Analysis and takeover of the bitcoin-coordinated pony malware

Abstract

Malware, like all products and services, evolves with bursts of innovation. These advances usually happen whenever security controls get good enough to significantly impact the revenue stream of malicious actors, and in the past we have seen the malware ecosystem to adopt concepts such as code obfuscation, polymorphism, domain-generation algorithms (DGAs), as well as virtual machine and sandbox evasion whenever defenses were able to perform consistent and pervasive suppression of these threats. The latest innovation step addresses one of the main Archilles heels in malware operations: the resilient addressing of the command & control (C&C) server. As domain blacklisting and DGA reversing have become mature security practices, malware authors are now turning to the Bitcoin blockchain, and use its resilient design principle to disseminate control information that cannot be removed by defenders. In this paper, we report on the adoption of Bitcoin-based C&C addressing in the Pony malware, one of the most widely occurring malware platforms on Windows. We forensically analyze the blockchain-based C&C mechanism of the Pony malware, track the malicious operations over a period of 12 months, and report how the adversaries experimented and optimized their deployment over time. We identify a security flaw in the C&C addressing, which is used to perform a takeover of the malware loading mechanism to quantify the volume and origin of the incoming infections.

Harm Griffioen

Assistant Professor Cyber Security

My research interests include internet measurements, network security, and cyber threat intelligence.