Some more information on the Hexzone botnet has come my way, mostly from FireEye’s Atif Mushtaq and Paul Ferguson’s hairdresser (don’t ask!).
Atif also mentions the association with ransomware: the malware is installed as a Browser Helper Object (BHO) on the victim’s machine, and hijacks browsing sessions, taking the victim to a page hosting pornography. The victim is instructed to send an SMS (text) message. The attacker’s "ransom" is the amount withdrawn from the sender’s balance and transferred to the owner of the number it references, in order to remove the pornographic content.
However, Pierre-Marc has also sent me a screenshot which is similar to another version, which attempts to lock the desktop. The ransom mechanism is similar, however: the victim is instructed to send a text message to the number given, then enter the code that’s returned to them.
While all the examples I’ve seen so far have been in Russian, Atif notes that there seem to be equivalent SMS short codes or room numbers for other countries including Ukraine, Kazakhstan and Germany.
As Pierre-Marc has already noted, the C&C (Command and Control) server is registered to an address in Watford, in the UK. However, the registrant appeared to believe that Watford is in London… The server hosts a number of other domains owned by someone with a very Russian name.
Perhaps the most interesting part of Atif’s very informative blog is that he offers a possible explanation as to the disparity between Finjan’s estimate of the size of the botnet and the observations of ourselves and FireEye, suggesting a much less dramatic size and rate of spread. It looks as if URLs listed in Finjan’s articles include C&C servers for botnets associated with other malware. This suggests that the count includes zombies from a number of other botnets, grouped together because a central management system is being used to control them all. This makes sense: a similar hierarchical structure is used by a number of better-known botnets such as Rustock, and I’ve believed for a while that the one-named-bot-per-botnet model is becoming almost as misleading as the one-name-per-variant model.
Don’t panic: the sky isn’t falling. But the Win32/Hexzone approach does show a continuing trend among cyber-criminals towards stealing small sums from lots of people as alternatives to high-profile, high-intensity attacks on big companies and sites. One of the advantages of this approach is that it’s less likely to attract the attention of law-enforcement agencies, who usually have to focus mostly on incidents where large sums are involved.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, We Live Security