Hodprot is a Hotshot

[In their presentation “Cybercrime in Russia: Trends and issues” at CARO2011 — one of the best presentations of the workshop, in my unbiased opinion ;-) — Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov mentioned the Win32/Hodprot malware family, which seems to be undergoing something of a resurgence. But why don’t I let them tell you about it? – DH]

Statistics on bank fraud provided by Group-IB (our partners in Russia dealing with cybercrime investigation) are in accordance with our own, indicating that the period when the bot was most active was the spring of 2011.

Figure 1: Detection statistics from ThreatSense.NET (01.01.2010-30.06.2011)

The main purpose of the bot is banking fraud: it supports additional modules and trojan programs in order to target the most popular online Russian banking systems (BSS, IBank, Inist). This suggests that Win32/Hodprot targets Russia and the former Soviet republics.

Here are self-explanatory statistics relating to the bot's distribution by region:

Figure 2 Statistics by region from ThreatSense.NET (01.01.2010-30.06.2011)

In every case of bank fraud connected with Win32/Hodprot, a great deal of money has been stolen. On average, each fraudulent operation pulls in several hundred thousand USD.

More interestingly, the Win32/Hodprot botnet is connected to other botnets working in the field of bank fraud in Russia. In particular, it is Win32/Hodprot that was used to download Win32.Sheldor, Win32/RDPdoor and Win32/Platcyber onto the victims’ machines. The period of time when Win32/Sheldor and Win32/RDPdoor appear to have been most active matches that of Win32/Hodprot.

Taking into account its implementation details Win32/Hodprot is a very complex threat, designed to deeply penetrate into an infected system and stay hidden for a long time. Here is the algorithm for infecting the system:

The main modules of the malware are stored in the system registry (HKLMSOFTWARESettings) rather than being stored as files in the file system. Here are the values of the registry key for storage of the payload:

  • ErrorControl
  • CoreSettings
  • HashSeed
  • PnPData

 This makes forensics much more difficult: it is very difficult to find the malicious payload since there is no corresponding file in the file system. In order to protect the payload’s privacy, it relies on an intricate customized encryption algorithm. In addition the bot employs quite a complex technique in order to survive a reboot. In the next figure you can see the protocol by which it communicates with the C&C (Command and Control) server and downloads the payload.

Win32/Hodprot uses advanced techniques to infect the system and stay hidden which distinguish it from other malware. We will release a detailed analysis of the threat shortly.

David Harley, Aleksandr Matrosov, Eugene Rodionov and Dmitry Volkov

Author David Harley, ESET

  • Yegor

    Excuse me for offtop, but what's the difference between blog.eset.com and eset.com/blog (“Hodprot is a Hotshot” is not shown there, no pics of the authors etc.)?

    • David Harley

      blog.eset.com is the blog site maintained by the web team in ESET North America. The other page is maintained by the web team in Europe, but it isn’t an exact mirror and it isn’t maintained in real-time, the tag cloud is completely different, and so on. Those of us with European IPs are directed to eset.com, which links to that version of the blog. If you link to eset.com/us/ you’ll see the home page as they see it in the US, and that does link to blog.eset.com.

      Also, there doesn’t seem to be a link to the white papers page from eset.com, or to the Threat Center.

Follow us

Copyright © 2017 ESET, All Rights Reserved.