My Name is Hunter, Ponmocup Hunter
2023-04-29 | 10:00 – 10:50
In early 2011 we discovered some malware-infected systems in our network. Starting from a single A/V event, we found several host- and network-based indicators to identify and confirm several infections within our company. A few weeks later, sinkholing several known C&C domains showed that the botnet was very large (several million bots). I quickly became obsessed with analyzing and hunting this malware, which could infect fully patched systems protected by firewalls, IPS and multi-layered A/V without using exploits (only social engineering).
The malware got some media attention in June 2012 with titles such as “printer virus”, “printer bomb” or “Trojan.Milicenso: A Paper Salesman’s Dream Come True”. A/V detection names for this malware vary greatly, and there may be as little as one registry key in common as an indicator across all infected hosts. Over time the infection and C&C domains, IPs and URL patterns changed to avoid detection.
In late 2012 an “anti-sinkholing technique” was introduced in the way the C&C domains are used. Just recently I discovered how this technique can be overcome to allow sinkholing of botnet domains again. Unfortunately, the currently used C&C domains are not as well known as they were after the incident and analysis in 2011.