Pony botnet plunders 650,000 web logins in days, Trustwave reports

Stats pulled from C&C server

Security firm Trustwave has discovered a Russian command and control server for the Pony botnet that has managed to plunder the Web credentials of 650,000 victims in a matter of days.

The bot's purpose is to compromise the PCs of its victims, keylogging their account names and passwords, the more the merrier. It's not fussy which logins it steals either.

Using statistics from the bot controller's web interface, the firm found that it had stolen 278,000 from Firefox users, 212,000 from Chrome, and 117,000 from Internet Explorer.

It had also nabbed another 14,500 from Outlook, 1,000 from Windows Live Mail, 16,000 from Facebook, 35,000 from Yahoo, 28,000 from Google, and 12,000 from Twitter as well as logging 7,000 potentially valuable FTP accounts.

"It's a dangerous world out there; this is a single instance of a single botnet controller showing some pretty big numbers," said Trustwave's lead security researcher, Arseny Levine.

"Not knowing how these machines got infected in the first place, it's hard to say whether it was targeting specific businesses, business sizes, or if it was targeting businesses at all."

Most of the victims were in Asia, Trustwave said, with the top domains being Russia, Vietnam, Iran, India and Turkey.

Pony is a relatively unknown botnet among many others but the figures discovered by Trustwave are still impressive for a few days work. Given that this is only one controller among an unknown number, it could be a rising star among botnet.