded onto computers; it collects passwords and sends them to the server.
Builder (PonyBuilder.exe) – a set of programs for creating a build of the client “Pony.exe”. The build is compiled automatically by the masm32 compiler, which is included in the kit.
A set of server-side PHP scripts – the admin panel, as well as the gate script (gate.php) to which passwords are sent.

An unusual approach is used to collect the passwords

When the client “Pony.exe” runs, it automatically collects the passwords and the data required to decrypt them into a special container called a “report”, which is then sent encrypted to the server, where it is processed. Each report can contain tens or even hundreds of passwords, as well as other supporting information.

In fact, “Pony.exe” does not contain any decryption algorithms, only simple functions for reading data from files and the registry.

All work on decrypting the passwords is done on the web server. This is not a resource-intensive operation, because most of the algorithms are trivial; the server spends on average less than 10 ms (0.01 seconds) processing a report with passwords.

Positive aspects of this approach:
The minimal size of the distributed file “Pony.exe”
The minimal time spent on the infected computer, on average less than 1 second
If an FTP client has just updated its encryption algorithm but still stores its password files in the same way as before, which is typical for the majority of popular FTP clients, there is no need to re-create and distribute the build; only the appropriate modifications to the PHP are required
No chance of making a mistake in the password decryption algorithm and losing FTP accounts: reports can be processed on the server again after the bug is fixed

Requires a full-fledged web server configured for password decryption, with some specific requirements
Increased traffic to the server; to offset this, the ability to pack reports has been added

Requirements for the Web server

Apache / nginx
PHP 5.2+
Required PHP extensions
zlib – library for compressing/decompressing data using deflate
libxml – library for fast processing of XML files
mysql – extension for working with the MySQL database
mhash – library of hash algorithms (included in the main PHP build in 5.3+)
mcrypt – library of encryption algorithms
gmp – mathematical library for working with large numbers
iconv, mbstring – extensions for converting multibyte (UTF-8, …) strings
gd – graphics library, used for drawing graphs
curl – extension for working with the network
pcre – library of regular expression algorithms
json – library for decoding JSON strings
zip – library for handling zip archives
Optional PHP extensions
sqlite3 – required either as the class (PHP 5.3+) or as a PDO driver (PHP 5.2+); otherwise some passwords will not be decrypted

The set of server-side scripts is not tied to the root folder and can be moved anywhere you want. In the working folder you must create the directory “temp” and give it read, write and execute permissions (chmod 777). The name of the “temp” folder can be overridden in the configuration file.

Example PHP build:
Configure Command: './configure' '--enable-mbstring=all' '--with-zlib' '--with-iconv' '--with-gd' '--with-curl' '--with-pcre-regex' '--with-gmp' '--with-mhash' '--with-mcrypt' '--with-mysql' '--with-libxml-dir' '--prefix=/opt/php' '--with-sqlite3' '--with-freetype-dir' '--enable-gd-native-ttf' '--with-png-dir' '--with-jpeg-dir' '--enable-zip'

The server side (admin panel)

Scope of supply:
The file “config.php” – contains the basic settings required for the admin panel’s PHP scripts to work. In this file you must enter your MySQL server settings, choose a password for decrypting reports, and specify the folder for temporary files.
The file “setup.php” – automatic installation script; you need to run it for the initial configuration of the admin panel, after which you can remove it. This script creates the necessary MySQL tables and sets the login and password. Before running “setup.php” you should set the MySQL server parameters in the file “config.php”. To repeat the automatic setup of the panel, you must first remove all tables with the prefix “pony_” from the MySQL database.
The file “gate.php” – the gate script, which receives the reports with passwords from “Pony.exe”.
The file “admin.php” – the main script of the admin panel.
The folder “temp” – the folder for temporary files and Smarty templates; you must give it read, write and execute permissions (chmod
The folder “includes” – a set of supporting files.

Admin functions

Home – general information about the server’s current operation.
FTP list – here you can download or clear the lists of obtained FTP/SFTP accounts.
Others – here you can download or clear the lists of obtained certificates.
Statistics – current statistics on the collected data; it must be taken into account that clearing the FTP list resets the statistics
Domains – on this page you can add backup domains for the grabber and quickly test them for accessibility.
Logs – here you can see critical errors and server notifications.
Reports – the list of current password reports.
Management – server settings, as well as account management.
Help – help file.
Exit – log out of the admin panel.

Differentiation of admin panel users

Users are divided into two types:
Administrator (admin) – can do everything: delete/add users, change the server settings (the password with which reports are encrypted), change the privileges/passwords of other users, clear the password lists. There can be only one administrator.
User (user) – depending on privileges, can either only view data (user_view_only), or view and clear the FTP/SFTP lists, reports and logs (user_all). A user can change their own password. The user does not see the additional functionality that is available only to the administrator.

Additional information

Each received report contains additional information:
OS – Windows version.
IP – IP address of the sender.
HWID – a unique user ID that does not change over time. Using this ID, all reports from a particular computer can be found.
Privileges – the rights (User/Admin) with which the “Pony.exe” process was started.
Architecture – x86/x64 architecture of the processor on which the “Pony.exe” process was launched.
Version – version of the client “Pony.exe”.
Clearing the list of reports and FTP/SFTP accounts resets the statistics (graphs and text data).
Identical reports with passwords are not imported into the database; when a duplicate is received, a notification is written to the logs.
Import of reports with passwords through “gate.php” takes place in two stages:
The received report is imported into the MySQL database. Only when the import into the database was successful does the gate return a positive response to the client “Pony.exe”, so that it does not send the passwords to the following (redundant) domains.
The report is processed (parsed), the FTP accounts found are added to the database, and the report is given the status “processed”.
If a report has the status “not processed”, it means either the server was overloaded (the maximum script execution time was exceeded) or the parsing script exited with a critical error. In either case, the report will not be lost.
If the system is used by several users, they must log in under different accounts; otherwise the login window will keep popping up.
After clearing the lists, the data in the MySQL database is not always physically removed (especially logs), so you should periodically run optimization (compression) of the tables.
Optimization (compression) of the MySQL tables is best carried out when there is no heavy load on the database, i.e. when the client “Pony.exe” is not actively sending passwords.

Builder “PonyBuilder.exe”

The Builder’s task is to configure and compile the client “Pony.exe” that will be distributed to infected computers.

Scope of supply:
Folder “masm32” – the Microsoft Macro Assembler (MASM) compiler.
Folder “PonySrc” – the MASM source code of the client program (grabber) “Pony.exe”.
Folder “BuilderSrc” – the Delphi 7 source code of the supporting program, the builder “PonyBuilder.exe”.
The file “PonyBuilder.exe” – the builder program for the client “Pony.exe”.
The file “Help.txt” – help file.
The file “build.bat” – a script used by the builder to compile the build from the “PonySrc” sources.
The file “Pony.ico” – the icon attached to “Pony.exe” at compile time, if the corresponding option is selected in the builder.

The interface is divided into four tabs:

The text box “list of domains to send passwords” – here you set the list of gate URLs to which passwords are sent. Each line is a separate URL, for
You can add an unlimited number of lines (URLs); the same URL can be added multiple times. The domain may contain the connection port, for example: The https:// protocol is not currently supported.
“Pony.exe” will try to connect and send the report with passwords to each URL in the list; if the data is successfully delivered, the program exits immediately without attempting to connect to the remaining URLs.
The “Select icon” button allows you to set the icon for the compiled file; only the *.ico format is supported.
The “New Build” button compiles the file “Pony.exe” with your settings.
A simple loader (file download). After gathering passwords, files will be downloaded from these links (URLs) and run. URLs are given in the same manner as the list of domains for sending passwords. In the lower part of the tab you can specify the following options:
Activate the loader – enables the loader; otherwise the files will not be downloaded.
Do not run the same files twice – after the successful launch of a downloaded file, a reference value (hash) of the file data is added to the registry, and then, on re-download, a duplicate will not
To see all the settings, you need to activate the option “Show advanced settings” in the main menu.
Compress – compress reports using the aPLib library; adds about 5 KB to the size of the executable file and packs text data well before sending. It is strongly recommended, as it greatly reduces traffic to the server.
Encrypt – encrypt reports with the RC4 algorithm.
Encryption password – the password with which reports are encrypted; the same password must be set in the server configuration.
Save reports to disk (for debugging) – when “Pony.exe” is started, after the passwords have been collected, it creates in the directory the executable runs from a file “out.bin”, a container with the passwords in the form in which it was sent to the server for further processing (decoding).
Send empty reports (for statistics) – usually, if no passwords are found, the client “Pony.exe” sends nothing to the server, but it is sometimes useful to enable this option to get statistics on the number of successful launches of “Pony.exe”.
Debug mode – removes the exception interceptor; use only for debugging purposes.
Send only new records – if this option is not activated, then duplicate password records are not sent.
Self-delete – the running file “Pony.exe” will be deleted after exit.
Add an icon – attach the selected icon to the compiled file.
Pack build with UPX – compress the executable “Pony.exe” after compilation.
Number of attempts to send the report – how many times to try to send a report after an unsuccessful transmission; it is recommended to specify a minimum of two attempts.
Build alternatives:
Exe file – a normal Windows executable (*.exe)
Dll file – a version of the build in the form of a .dll library. It is completely autonomous: to use it you only need to call the LoadLibrary() API function from your project, i.e. the URLs for sending passwords and all settings are sewn into the .dll file itself. In the folder DllTest there is a simple test example: put the file Pony.dll in the same folder, then run the file DllTest.exe, which in turn calls LoadLibrary() for the .dll library.
In “Available decoding modules” you can exclude unneeded password decoders from the build, which reduces the size of the build.
On this tab you can choose your favorite skin for the Builder.

Starting the Builder from the command line

The Builder accepts the following command line arguments:

-PACK_REPORT – compress reports
-ENCRYPT_REPORT – encrypt reports; if no encryption password is specified, the default “Mesoamerica” will be used
-REPORT_PASSWORD= – encryption password, for example: -REPORT_PASSWORD=Mesoamerica
-SAVE_REPORT – save reports to disk (for debugging)
-ENABLE_DEBUG_MODE – debug mode
-SEND_MODIFIED_ONLY – send only new records
-SELF_DELETE – enable self-delete
-SEND_EMPTY_REPORTS – send empty reports
-ADD_ICON – attach the icon from Pony.ico to the file
-UPX – pack the build using UPX
-DOMAIN_LIST= – list of domains; each domain must be separated by the special symbol n, for example: -DOMAIN_LIST=nhttp://
-LOADER_LIST= – list of URLs for the loader (it will be automatically activated if URLs are present); each URL must be separated in the same way
-LOADER_EXECUTE_NEW_FILES_ONLY – do not run the same files twice
-DISABLE_MODULE= – exclude a specific decoding module from the build (all module names can be seen in the file FTPClients.asm in PonySrc),
-DLL_MODE – build in the form of a DLL library
-COLLECT_HTTP – additionally collect HTTP/HTTPS passwords
-UPLOAD_RETRIES=N – the number (N) of attempts to send a report; if no value is specified, the default is 2 attempts
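As an added defensive example (not code from the original description or from the Pony kit), here is how an incident responder could triage a captured report body posted to the gate: RC4 is symmetric, so the configured password, or the documented default “Mesoamerica” when none was set, decrypts what the client sent. The sample report below is constructed, and the printable-text plausibility heuristic is an assumption that only holds when the Compress option was off.

```python
# Added example: RC4-decrypt a captured Pony report and rank candidate passwords.
# Standard library only.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace (0.0 for empty input)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

def identify_report_key(blob: bytes, candidates, threshold: float = 0.9):
    """Return the first candidate password whose RC4 decryption looks like text, else None.
    Assumption: a report built without Compress decrypts to mostly printable text, while
    a wrong key yields near-random bytes (about 38% printable). Reports built with
    Compress on are aPLib-packed under the RC4 layer and must be unpacked first."""
    for pw in candidates:
        if printable_ratio(rc4(pw.encode(), blob)) >= threshold:
            return pw
    return None

# Constructed sample: a report-like payload with fake hosts and accounts, encrypted
# with the default password the builder uses when none is supplied.
SAMPLE_PLAINTEXT = (
    b"HWID=CONSTRUCTED-0001\r\nOS=Windows 7\r\nArch=x86\r\n"
    b"ftp.example.net\tbackup\tnot-a-real-password\r\n"
    b"ftp.example.org\twebmaster\talso-fake\r\n"
)
SAMPLE_REPORT = rc4(b"Mesoamerica", SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    found = identify_report_key(SAMPLE_REPORT, ["hunter2", "Mesoamerica"])  # wrong guess first
    print("key:", found)
    print(rc4(found.encode(), SAMPLE_REPORT).decode())
```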

Client “Pony.exe”

The task of “Pony.exe” is to collect passwords from the computer and send them to the server for processing.

Works on all versions of Windows from Win98, including server versions. It works in both x86 and x64 mode. The program works normally whether run as an administrator or as a regular user.

Before distributing the file, it is advisable to clean it and run it through a crypter.

Instant decryption of stored passwords is implemented for the following programs:
System Info
FAR Manager
Total Commander
FTP Commander
BulletProof FTP
CoffeeCup FTP / Sitemapper
FTP Explorer
Frigate3 FTP
Directory Opus
FreeFTP / DirectFTP
32bit FTP
FTP Control
FTP Voyager
Odin Secure FTP Expert
FTP Surfer
Internet Explorer
Google Chrome
Chromium / SRWare Iron
Bromium (Yandex Chrome)
Comodo Dragon
Global Downloader
Easy FTP
Notepad++
CoffeeCup Visual Site Designer
FastStone Browser

Stay tuned!
