Another Big Botnet

There is some chatter about a news item released by Finjan in a blog post this morning. The story has been picked up by Computer Weekly and USA Today.

The unnamed bot involved in this story is detected by ESET as Win32/Hexzone.AP. It is a typical Trojan that reports to a command and control server over HTTP. The malware lets an attacker control the infected computer and do whatever he wants with it: send spam, launch a denial of service attack or install other malware. The variants we have analyzed use a custom packer that makes multiple calls to graphical user interface APIs, probably to fool emulators and analysts into thinking they are dealing with a standard application.

Win32/Hexzone.AP seems to be distributed from a server located in the United Kingdom. Infected computers also communicate with a command and control server located in that same country. Both servers use domain names that have been registered in Russia. We have seen Win32/Hexzone.AP install ransomware written in Russian, which suggests that its victims are probably in that region.

This threat has not attracted a lot of attention from our analysts, for two reasons. First, we already have good generic detection for it. Second, we have not seen a lot of activity from this Trojan on ThreatSense: Win32/Hexzone.AP and the other variants of this family do not appear in our list of the 20 most prevalent malware. So far, this family has only been detected about 140,000 times over the last week, a very small number compared to the 16 million detections of malware using Autorun (INF/Autorun heuristic) or the 2 million for Win32/Conficker during the same period.

Update: As explained below, the detection numbers quoted here shouldn’t be seen as any form of absolute infection statistic, as they simply represent instances where known malware has been flagged by our software. Apart from the usual honeytraps of various types, we also have a data collection system that receives data from some of our customers’ machines (it isn’t compulsory and it doesn’t affect performance!) and provides invaluable threat-tracking information. When we pass this on, though, we normally do so as percentages, not as raw numbers, which can be misleading. We’ll be more careful about doing that in the future: sorry for any confusion!

Pierre-Marc Bureau
Senior Researcher


  • gh

    The entire Internet in Russia these banners

    detected about 140,000

    missed millions

    • That 140,000 doesn’t refer to the total number of Hexzone-infected machines. It refers to the number of attempts to infect machines protected by ESET products. ESET users can opt to allow the software to “call home” when it recognizes malware. In other words, these figures provide some indication of how active a given malicious program is compared to other malicious code, not overall figures. In this case, they simply suggest that Hexzone is out there in far lower volumes than some of our other detections.

      If you check out, you’ll find a likely explanation for the disparity between the dramatic size and rate of spread figures suggested by Finjan compared to the impact that we and others are seeing.

  • henk diemer

    Hi Pierre,

    Can you point me to that list of 20 most prevalent malware?
    ( I think it is not this

    And how reliable is that as I am curious of course if this list is relevant or not for me and how to interpret this.
    Others catch more than the 34 you seem to list above BTW)

    Henk Diemer (CISSP, CISM)

    • Hi, Henk. Virus Radar only measures email-borne malware, and doesn’t generally include malware found on malicious web sites referenced by malicious messages. Malicious attachments have been decreasing dramatically in volume for years now, and very little new malware is disseminated that way. Also, the page you’re looking at is only showing the email-borne malware flagged over the last 24 hours: it doesn’t represent in any way the totality of what we detect.

      I’m afraid the resource Pierre was referring to isn’t publicly available in real time, though we do use the figures – as percentages and indicators, not absolute figures – in our monthly/annual/semi-annual reports. That’s partly because it is very easy for people to misinterpret.

  • Thanks for your comments gh and Henk.

    I have to clarify the situation regarding the number of detections I included in my previous blog post. It appears to bring more confusion than valuable information to our readers.

    Instead of the total number of detections, I should have used the detection ratio. For the Win32/Hexzone family, this ratio is 0.1%, which is very small compared to Conficker, which receives almost 20%.

  • I think we are misreading Finjan’s article here. Here is what Finjan said:

    “This command instructs the bot on the infected computers to download and execute a Trojan horse. As indicated on the VirusTotal report below, only 4 out of 39 Anti-Virus products detected this Trojan.” // Hexzone

    They did not give any detail about the parent dropper (the unnamed botnet of size 1.9 million) which downloaded Hexzone. It’s so confusing that everyone started thinking of this botnet as Hexzone… Hexzone, along with other trojans like Win32.AutoIt, seems to be only a secondary download.

    • Thanks for that. Yes, I think that’s probably a more accurate way of looking at it.

  • Today, I visited RSA and got a chance to talk to Finjan’s representatives there. I talked to them about the same confusion, but they refused to comment on this topic, saying that they are working with law enforcement agencies so they cannot reveal more information at this moment. When I asked them to at least tell me the name of this mysterious botnet, they said they had already mentioned the botnet name in their article… I said I was asking about the malware which downloaded Hexzone, not Hexzone itself as stated by you guys…

    The guy there thought for a second and said again:
    We are working with law enforcement agencies, so we cannot release more information at this time :)

    I am relieved now; I am not the only one who is confused here… ;)

  • jcanto

    this situation indeed deserves the holy trinity of acronyms

    • I couldn’t possibly comment. Though according to Finjan I already have. ;-)

Copyright © 2017 ESET, All Rights Reserved.