Firstly, here’s a little extra information from our lab in Slovakia.
They report that the variants they have analyzed use a custom packer that makes multiple calls to the graphical user interface API (Application Programming Interface, presumably in order to fool emulators and analysts into thinking they are dealing with a standard application. The Hexzone family has been with us for quite a while, and ESET has developed over that time a pretty effective generic detection algorithm for existing and new variants: hence the fact that our scanners were one of the few to detect Win32/Hexzone.AP proactively at the time Finjan first made their announcement.
However, as we’ve previously mentioned, our threat tracking system ThreatSense.Net® doesn’t suggest that Hexzone is responsible all by itself for the 1.9 million botnet that Finjan claim to have seen.
Atif Mushtaq, whom we cited at length in a later blog, has also made a convincing case in his responses to the first blog that "Hexzone along with other trojan like Win32.AutoIt seems only the secondary download." He also talked with representatives of Finjan at RSA, but they were unwilling or unable to tell him the name of the original bot that downloaded the other malware associated with this incident, claiming that they couldn’t do so because they were working with law enforcement agencies.
In the meantime, Russian readers may be interested to know that (as we’ve learned from Richard Wang of Sophos) that Dr. Web have produced a tool that can work out the unlock code generated by ransomware also associated with this group of threats.
Author David Harley, ESET