December 3, 2015

15m computers hit by well-disguised botnet

News: The Ponmocup botnet has around 1m computers under its control.

By Charlotte Henry

Researchers at Fox IT have detailed a massive botnet that has infected 15 million machines over the course of its existence, which dates back to 2009.

The Ponmocup botnet had control of 2.4m devices when it was at its peak in July 2011, and remains one of the largest active botnets, with around 1m machines under its command.

The researchers describe Ponmocup as "one of the most successful botnets of the past decade, in terms of spread and persistence." They say its infrastructure is "complex, distributed, and extensive, with servers for dedicated tasks."

The botnet appears to be under constant development: the researchers unearthed 25 unique plug-ins and some 4,000 variants.

Ponmocup is hard to detect and analyse because it uses anti-analysis techniques, such as heuristic checks for network- and host-based analysis tools, debuggers and virtualised environments.

If those anti-analysis checks flag an attempt to analyse the malware, a fake payload is delivered instead: one that injects adverts and is easy to remove. That decoy disguises the delivery of a much more serious payload to hosts that pass the checks.
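To make that decoy mechanism concrete, here is a toy model, added to this article and not Ponmocup's own code, of the kind of heuristic environment check described above. It inspects a constructed snapshot of the host for an attached debugger, known analysis tools and virtualisation artefacts, and selects the adware decoy when any indicator fires. The process names, MAC prefixes and DMI vendor strings are assumptions chosen for the illustration, not indicators recovered from the malware.

```python
"""Toy model of analysis-environment heuristics that gate a decoy payload.

Constructed, illustrative example: NOT Ponmocup's code. The indicator
lists below are assumptions for the demonstration, not recovered IOCs.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import List

# Assumed (hypothetical) indicator lists for the demonstration.
ANALYSIS_TOOL_PROCESSES = {
    "wireshark", "tcpdump", "fiddler",      # network analysis
    "procmon", "ollydbg", "x64dbg", "idaq",  # host analysis / debuggers
}
# Common hypervisor MAC OUIs: VMware (two), VirtualBox, QEMU/KVM.
VM_MAC_PREFIXES = {"00:0c:29", "00:50:56", "08:00:27", "52:54:00"}
# Substrings typically seen in DMI/SMBIOS vendor strings of guests.
VM_DMI_VENDORS = {"vmware", "innotek gmbh", "qemu", "xen"}


@dataclass
class HostSnapshot:
    """What the check observes about the host (constructed for the example)."""
    processes: List[str]     # running process image names, e.g. "wireshark.exe"
    mac_address: str         # primary NIC MAC, any case
    dmi_vendor: str          # system manufacturer string from DMI/SMBIOS
    debugger_attached: bool  # result of a platform debugger check


def analysis_indicators(snap: HostSnapshot) -> List[str]:
    """Return the list of heuristics that fired, in a fixed order."""
    hits: List[str] = []
    if snap.debugger_attached:
        hits.append("debugger")
    # Normalise "Wireshark.exe" -> "wireshark" before matching.
    running = {p.lower().rsplit(".", 1)[0] for p in snap.processes}
    tools = sorted(running & ANALYSIS_TOOL_PROCESSES)
    if tools:
        hits.append("tools:" + ",".join(tools))
    if snap.mac_address.lower()[:8] in VM_MAC_PREFIXES:
        hits.append("vm-mac")
    vendor = snap.dmi_vendor.lower()
    if any(v in vendor for v in VM_DMI_VENDORS):
        hits.append("vm-dmi")
    return hits


def choose_payload(snap: HostSnapshot) -> str:
    """'decoy' (easily removed adware) when analysis is suspected, else 'real'."""
    return "decoy" if analysis_indicators(snap) else "real"


def python_debugger_attached() -> bool:
    """Cheap in-process debugger check for this interpreter: pdb, coverage and
    most Python debuggers install a trace function."""
    return sys.gettrace() is not None


if __name__ == "__main__":
    # Constructed snapshots: an analysis VM with Wireshark, and a plain victim.
    lab = HostSnapshot(["explorer.exe", "Wireshark.exe"], "00:0C:29:AA:BB:CC",
                       "VMware, Inc.", python_debugger_attached())
    victim = HostSnapshot(["explorer.exe", "chrome.exe"], "3C:52:82:11:22:33",
                          "Dell Inc.", False)
    for name, snap in (("lab", lab), ("victim", victim)):
        print(f"{name}: indicators={analysis_indicators(snap)} -> {choose_payload(snap)}")
```

The practical lesson for analysts is the inverse of this logic: a sample that drops only trivial adware inside a stock VM with an analysis tool running may have classified the environment as hostile, so the real second stage should be sought on bare metal or in a VM whose MAC, DMI strings and process list have been made to look like an ordinary user machine.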

Fox IT says the operation is "believed to be aimed at financial gain" and has probably been "a multi-million dollar business for years now."


It is thought that the people behind Ponmocup are both Russian-speaking and of Russian origin, because the instructions distributed to business partners and affiliates are written in Russian. Additionally, the botnet historically did not infect systems in certain post-Soviet countries.
