Another Big Botnet

Another Big Botnet

There is some chatter about a news item that has been released by Finjan in a blog post this morning.  The news has been picked up by Computer Weekly and USA Today. The un-named bot involved in this story is detected by ESET as Win32/Hexzone.AP.  It is a typical Trojan that reports to a command

There is some chatter about a news item that has been released by Finjan in a blog post this morning.  The news has been picked up by Computer Weekly and USA Today. The un-named bot involved in this story is detected by ESET as Win32/Hexzone.AP.  It is a typical Trojan that reports to a command

There is some chatter about a news item that has been released by Finjan in a blog post this morning.  The news has been picked up by Computer Weekly and USA Today.

The un-named bot involved in this story is detected by ESET as Win32/Hexzone.AP.  It is a typical Trojan that reports to a command and control server using the HTTP protocol.  The malware lets an attacker control your computer and do whatever he wants with it.  It can be used to send spam, launch a denial of service attack or install other malware.  The variants we have analyzed use a custom packer that makes multiple calls to graphical user interface API, probably to fool emulators and analysts into thinking they are dealing with a standard application. 

Win32/Hexzone.AP seems to be distributed from a server located in the United Kingdom.  Infected computers also communicate with a command and control server located in that same country.  Both servers use domain names that have been registered in Russia.  We have seen Win32/Hexzone.AP install RansomWare in Russian, meaning that its victims are probably from this area.

This threat has not attracted a lot of attention from our analysts because we have good generic detection for this threat.  Secondly, we have not seen a lot of activity from this Trojan on ThreatSense.  Win32/Hexzone.AP and the other variants of this family do not appear in the list  of 20 most prevalent malware.  So far, this family has only been detected about 140,000 times over the last week, which is a very small number compared to 16 million detections of malware using Autorun (INF/Autorun heuristic) or 2 million for Win32/Conficker during the same period of time.

Update: As explained below, the detection numbers quoted here shouldn’t be seen as any form of absolute infection statistic, as they simply represent instances where known malware has been flagged by our software. Apart from the usual honeytraps of various types, we also have a data collection system that receives data from some of our customers’ machines (it isn’t compulsory and it doesn’t affect performance!) and provides invaluable threat-tracking information. When we pass this on, though, we normally do so as percentages, not as raw numbers, which can be misleading. We’ll be more careful about doing that in the future: sorry for any confusion!

Pierre-Marc Bureau
Senior Researcher

Discussion