In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.
Similar to last month's focus on Win32/Pramro, Win32/Hioles is another trojan that resides on the computer and functions as a proxy server. The first variant was identified in mid-2011. One common infection vector is spammed messages carrying a downloader, such as variants of Worm:Win32/Gamarue, also mentioned in a previous blog post.
Win32/Hioles may be present and execute in one of three ways:
- as a direct action executable (.EXE)
- as a dynamic link library (.DLL)
- as a registered SSP (Security Support Provider)
When run, Win32/Hioles commonly drops its payload into the Application Data (%AppData%) folder as an executable with a file name chosen to resemble a Windows update, such as 'KB995202.exe', and adds a 'Run' key entry so the .EXE starts at Windows logon. The trojan may also drop further code into the %TEMP% folder and execute it, as shown in the following figure:
Figure 1 - Win32/Hioles visible in Windows Task Manager
Running under the name 'svchost.exe' has two advantages for the malware: it blends in with the many legitimate svchost.exe instances a user sees in Task Manager, and it slips past host firewalls whose rules key on the process name rather than on the image path or hash. The copy still gives itself away on inspection, because a genuine svchost.exe runs from %SystemRoot%\System32 and is started by services.exe, whereas this one runs from %TEMP%. When installed as a .DLL, the trojan is loaded via 'rundll32.exe'.
One advanced method, rarely seen in other malware families, is to register the bootstrap DLL, dropped under the "%SystemRoot%\system32" folder, as a Security Support Provider (SSP), so that it is loaded into any process that initializes the SSP interface. Registering an SSP means writing to the LSA configuration under HKLM, which requires administrative rights; once registered, the DLL is loaded by LSASS at startup as well as by ordinary SSPI clients. If instead the bootstrap is loaded by 'rundll32.exe' from the 'Run' key, the payload is injected into the current user's 'explorer.exe' process; when loaded as an SSP, the payload executes directly inside the hosting process.
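The three installation methods above leave distinct registry artifacts, so a triage script can look for all of them at once: Run-key values that start a KB-named executable from the user profile, Run-key values that hand a DLL in a user-writable folder to rundll32.exe, and SSP names in the LSA 'Security Packages' list that a clean system does not have. The following is an added example written for this post, not code from the malware or from the MMPC; the registry records are constructed to resemble 'reg query' output, and the baseline SSP set is an assumption taken from a clean Windows 7 / Server 2008 R2 install that should be replaced by a known-good host of the same build.

```python
"""Triage of the Win32/Hioles persistence artifacts described above.

Added example, not the malware's or MMPC's code. The records are constructed to
resemble 'reg query' output for the HKCU Run key and the LSA 'Security Packages'
value; on a live host feed it the real values (e.g. read with winreg) instead.
"""
import re

# SSPs present on a clean Windows 7 / Server 2008 R2 install. Assumption: compare
# against a known-good host of the same build, as other builds ship different sets.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# Path fragments marking user-writable locations where an autostart binary is odd.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\local settings\\")

# Hioles drops e.g. 'KB995202.exe'; genuine updates are never auto-started this way.
FAKE_KB_EXE = re.compile(r"^kb\d+\.exe$", re.IGNORECASE)
# rundll32 <dll>[,entry]: the DLL path ends at the first comma.
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?["\s]+(?P<dll>[^,]+)', re.IGNORECASE)


def expand_env(path, env):
    """Expand %VAR% references case-insensitively from the supplied mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def in_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage_run_value(name, data, env):
    """Return reasons a Run-key value matches the Hioles patterns ([] if clean)."""
    reasons = []
    cmd = expand_env(data, env)
    m = RUNDLL32.search(cmd)
    if m:
        dll = m.group("dll").strip().strip('"')
        if in_user_writable(dll):
            reasons.append(f"{name}: rundll32 loads a DLL from a user-writable path: {dll}")
    else:
        tokens = cmd.strip().strip('"').rsplit("\\", 1)[-1].split()
        exe = tokens[0] if tokens else ""
        if in_user_writable(cmd) and FAKE_KB_EXE.match(exe):
            reasons.append(f"{name}: KB-named executable auto-starting from the profile: {cmd}")
    return reasons


def triage_security_packages(packages):
    """Return SSP names absent from the baseline; Hioles registers its bootstrap DLL here."""
    return sorted({p.lower() for p in packages} - BASELINE_SSPS)


def triage(run_values, security_packages, env):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name, data in run_values.items():
        findings.extend(triage_run_value(name, data, env))
    for ssp in triage_security_packages(security_packages):
        findings.append(f"Security Packages: unexpected SSP '{ssp}' is loaded into LSASS "
                        "and into every process that initializes SSPI")
    return findings


# Constructed sample input (not taken from a real infection).
SAMPLE_ENV = {"appdata": r"C:\Users\victim\AppData\Roaming",
              "temp": r"C:\Users\victim\AppData\Local\Temp"}
SAMPLE_RUN_VALUES = {
    "KB995202": r'"%AppData%\KB995202.exe"',                 # mimics the Hioles .EXE install
    "SecUpdate": r"rundll32.exe %TEMP%\secupd.dll,Init",      # mimics the .DLL install
    "Vendor Tray": r'"C:\Program Files\Vendor\tray.exe" /bg',  # benign control entry
}
SAMPLE_SECURITY_PACKAGES = BASELINE_SSPS | {"kbsec"}         # 'kbsec' mimics a rogue SSP

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_SECURITY_PACKAGES, SAMPLE_ENV):
        print(finding)
```

Run against the constructed sample, the script reports the KB-named executable, the rundll32-loaded DLL in %TEMP%, and the extra SSP, and stays silent on the benign Program Files entry. The SSP check is the one worth keeping in a baseline: a new name in 'Security Packages' is rare on a healthy system, and the DLL it refers to is loaded into LSASS at the next boot.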
The three installation and execution methods used by Win32/Hioles serve to conceal its execution and maximize its installation success rate, all for the sole purpose of providing multi-protocol (Socks4, Socks5, HTTP, HTTPS) proxy services to its C&C server. The payload is designed to be compact, and can be as small as 9 KB in file size. Once loaded, it generates a unique ID for the affected system and initiates communication by sending the ID to the C&C server. The C&C server can instruct the malware to update the configured C&C server address, initiate a reverse proxy, drop the connection, and perform other actions.
In the wild, we observed the malware communicating as a Socks5 proxy with a C&C server. The following is an example of a communication packet that instructs the malware to connect to port 1002 (0x03EA in hex, sent as the two bytes 03 EA):
Figure 2 - Win32/Hioles communication packet
Once the infected computer has made that outbound connection, the C&C acts as the Socks5 client on it: it initiates a standard Socks5 handshake and sends a CONNECT request for a particular host on port 80. The bot is thus the TCP client but the Socks5 server, which is why it needs no listening port and why egress traffic to the C&C is all a network sensor will see.
In the above communications, Win32/Hioles functioned as a regular Socks5 proxy server. The HTTP traffic we observed included registering email accounts, browsing various websites and sending spam email messages. It appears as though the authors behind this botnet may be selling the network of infected computers, as evidenced by the C&C server in the above case being associated with an online proxy server merchant.
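The exchange described above, as an added example that is not part of the original post or the malware's code: the RFC 1928 messages for method negotiation and a CONNECT request, driven across an in-memory socket pair so both sides' bytes are visible. The bot's role (Socks5 server on the connection it dialled out) and the C&C's role (Socks5 client) are separate functions; no authentication method is negotiated, matching the 'regular Socks5 proxy' behaviour observed. The host name and the fixed reply address are placeholders.

```python
"""SOCKS5 exchange between a Hioles-style proxy (server role) and its C&C (client role).

Added example, not the malware's code: RFC 1928 method negotiation and CONNECT,
run over a socketpair. The bot is the TCP client (it dialled the C&C) but the
SOCKS server; the C&C drives the handshake. Host names below are placeholders.
"""
import socket
import struct
import threading

VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, REP_SUCCEEDED = 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting(methods=(NO_AUTH,)):
    """Client -> server: VER NMETHODS METHODS."""
    return bytes([VER, len(methods), *methods])


def parse_greeting(data):
    if len(data) < 2 or data[0] != VER or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def build_method_selection(method):
    """Server -> client: VER METHOD (0xFF = no acceptable method)."""
    return bytes([VER, method])


def build_connect_request(host, port):
    """Client -> server: VER CMD RSV ATYP DST.ADDR DST.PORT. The port is a
    big-endian uint16, which is why 0x03EA on the wire means port 1002."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted quad: send it as a domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Return (host, port) from a CONNECT request; reject anything else."""
    if len(data) < 4 or data[0] != VER or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    return host, struct.unpack("!H", rest)[0]


def build_connect_reply(rep, bind_host="0.0.0.0", bind_port=0):
    """Server -> client: VER REP RSV ATYP BND.ADDR BND.PORT."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_host)
            + struct.pack("!H", bind_port))


def proxy_side(conn):
    """The bot's role on the connection it opened to the C&C: answer as SOCKS5 server."""
    if NO_AUTH not in parse_greeting(conn.recv(257)):
        conn.sendall(build_method_selection(NO_ACCEPTABLE))
        return None
    conn.sendall(build_method_selection(NO_AUTH))
    host, port = parse_connect_request(conn.recv(262))
    # A real proxy would now connect to host:port and relay bytes; here we only acknowledge.
    conn.sendall(build_connect_reply(REP_SUCCEEDED))
    return host, port


def controller_side(conn, host, port):
    """The C&C's role: SOCKS5 client over the bot's inbound connection. Returns the REP byte."""
    conn.sendall(build_greeting())
    if conn.recv(2) != build_method_selection(NO_AUTH):
        raise ConnectionError("proxy refused our authentication methods")
    conn.sendall(build_connect_request(host, port))
    return conn.recv(262)[1]


def run_exchange(host="www.example.invalid", port=80):
    """Drive both roles over a socketpair; returns ((host, port) the proxy saw, REP)."""
    bot, cnc = socket.socketpair()
    seen = {}
    worker = threading.Thread(target=lambda: seen.update(target=proxy_side(bot)))
    worker.start()
    rep = controller_side(cnc, host, port)
    worker.join()
    bot.close()
    cnc.close()
    return seen["target"], rep


if __name__ == "__main__":
    print(run_exchange())
```

For detection, the useful property is that every CONNECT the C&C issues is fully visible in the bot's outbound TCP stream: the 05 01 00 greeting, the 05 00 selection, then 05 01 00 03 followed by a length byte and a host name ending in 00 50 for port 80. A network signature on that sequence inside a connection the host initiated will catch the proxy in use regardless of which C&C port the configuration names.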
Win32/Pluzoks & Win32/Yeltminky
Pluzoks is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware on an affected computer (see our description for more information).
Yeltminky is a worm that spreads by making copies of itself on all available drives. The worm changes the start page for Internet Explorer and also communicates with a remote server (see our description for more information).
And so concludes another round of "What's in MSRT?"... The MMPC thanks you for reading and reminds you to stay safe on the roadway of the Internets.
The following are SHA1 examples for malware mentioned in this blog.
-- Shawn Wang, MMPC