Ponmocup – A giant hiding in the shadows

Ponmocup threat report cover pagePonmocup, first discovered in 2006 as Vundo or Virtumonde, is one of the most successful botnets of the past decade, in terms of spread and persistence. The reasons why this botnet is considered highly interesting are that it is sophisticated, underestimated and is currently largest in size and aimed at financial gain.

This underestimated botnet is still in active use and under continuous development. Having established that Ponmocup’s primary goal is likely financial gain, it is interesting to look at its size. Fox-IT has determined that it has infected a cumulative total of more than 15 million unique victims since 2009. At its peak, in July 2011, the botnet consisted of 2.4 million infected systems, which as far as botnets go, is huge. Since then, the botnet has shrunk in size and is currently stable at around 500,000 active infections, as shown below:

Ponmocup botnet global infections

Compared to other botnets, Ponmocup is one of the largest currently active and, with 9 consecutive years, also one of the longest running. Ponmocup is rarely noticed though, as the operators take care to keep it operating under the radar.

Ponmocup’s operators are technically sophisticated, their techniques suggest a deeper than regular knowledge of the Windows operating system. On top of that, the operators have close to 10 years of experience with malware development. Their framework was developed over time, quality tested and then improved in order to increase robustness and reduce the likelihood of discovery.

The operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that historically, Ponmocup would not infect systems in some post-Soviet States.

Ponmocup is believed to be aimed at financial gain. Although it is difficult to quantify the exact amount of money earned with the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now. There are multiple reasons to assume this is the case. Firstly, their infrastructure is complex, distributed and extensive, with servers for dedicated tasks. Secondly, they operate, maintain and monitor their comprehensive infrastructure with a group of operators and are quickly able to mitigate potential risks that are discovered. Thirdly, the malware itself is sophisticated and aimed at avoiding detection and analysis. Fox-IT believes, based on the earlier mentioned reasons, that they are protecting a very well run organization and infrastructure, for their main goal: financial gain.

Download the threat report ‘Ponmocup – a giant hiding in the shadows