03-25-2025, 07:47 PM
Elusive
Banned
Join Date: Jun 2023
Posts: 1
Pony 2.2 builds
Panel & Builder available
Contact via Jabber
https://anonimag.es/image/JT9hAOH
https://anonimag.es/image/JT9hAOY
https://anonimag.es/image/JT9hAOK
Code:
Password collection system "Pony"
Purpose and objectives of the project
Collect FTP / HTTP passwords from 132+ popular FTP clients and web browsers on infected computers
Collect e-mail passwords (POP3, IMAP, SMTP)
Collect certificates used for signing executables and drivers
Collect RDP (Remote Desktop Connection) passwords
The application works silently for the user
The grabber does a minimum amount of work and spends a minimum of time on the infected computer
General information
The project is divided into 3 parts:
Client "Pony.exe" - the program that is loaded onto computers; it collects passwords and sends them to the server.
Builder (PonyBuilder.exe) - a set of programs for creating the client build "Pony.exe". The build is assembled automatically with the masm32 compiler, which is included in the kit.
A set of server-side PHP scripts - the admin panel as well as the gate script (gate.php) to which passwords are sent.
An unconventional approach is used to collect passwords
When the client "Pony.exe" runs, it automatically gathers the passwords and the data needed to decrypt them from files into special containers called "reports", which are then transferred in encrypted form to the server, where they are processed. Each report can contain tens or even hundreds of passwords and other auxiliary information.
In fact, "Pony.exe" contains no decryption algorithms at all, only simple functions for reading data from files and the registry.
All the work of decrypting passwords is done by the web server. This is not a resource-consuming operation, since most of the algorithms are trivial; on average the server spends less than 10ms (0.01 seconds) processing a report with passwords.
Positive aspects of this approach:
The minimum size of the loaded file "Pony.exe"
Minimum running time on the infected computer, on average not exceeding 1 second
If an FTP client updates only its encryption algorithm but stores the password files as before, which is typical of most popular FTP clients, there is no need to re-create and rebuild the loaded file; it is enough to make the corresponding modifications in the PHP script
No chance of making a mistake in the password decryption algorithm and losing FTPs: reports on the server can be processed again after the bug is corrected
Negative:
A fully set up web server is needed to decrypt passwords, with some specific requirements
Increased traffic to the server; to address this, the ability to pack reports has been added
Web server requirements
Apache / nginx
PHP 5.2+
MySQL
Required PHP extensions
zlib - library for compressing / decompressing data with the deflate method
libxml - library for faster processing of XML files
mysql - extension for working with the MySQL database
mhash - library of hash algorithms (included in the main PHP build from 5.3+)
mcrypt - library of encryption algorithms
gmp - math library for working with large numbers
iconv, mbstring - extensions for converting multibyte (UTF-8, ...) strings
gd - graphics library used for plotting charts
curl - extension for networking
pcre - library of algorithms for working with regular expressions
json - library for decoding JSON strings
zip - library for working with zip archives
Optional PHP extensions
sqlite3 - required either as a class (PHP 5.3+) or as a PDO driver (PHP 5.2+), otherwise some of the passwords will not be decrypted
The set of server-side scripts is not tied to the root folder and can be moved to any location convenient for you. In the working directory it is necessary to create the directory "temp" and give it read, write and execute permissions (chmod 777). The name of the "temp" folder can be overridden in the configuration file "config.php".
PHP build example:
Configure Command: './configure' '--enable-mbstring=all' '--with-zlib' '--with-iconv' '--with-gd' '--with-curl' '--with-pcre-regex' '--with-gmp' '--with-mhash' '--with-mcrypt' '--with-mysql' '--with-libxml-dir' '--prefix=/opt/php' '--with-sqlite3' '--with-freetype-dir' '--enable-gd-native-ttf' '--with-png-dir' '--with-jpeg-dir' '--enable-zip'
The server part (admin panel)
Contents of the delivery:
File "config.php" - contains the basic settings required for the correct operation of the PHP admin scripts. Inside the file you need to enter the MySQL server parameters, choose a password for decrypting reports, and specify a folder for temporary files.
File "setup.php" - automatic installation script; it must be run for the initial setup of the admin panel and can then be removed. This script creates the necessary MySQL tables and sets the administrator username and password. Before running "setup.php" you should set the MySQL server parameters in the file "config.php". To repeat the automatic setup of the panel, you must first remove all tables with the prefix "pony_" from the MySQL database.
File "gate.php" - the gate script, which receives reports with passwords from "Pony.exe".
File "admin.php" - the main control script of the admin panel.
Folder "temp" - folder for temporary files and Smarty templates; you need to set read, write and execute permissions on it (chmod 777).
Folder "includes" - a set of supporting files.
Admin panel options
Home - general information about the current server operation.
FTP list - here you can download or clear the lists of received FTP / SFTP accounts.
HTTP list - here you can download or clear the lists of received HTTP / HTTPS accounts.
Other - here you can download or clear the lists of received certificates, RDP and e-mail accounts.
Statistics - the current statistics on the collected data; please note that clearing the FTP list / reports resets the statistics.
Domains - on this page you can add backup grabber domains for an operational availability check.
Logs - here you can view critical errors and server notifications.
Reports - the list of current records (reports) with passwords.
Management - server settings and account management.
Help - help file.
Exit - exit the admin panel.
Separation of admin panel user rights
Users are divided into two types:
Administrator (admin) - can do everything: delete / add users, change server settings (report encryption password), change the privileges / passwords of other users, clear the password lists. There can be only one administrator.
User (user) - depending on the privilege, can either only view the data (user_view_only) or view and clear the FTP / SFTP lists / reports / logs (user_all). Can change their own password. The user does not see the additional functionality that is available only to the administrator.
Additional information
Each received report contains additional information:
OS - version of the Windows operating system.
IP - the IP address of the sender.
HWID - a unique user ID that does not change over time. By this ID you can find all records from a specific computer.
Privileges - the rights (User / Admin) with which the "Pony.exe" process was launched.
Architecture - the microprocessor architecture (x86 / x64) on which the "Pony.exe" process was launched.
Version - the version of the client "Pony.exe".
Clearing the list of reports and the FTP / SFTP list resets the statistics (charts and text data).
Identical password records are not imported into the database; if a duplicate is received, a notification appears in the logs.
Importing password records through "gate.php" takes place in two stages:
The received report is imported into the MySQL database. Only after a successful import into the database does the gate return a positive response to the client "Pony.exe", to prevent it from sending the passwords to the following (reserve) domains.
The report is processed (parsed), the FTP results are added to the database, and the report's status is set to "processed".
If a report has the status "not processed", it means the server was overloaded (the maximum script execution time was exceeded) or the parsing script crashed with a critical error. In any case, the report will not be lost.
If the system is used by several users, they must log in under different accounts, otherwise the login window will constantly pop up.
After clearing the lists, the data in the MySQL database is not always physically removed (especially logs), so you should periodically run table optimization (compression).
Optimization (compression) of MySQL tables is best carried out when there is no heavy load on the database, i.e. when the client "Pony.exe" is not actively sending passwords.
Builder "PonyBuilder.exe"
The task of the builder is to configure and compile the client "Pony.exe", which is then loaded onto infected computers.
Contents of the delivery:
Folder "masm32" - the Microsoft Macro Assembler (MASM) compiler.
Folder "PonySrc" - the MASM source code of the client program (grabber) "Pony.exe".
Folder "BuilderSrc" - the Delphi 7 source code of the supporting builder program "PonyBuilder.exe".
File "PonyBuilder.exe" - the builder program for the client "Pony.exe".
File "help.txt" - help file.
File "build.bat" - the script the builder uses to compile the build from the "PonySrc" source.
File "Pony.ico" - the icon attached to "Pony.exe" during compilation if the corresponding option is selected in the builder.
The interface is divided into four tabs:
Builder
Text field "Domain list for sending passwords" - here you can enter a list of gate URLs to which passwords are sent. Each line is a separate URL, for example: http://somedomain.com/dir/gate.php . You can add an unlimited number of lines (URLs); the same URL can be added several times. A domain can include the connection port, for example: http://privatedomain.com:8080/gate.php . The https:// protocol is not currently supported.
"Pony.exe" will try to connect and send the report with passwords to the URLs on the list; if the data is delivered successfully, the program exits immediately without attempting to connect to the remaining URLs.
The "Select icon" button allows you to set an icon for the output file; only the *.ico format is supported.
The "Start build" button compiles the file "Pony.exe" with the specified settings.
Loader
A simple loader (file downloader). After collecting passwords, the files at these links (URLs) are downloaded and run. URLs are specified in the same way as the list of domains for sending passwords. In the lower part of the tab you can specify the following options:
Activate loader - enables the loader; otherwise files will not be downloaded.
Do not run the same files twice - after a downloaded file is launched successfully, a control value (hash) of the file's data is added to the registry, and on subsequent downloads a duplicate will not be launched.
Settings
To see all the settings, you need to activate the option "Show advanced settings" in the main menu.
Compress - compress reports using the aPLib library; this adds about 5kb to the size of the executable file. The text data packs well before sending, so it is strongly recommended to use this option; it greatly reduces traffic to the server.
Encrypt - encrypt reports with the RC4 algorithm.
Encryption password - the password with which reports are encrypted; the same password must be set in the server settings.
Save reports to disk (for debugging) - when "Pony.exe" is started, after the passwords have been collected, a file "out.bin" is created in the same folder from which the executable was run; this is the container with passwords in the form in which it is sent to the server for further processing (decryption).
Notify about empty reports (for statistics) - normally, if no passwords are found, the client "Pony.exe" sends nothing to the server, but it is sometimes useful to enable this option to get statistics on the number of successful launches of "Pony.exe".
Debug mode - removes the exception interceptor; use only for debugging purposes.
Send only new reports - if this option is not activated, duplicate password records will not be sent.
Self-deletion - the launched "Pony.exe" file will be deleted after it finishes its work.
Add icon - attach the selected icon to the file being compiled.
Pack build with UPX - compress the executable "Pony.exe" after compilation.
Number of attempts to send the report - how many times to try to send a report when transmission fails; it is recommended to specify at least two attempts.
Build option:
Exe file - a normal Windows executable (*.exe)
Dll file - a build in the form of a .dll library. It is completely self-contained; you only need to call the LoadLibrary() API function from your project, i.e. the URLs for sending passwords and all settings are sewn into the .dll file itself. The folder DllTest contains a simple usage example for testing: the Pony.dll file must be placed in the same folder, then DllTest.exe is run, which in turn calls LoadLibrary() on the .dll library.
In the list "Available decryption modules" you can exclude unnecessary password decoders from the build; this reduces the size of the build.
Skin
On this tab you can choose your favorite builder skin.
Starting the builder from the command line
The builder accepts the following command-line arguments:
-PACK_REPORT - compress reports
-ENCRYPT_REPORT - encrypt reports; if an encryption password is not specified, the default "Mesoamerica" will be used
-REPORT_PASSWORD= - encryption password, for example: -REPORT_PASSWORD=Mesoamerica
-SAVE_REPORT - save reports to disk (for debugging)
-ENABLE_DEBUG_MODE - debug mode
-SEND_MODIFIED_ONLY - send only new reports
-SELF_DELETE - activate self-deletion
-SEND_EMPTY_REPORTS - send empty reports
-ADD_ICON - attach the icon from Pony.ico to the file
-UPX - pack the build with UPX
-DOMAIN_LIST= - list of domains, each domain separated by the special character \n, for example: -DOMAIN_LIST=http://host.com/gate.php\nhttp://host2.com/x/gate.php
-LOADER_LIST= - list of URLs for the loader (activated automatically if a URL is given); URLs are separated in the same way as in DOMAIN_LIST
-LOADER_EXECUTE_NEW_FILES_ONLY - do not run the same file twice
-DISABLE_MODULE= - exclude a specific decryption module from the build (all module names can be seen in the file PonySrc\FTPClients.asm), for example: -DISABLE_MODULE=MODULE_OPERA
-DLL_MODE - build in the form of a Dll library
-COLLECT_HTTP - additionally collect HTTP / HTTPS passwords
-COLLECT_EMAIL - additionally collect e-mail passwords
-UPLOAD_RETRIES=N - the number (N) of attempts to send a report; if no value is specified, 2 attempts are used by default
Client "Pony.exe"
The task of "Pony.exe" is to collect passwords from the computer and send them to the server for processing.
It works on all versions of Windows starting from Win98, including server versions. It works in x86 and x64 mode. The program works normally whether launched as administrator or as a regular user.
Before distribution it is desirable to pack and crypt the file.
Instant decryption of stored passwords is implemented for the following programs:
System Info
FAR Manager
Total Commander
WS_FTP
CuteFTP
FlashFXP
FileZilla
FTP Commander
BulletProof FTP
SmartFTP
TurboFTP
FFFTP
CoffeeCup FTP / Sitemapper
CoreFTP
FTP Explorer
Frigate3 FTP
SecureFX
UltraFXP
FTPRush
WebSitePublisher
BitKinex
ExpanDrive
ClassicFTP
Fling
SoftX
Directory Opus
FreeFTP / DirectFTP
LeapFTP
WinSCP
32bit FTP
NetDrive
WebDrive
FTP Control
Opera
WiseFTP
FTP Voyager
Firefox
FireFTP
SeaMonkey
Flock
Mozilla
LeechFTP
Odin Secure FTP Expert
WinFTP
FTP Surfer
FTPGetter
ALFTP
Internet Explorer
Dreamweaver
DeluxeFTP
Google Chrome
Chromium / SRWare Iron
ChromePlus
Bromium (Yandex Chrome)
Nichrome
Comodo Dragon
RockMelt
K-Meleon
Epic
Staff-FTP
AceFTP
Global Downloader
FreshFTP
BlazeFTP
NETFile
GoFTP
3D-FTP
Easy FTP
Xftp
FTP Now
Robo-FTP
LinasFTP
Cyberduck
PuTTY
Notepad++
CoffeeCup Visual Site Designer
FTPShell
FTPInfo
NexusFile
FastStone Browser
CoolNovo
WinZip
Yandex.Internet / Ya.Browser
MyFTP
sherrod FTP
NovaFTP
Windows Mail
Windows Live Mail
Becky!
Pocomail
IncrediMail
The Bat!
Outlook
Thunderbird
FastTrackFTP
Bitcoin
Electrum
MultiBit
FTP Disk
Litecoin
Namecoin
Terracoin
Bitcoin Armory
PPCoin (Peercoin)
Primecoin
Feathercoin
NovaCoin
Freicoin
Devcoin
Frankocoin
ProtoShares
MegaCoin
Quarkcoin
Worldcoin
Infinitecoin
Ixcoin
Anoncoin
BBQcoin
Digitalcoin
Mincoin
Goldcoin
Yacoin
Zetacoin
Fastcoin
I0coin
Tagcoin
Bytecoin
Florincoin
Phoenixcoin
Luckycoin
Craftcoin
Junkcoin