
Pony Botnet

Posted: July 9, 2013

Threat Metric

Threat Level: 8/10
Infected PCs: 1,445
First Seen: July 9, 2013
Last Seen: July 13, 2023
OS(es) Affected: Windows

The Pony botnet is a loose collection of PCs compromised by affiliated backdoor Trojans and spyware, which have been found to be so effective that, in less than a week, they already managed to steal the account login data of over half a million separate victims. The Pony botnet attacks are fairly indiscriminate about which applications they harvest their login information from, and will target most brands of Web browsers and e-mail clients – as well as including some generalized data-recording functions that aren't tied to any specific programs. To keep your own information from falling victim to theft by the Pony botnet, SpywareRemove.com malware researchers encourage all appropriate anti-malware strategies, including blocking, disabling and removing Pony botnet Trojans from your PC with suitable anti-malware software.

Why the Pony Botnet Isn't Exactly Your Little Pony

Less a means of transportation than a transfer mechanism through which criminals can steal your private information, the Pony botnet has had only a limited number of Command & Control servers confirmed thus far, but it already shows huge numbers of successful attacks, all tracked with professionally managed statistics. Currently, the Pony botnet's C&C interface is displayed in Russian, but its attacks are far too widespread (hundreds of thousands, at current estimates) to be confined to that region alone, and most likely affect the majority of the developed world, including the US, Europe, Canada and Australia.

On the victim's end, the primary component of the Pony botnet is a spyware program that includes keylogging functionality. Keyloggers record your keyboard input and transfer the data, usually as a text log, to a central server, where criminals peruse it for passwords, account numbers and other data worth plundering. Pony botnet spyware also includes many functions for targeting a broad range of popular programs, and SpywareRemove.com malware experts have put together the following list of examples:

  • FTP clients like FFFTP or TurboFTP.
  • Web browsers like Google Chrome, Internet Explorer, Firefox or Opera.
  • E-mail clients like Incredimail, Outlook and Windows Live Mail.
  • Specific websites, such as Facebook, Twitter, Yahoo and Google.

Although the Pony botnet spyware can steal other types of information, the criminals behind the Pony botnet campaign appear to be especially interested in compromising any online accounts by stealing passwords, e-mail addresses, user login names and similar data. The infection vector for the Pony botnet has yet to be identified – a fact that worries SpywareRemove.com malware experts and should worry you, as well, considering the hundreds of thousands of victims the Pony botnet already has tallied in a very short time period.

Getting a Fast Ticket Off the Pony Botnet Ride

The Pony botnet campaign is serviced by multiple C&C servers and does appear to be undergoing ongoing development – as indicated by its current version number of 1.9. As an active and non-negligible assault on your privacy and the safety of your PC, the Pony botnet should be considered a high-level PC threat, and SpywareRemove.com malware experts recommend the use of appropriate anti-malware tools for detecting or deleting Pony botnet spyware.

Trojans related to the Pony botnet may be identified by various aliases, such as a variant of PWS:Win32/Fareit, a family of password-stealing spyware that also can use your computer's resources to perform DDoS attacks. DDoS attacks, by creating floods of artificial traffic, force targeted websites to crash, and also may cause some performance issues on the infected PC itself.

Technical Details

File System Modifications


The following files were created in the system:


Registry Modifications

The following newly produced Registry Values are:

Regexp file mask:

  • %APPDATA%\hgftvcxzwsiklon.exe
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\netfile.vbe
  • %APPDATA%\netfile.exe
  • %AppData%\Pony.exe
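The file masks above use Windows environment placeholders that differ in letter case from record to record (%APPDATA% versus %AppData%), and Windows paths themselves compare case-insensitively, so a naive string comparison against a host's file inventory misses hits. The following added example (not code from this page or from its authors) expands the placeholders per host and matches the masks against a constructed sample inventory; the environment map and inventory paths are made up for illustration.

```python
import re
from typing import Dict, Iterable, List

# Pony persistence file masks as listed on this page. %VAR% placeholders are
# expanded per host; Windows resolves them case-insensitively, so we do too.
PONY_FILE_MASKS = [
    r"%APPDATA%\hgftvcxzwsiklon.exe",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\netfile.vbe",
    r"%APPDATA%\netfile.exe",
    r"%AppData%\Pony.exe",
]

_PLACEHOLDER = re.compile(r"%([^%]+)%")


def expand_mask(mask: str, env: Dict[str, str]) -> str:
    """Expand %VAR% placeholders using a case-insensitive environment map."""
    lookup = {k.upper(): v for k, v in env.items()}

    def _sub(m: "re.Match[str]") -> str:
        # Unknown placeholders are left untouched rather than silently dropped.
        return lookup.get(m.group(1).upper(), m.group(0))

    return _PLACEHOLDER.sub(_sub, mask)


def normalize(path: str) -> str:
    """Windows paths compare case-insensitively; unify separators and case."""
    return path.replace("/", "\\").rstrip("\\").casefold()


def find_pony_artifacts(file_paths: Iterable[str], env: Dict[str, str],
                        masks: List[str] = PONY_FILE_MASKS) -> List[str]:
    """Return the inventory paths that match one of the listed file masks."""
    targets = {normalize(expand_mask(m, env)) for m in masks}
    return sorted(p for p in file_paths if normalize(p) in targets)


# Constructed sample data (hypothetical host, not real telemetry).
SAMPLE_ENV = {"AppData": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_INVENTORY = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netfile.vbe",
    r"C:\Users\alice\AppData\Roaming\NETFILE.EXE",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
    r"C:\Program Files\Common Files\system\ole db\oledb32.dll",
]

if __name__ == "__main__":
    for hit in find_pony_artifacts(SAMPLE_INVENTORY, SAMPLE_ENV):
        print("Pony persistence artefact:", hit)
```

Only the four masks this page lists are matched; other Pony samples use different file names, so treat a miss as inconclusive rather than as a clean host.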