Hexzone Hotzone

Some more information on the Hexzone botnet has come my way, mostly from FireEye’s Atif Mushtaq and Paul Ferguson’s hairdresser (don’t ask!).

Atif also mentions the association with ransomware: the malware is installed as a Browser Helper Object (BHO) on the victim’s machine, and hijacks browsing sessions, taking the victim to a page hosting pornography. The victim is instructed to send an SMS (text) message. The attacker’s "ransom" is the amount withdrawn  from the sender’s balance and transferred to the owner of the number it references, in order to remove the pornographic content.

However, Pierre-Marc has also sent me a screenshot which is similar to another version, which attempts to lock the desktop. The ransom mechanism is similar, however: the victim is instructed to send a text message to the number given, then enter the code that’s returned to them.

While all the examples I’ve seen so far have been in Russian, Atif notes that there seem to be equivalent SMS short codes or room numbers for other countries including Ukraine, Kazakhstan and Germany.

As Pierre-Marc has already noted, the C&C (Command and Control) server is registered to an address in Watford, in the UK. However, the registrant appeared to believe that Watford is in London… The server hosts a number of other domains owned by someone with a very Russian name.

Perhaps the most interesting part of Atif’s very informative blog is that he offers a possible explanation as to the disparity between Finjan’s estimate of the size of the botnet and the observations of ourselves and FireEye, suggesting a much less dramatic size and rate of spread. It looks as if URLs listed in Finjan’s articles include C&C servers for botnets associated with other malware. This suggests that the count includes zombies from a number of other botnets, grouped together because a central management system is being used to control them all. This makes sense: a similar hierarchical structure is used by a number of better-known botnets such as Rustock, and I’ve believed for a while that the one-named-bot-per-botnet model is becoming almost as misleading as the one-name-per-variant model.

Don’t panic: the sky isn’t falling. But the Win32/Hexzone approach does show a continuing trend among cyber-criminals towards stealing small sums from lots of people as alternatives to high-profile, high-intensity attacks on big companies and sites. One of the advantages of this approach is that it’s less likely to attract the attention of law-enforcement agencies, who usually have to focus mostly on incidents where large sums are involved.

Director of Malware Intelligence


Author David Harley, ESET

  • Dear ESET,

    Finjan’s blog post shows VirusTotal report and indicates on Hexzone as an executable the bot was instructed to download from the command center.

    Hexzone is not the bot itself but one out of many executables that the bot downloaded and executed on the infected PCs.

    Taken from the blog post:
    “This command instructs the bot on the infected computers to download and execute a Trojan horse. As indicates on the VirusTotal report below, only 4 out of 39 Anti-Virus products detected this Trojan.”

    As for the number of infected PCs:
    The 1.9M number is very accurate. The entire DB was available for inspection where unique records were identified (computer names, IPs, region). Commands were sent to the entire net or to subsets (regional).

    Your comment “Finjan has been real aggressive about spreading FUD” is unprofessional :-(


    • Dear Finjan.

      Thank you for your clarification. I have, of course, read your blog. Obviously, I’m aware of the VirusTotal report you cited. As far as I know, no-one at ESET (or anyone commenting on these blogs) has accused you of fabricating the 1.9 million number. And I certainly haven’t said anything like “Finjan has been real aggressive about spreading FUD” and would be most interested to know why you think I did.

      David Harley, speaking for himself, not ESET.

Follow us

Copyright © 2017 ESET, All Rights Reserved.