ESET Threat Blog


Hexzone – FUD for Thought?


Sunday, April 26th, 2009

In a comment to a previous post, Finjan have confirmed that Win32/Hexzone.AP is just one of the malicious programs downloaded to machines infected by the unnamed bot behind the 1.9 million PC botnet they reported: it isn’t the bot itself. While I think we’d pretty much established that (especially after some very useful input from Atif Mushtaq), I appreciate that confirmation, given the previous confusion from reporting that suggested otherwise: for instance The Register said "Yuval Ben-Itzhak, chief technology officer at Finjan, said the malware that created the botnet used a variety of Internet Explorer, Firefox and PDF vulnerabilities to spread. He added that only four out of 39 anti-virus scanners detected the malware."

Finjan have also observed that "The 1.9M number is very accurate." Well, I’m not in a position to confirm or refute that, but I’ve no reason to doubt it: it’s not a uniquely large number, by any means. If Hexzone isn’t the primary infector, that explains the disparity between sources.

Hopefully Finjan will be in a position to share more information about the primary malware at some point. At the very least, it would be nice to know if this is something that’s already widely detected.

Unfortunately, someone at Finjan also seems to be under the impression that I’ve accused them of spreading FUD (Fear, Uncertainty, Doubt). I don’t know where that quote comes from, but it wasn’t me, guys. This isn’t that sort of a blog, and I save my sarcasm for deserving cases like Mikeyy: I don’t deploy it against responsible members of the security community.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

A little more Hexzone


Friday, April 24th, 2009

Firstly, here’s a little extra information from our lab in Slovakia.

They report that the variants they have analyzed use a custom packer that makes multiple calls to the graphical user interface API (Application Programming Interface), presumably in order to fool emulators and analysts into thinking they are dealing with a standard application. The Hexzone family has been with us for quite a while, and over that time ESET has developed a pretty effective generic detection algorithm for existing and new variants: hence the fact that our scanners were one of the few to detect Win32/Hexzone.AP proactively at the time Finjan first made their announcement.

However, as we’ve previously mentioned, our threat tracking system ThreatSense.Net® doesn’t suggest that Hexzone is responsible all by itself for the 1.9 million botnet that Finjan claim to have seen.

Atif Mushtaq, whom we cited at length in a later blog, has also made a convincing case in his responses to the first blog that "Hexzone along with other trojan like Win32.AutoIt seems only the secondary download." He also talked with representatives of Finjan at RSA, but they were unwilling or unable to tell him the name of the original bot that downloaded the other malware associated with this incident, claiming that they couldn’t do so because they were working with law enforcement agencies.

In the meantime, Russian readers may be interested to know (as we’ve learned from Richard Wang of Sophos) that Dr. Web have produced a tool that can work out the unlock code generated by ransomware also associated with this group of threats.


Hexzone Hotzone


Thursday, April 23rd, 2009

Some more information on the Hexzone botnet has come my way, mostly from FireEye’s Atif Mushtaq and Paul Ferguson’s hairdresser (don’t ask!).

Atif also mentions the association with ransomware: the malware is installed as a Browser Helper Object (BHO) on the victim’s machine, and hijacks browsing sessions, taking the victim to a page hosting pornography. The victim is instructed to send an SMS (text) message. The attacker’s "ransom" is the amount withdrawn from the sender’s balance and transferred to the owner of the number it references, in order to remove the pornographic content.
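Because the hijacking component described above is loaded as a Browser Helper Object, the practical check on a suspect Windows machine is to list every registered BHO and see which DLL each one actually loads. The PowerShell below is an added example written for this post, not ESET's tooling or anything from Atif's analysis; it assumes only the standard BHO registration key and the usual CLSID/InprocServer32 layout, and that it is run on the host being examined with rights to read HKLM.

```powershell
# Added example (not from the ESET post): enumerate Browser Helper Objects
# registered on this Windows host, resolve each CLSID to the in-process DLL
# Internet Explorer will load, and check that DLL's Authenticode signature.
# Assumed layout: the standard BHO key (plus its Wow6432Node twin) and
# HKLM\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32 holding the DLL path.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll = $null
            $name = $null
            # Resolve the CLSID to the DLL path; the default value may contain
            # environment variables and surrounding quotes, so normalise both.
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path -Path $root -ChildPath "$clsid\InprocServer32"
                if (Test-Path -Path $inproc) {
                    $raw  = (Get-ItemProperty -Path $inproc).'(default)'
                    $dll  = [Environment]::ExpandEnvironmentVariables(($raw -replace '"', ''))
                    $name = (Get-ItemProperty -Path (Join-Path -Path $root -ChildPath $clsid)).'(default)'
                    break
                }
            }
            $sig = if ($dll -and (Test-Path -Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                'FileMissing'
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                Signature = $sig
                Hive      = $key
            }
        }
    }
}

# Surface the entries worth a closer look: anything without a valid signature,
# or whose DLL lives somewhere other than Program Files (user-profile and temp
# directories are the usual home of a dropped BHO).
Get-RegisteredBho |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Dll -notmatch '^[A-Za-z]:\\Program Files' } |
    Format-Table -AutoSize
```

An empty result does not prove the machine is clean, since a BHO can be registered under HKCU as well and a validly signed DLL can still be malicious; but an unsigned DLL in a profile or temp directory that the browser loads on every start is exactly the kind of artefact this family leaves behind, and it is a cheap first check before pulling the file for analysis.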

However, Pierre-Marc has also sent me a screenshot which is similar to another version, which attempts to lock the desktop. The ransom mechanism is similar, however: the victim is instructed to send a text message to the number given, then enter the code that’s returned to them.

While all the examples I’ve seen so far have been in Russian, Atif notes that there seem to be equivalent SMS short codes or room numbers for other countries including Ukraine, Kazakhstan and Germany.

As Pierre-Marc has already noted, the C&C (Command and Control) server is registered to an address in Watford, in the UK. However, the registrant appeared to believe that Watford is in London… The server hosts a number of other domains owned by someone with a very Russian name.

Perhaps the most interesting part of Atif’s very informative blog is that he offers a possible explanation as to the disparity between Finjan’s estimate of the size of the botnet and the observations of ourselves and FireEye, suggesting a much less dramatic size and rate of spread. It looks as if URLs listed in Finjan’s articles include C&C servers for botnets associated with other malware. This suggests that the count includes zombies from a number of other botnets, grouped together because a central management system is being used to control them all. This makes sense: a similar hierarchical structure is used by a number of better-known botnets such as Rustock, and I’ve believed for a while that the one-named-bot-per-botnet model is becoming almost as misleading as the one-name-per-variant model.

Don’t panic: the sky isn’t falling. But the Win32/Hexzone approach does show a continuing trend among cyber-criminals towards stealing small sums from lots of people as alternatives to high-profile, high-intensity attacks on big companies and sites. One of the advantages of this approach is that it’s less likely to attract the attention of law-enforcement agencies, who usually have to focus mostly on incidents where large sums are involved.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence