The botnet that stole two-million passwords

Even though the potency of the botnet threat has been known for quite some time now, researchers at Trustwave’s SpiderLabs still stumbled upon some staggering information about the botnet managed by the Pony botnet controller. 

A botnet, simply, is a network of compromised computers controlled by an outside party.

Last month SpiderLabs discovered two-million stolen passwords for sites like Facebook, LinkedIn and Payroll on a server in the Netherlands, harvested by the Pony botnet. The team took control of it by replacing its command-and-control server and used the privileges to pull out some startling stats from the database.

The research group discovered that the Pony botnet they had taken over had harvested 1.58-million passwords associated with websites such as Facebook and Twitter, 320 000 for email logins such as Gmail and Yahoo, 3 000 for remote desktop login credentials, 41 000 for FTP accounts, and 3 000 Secure Shell account passwords. Even the password for the payroll provider ADP was not spared.

Phishing and keylogging
Companies running social media websites and email services are already subjected to criticism every few months, if not weeks, for their inadequate efforts to safeguard user security. Had the latest theft been a result of some newly discovered security loophole, they would have had a lot of face-saving to do and lawsuits to settle, not to mention spending their resources on a quick overhaul of their existing security protocols.

Much to the relief of the tech companies, both big and small, the researchers unanimously agree that the passwords have not been stolen from the server end, but have in fact been harvested from the infected machines themselves, most likely using keyloggers and phishing tools. Recording the keystrokes of users or redirecting them to counterfeit login pages is among the most effective ways of acquiring someone’s passwords, and that is precisely what the Pony botnet seems to have done.

The Trustwave researchers discovered that a significant number of the compromised passwords were weakly or even terribly constructed. The worst of the lot included “123456”, “1234” and “password”. Not all passwords stolen by the botnet were weak, though. Most users had constructed passwords of 6 to 9 characters, while a majority of users with relatively strong passwords had mixed numbers and letters, or lower and upper case letters. The fact that the Pony botnet still had such passwords in its database made it even more certain that keylogging software or a phishing tool had been utilised.
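The statistics above (length ranges, character-class mixing, the share of trivially weak strings) are the kind a breach-response team computes over a recovered credential dump to gauge exposure and decide who to force-reset first. The script below is an added example, not Trustwave’s tooling and not code from the article; the password list and the small dictionary of known-weak strings are constructed here for illustration.

```python
"""Summarise a recovered password dump the way a breach-analysis team would:
length buckets, how many character classes each password mixes, and how many
hits a list of known-weak strings gets. Added example; sample data constructed."""
from collections import Counter
import string

# Constructed sample dump (not data from the Pony database).
SAMPLE_DUMP = [
    "123456", "1234", "password", "Summer2013", "qwerty",
    "P@ssw0rd!", "letmein", "tr0ub4dor&3", "abc123", "Admin1",
]

# Constructed stand-in for a known-weak / commonly-cracked list.
KNOWN_WEAK = {"123456", "1234", "password", "qwerty", "letmein"}


def char_classes(password):
    """Return the set of character classes (lower, upper, digit, symbol) used."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def length_bucket(password):
    """Bucket a password by length, using the 6-9 range the article reports."""
    n = len(password)
    if n <= 5:
        return "1-5"
    if n <= 9:
        return "6-9"
    if n <= 15:
        return "10-15"
    return "16+"


def summarize(passwords):
    """Aggregate counts a responder would report before forcing resets."""
    lengths = Counter(length_bucket(p) for p in passwords)
    class_mix = Counter(len(char_classes(p)) for p in passwords)
    weak_hits = sum(1 for p in passwords if p.lower() in KNOWN_WEAK)
    return {
        "total": len(passwords),
        "lengths": dict(lengths),          # e.g. {"6-9": 7, ...}
        "class_counts": dict(class_mix),   # number of classes -> count
        "known_weak": weak_hits,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

A single-class, short, dictionary-listed password would be reset first; a password mixing three or four classes still in the dump is the signal the researchers used to conclude that keylogging or phishing, rather than a server-side breach, was the source.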

The implications of stolen passwords
Losing personal or sensitive information to a third party can be dangerous and costly under any circumstances. In the case of the Pony botnet, passwords for pretty much every social media website and service have been stolen. Cybercriminals can use the personal information from the users’ social media and email accounts not only to deal financial losses to them, but also to blackmail them or their loved ones.

Some users have been identified as high-profile users due to their profession or access to sensitive data. Stealing their passwords, pulling the sensitive information from their accounts and then selling it to their competitors or in the black-market can be of immense value to the cybercriminals and highly detrimental to the target and their interests. Stealing the password of the payroll services accounts also has direct financial implications.

Some of the online services, such as Facebook and LinkedIn, have already begun resetting the login credentials, clearly aware of the implications that the Pony botnet and its database of stolen passwords can have. Other tech companies providing online services are also expected to follow suit soon instead of leaving their users at the mercy of cybercriminals.

Natalia David blogs at Mobistealth and writes about developments and trends in the tech world.
