/foxit-whitepaper_ponmocup_1_1.pdf

  • Ponmocup, one of the biggest active botnets

    Discovered in 2006, it has been operational for nine years now. It is actively in use and under continuous development, and is believed to be operated for financial gain. It is a malware framework written in C++ that uses encryption to hide its operations.

    The initial distribution method was fake codec packs and fake Flash players. Later on, the operators developed their own distribution method, known as Zuponcic.

    http://blog.fox-it.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows

    Ponmocup’s operators are technically sophisticated: their techniques suggest a deeper-than-average knowledge of the Windows operating system. On top of that, the operators have close to 10 years of experience with malware development. Their framework was developed over time, quality tested and then improved in order to increase robustness and reduce the likelihood of discovery.

    The operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that historically, Ponmocup would not infect systems in some post-Soviet States.

    A very detailed whitepaper describes how the botnet operates:
    https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf
    (backup link: http://docdro.id/iSMmgrX)

    This infection vector relies on social engineering or outdated Java software in order to execute a Java applet. These applets are typically run in a sandbox, in order to prevent them from touching the file system, so to drop the Ponmocup installer on a victim’s machine this Java applet has to escape the sandbox. Ponmocup successfully does so because the Java applet is signed with a valid certificate, stolen from a legitimate organization. Older versions of Java (pre-dating Java 7 Update 21, to be specific), which blindly trust certificates issued by authorities, will run this applet outside of the sandbox without even asking for the user’s permission.
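    The triage script below is an added example, not code from the Fox-IT whitepaper or from the Ponmocup framework. It shows what a responder can read off an applet JAR before the class files are ever loaded: whether the JAR carries a signature (a *.SF file plus an *.RSA/*.DSA/*.EC signature block under META-INF/), who the signer file is named after, and whether the manifest declares a Permissions attribute (later Java 7 updates made signed applets state "all-permissions" or "sandbox" explicitly; the legacy applets described above predate that and rely on the CA-issued certificate alone). The sample JAR, the signer name SIGNER, the Loader.class entry and the placeholder digests and signature block are all constructed for the example and verify nothing.

```python
import io
import re
import zipfile

# JAR signing leaves three artefacts under META-INF/: the manifest, one
# signature file (*.SF) per signer and a PKCS#7 signature block (*.RSA, *.DSA
# or *.EC) that carries the signer's certificate chain.
SIG_BLOCK_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)


def parse_manifest(text):
    """Return the main section of a JAR manifest as a dict.

    Manifest lines are limited to 72 bytes; longer values continue on the next
    line with a single leading space, so continuation lines are joined back
    onto the previous attribute. The main section ends at the first blank
    line; per-entry sections (Name: ...) follow it and are ignored here.
    """
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if line == "":
            break
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def triage_jar(jar_bytes):
    """Summarise what an applet JAR asks for, without executing anything."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(
                jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        # Signer names are derived from the signature block file names.
        signers = sorted(n[len("META-INF/"):].rsplit(".", 1)[0]
                         for n in names if SIG_BLOCK_RE.match(n))
    permissions = manifest.get("Permissions")
    signed = bool(signers)
    if not signed:
        verdict = "unsigned: runs inside the applet sandbox"
    elif permissions is None:
        # The legacy case from the text: trust is decided by the certificate
        # alone, and pre-7u21 Java grants full permissions without a prompt.
        verdict = ("signed, no Permissions attribute: trust rests on the "
                   "signing certificate alone; verify the signer")
    elif permissions.lower() == "all-permissions":
        verdict = ("signed and declares all-permissions: full trust "
                   "requested from the signer certificate")
    else:
        verdict = "signed but declares Permissions: %s" % permissions
    return {"signed": signed, "signers": signers, "permissions": permissions,
            "codebase": manifest.get("Codebase"), "verdict": verdict}


def build_sample_jar(permissions=None, signed=True):
    """Constructed sample JAR (not a real Ponmocup artefact): class bytes,
    digests and the signature block are placeholders and verify nothing."""
    manifest = ["Manifest-Version: 1.0", "Created-By: 1.6.0_45 (constructed)"]
    if permissions is not None:
        manifest.append("Permissions: " + permissions)
    manifest += ["", "Name: Loader.class",
                 "SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest))
        if signed:
            jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n"
                         "SHA1-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n")
            jar.writestr("META-INF/SIGNER.RSA", b"\x30\x82\x00\x00placeholder")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("legacy signed", build_sample_jar()),
                          ("all-permissions", build_sample_jar("all-permissions")),
                          ("unsigned", build_sample_jar(signed=False))]:
        print(label, "->", triage_jar(sample)["verdict"])
```

    On a real sample, follow the triage with `jarsigner -verify -verbose -certs sample.jar` to print the signer's certificate chain, and compare the subject against the site the applet claims to belong to: the certificate being valid is exactly what Ponmocup relies on, so the question is whether the named organization would plausibly ship this code.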

    #botnet
    #Ponmocup #Vundo #Virtumonde #Zuponcic
    #malware