New P2P Botnet Forming

Security researchers have identified a newly formed botnet that comprises machines infected with a Trojan specifically designed to manage the downloading and installation of a spectrum of other malicious software.

Security researchers have identified a newly formed botnet that comprises machines infected with a Trojan specifically designed to manage the downloading and installation of a spectrum of other malicious software.

The Trojan, known as Heloag, installs itself on PCs after being downloaded from one of two domains: or, according to an analysis by Arbor Networks. Once on the machine, the Trojan loads itself into the Windows directory and installs a registry key that ensures the malware will be loaded during the startup routine.

It then makes a connection to the C&C server for the botnet,
often on TCP port 8090, to register itself and await commands. Traffic
is usually preceded by a single byte to indicate the message purpose:

  • 01 – initial hello
  • 02 – keep alive, idle message
  • 03 – download the named file
  • 04 – connect to other peers
  • 05 – send hostname to server
  • 06 – clear
  • 07 – close connection

The Heloag Trojan effectively gives the attacker complete control of the infected machine, and provides a simple platform for him to load other malicious software.

Arbor researcher Jose Nazario said that the Trojan not only calls out to the command-and-control server in order to download new files and get commands, it also will connect with other infected machines over TCP. This kind of peer-to-peer communication has been seen in a few botnets in the past, including Nugache and others.

In some cases it’s used as a form of command-and control, with the peers passing commands or updated executables to one another. This can serve either as a backup for the main, centralized C&C structure, or as the primary C&C mechanism, making it more difficult for researchers or ISPs to identify and take down the controlling machines.

Nazario said that in the case of Heloag, it’s unclear what the peer-to-peer communications are being used for.

Suggested articles


  • Anonymous on

    Do not use Administrator accounts while browsing the Internet.

  • Anonymous on

    Are you kidding? P2P botnets have been around since 1999. Admittedly they are allot leaner and less init hooks.

  • Anonymous on

    with UAC enabled, i wonder if these downloads can install automatically.  windows should be able to detect when any sofware tries to install itself, and especially a program that authorizes adminstrative permissions.


  • Anonymous on

    Since I am not at all technical, all I want to know is that Kaspersky is on top of these threats in terms of detecting and neutralizing them?

  • Jim on

    As another commenter said: Do not use the administrator account for anything other than administrative tasks. If you don't know how to setup a regular user account, learn how - use your favorite search engine and explore your options and learn how to set one up. I cannot stress how much malicious software you can avoid by simply not using the computer as an administrator. You can avoid malicious software that your anti-virus program misses by not being logged in when the virus tries to execute itself.
  • The Olde Pharte on

    OK folks, it's the Olde Pharte here.  I realize I am wayyyy over the hill.  But I have sort of figured out a wee bit about computers.  I signed up with Mozilla/FIrefox/Thunderbird   & Kaspersky.  Now I have no idea what an administrator account is!  What is it?  Doesn't Kaspersky keep my computer OK from these bad puppies?  How do little ol' ladies like me keep our sanity & our computers integrity intact when we are not Computer Bunnies?  Are you saying I should not do any banking online with my computer?  I realize my 'widow's mite' is probably laughable to anyone wanting to get rich.  But it's my pension & I have to stretch it as best as I can.  Do these P2P Botnet (whatever they are) folks mess with little nobody accounts too?  What to do?

  • Anonymous on


     I would like to know...

    "Is it Still  "UN-SAFE" to download Updates of Adobe?  "

    I keep getting  Messages to UpDATE!

    Thank you.


  • Anonymous on

    Do you mean the administrator account specifically? Or any user account with admin rights?

  • Anonymous on

    Any account with admin rights gives access to the windows folder as well as other administrative shares that malware uses to propogate. So in this case "Administrator" isn't the account name but the account type.

  • Anonymous on

    Unfortunately you don't need administrator rights for a lot of these things to propagate. They are becoming more and more clever in circumventing security. Certainly do what you can to help mitigate the impact of these invaders, but don't think non-elevated users are not impacted.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.