Security researchers have identified a newly formed botnet that comprises machines infected with a Trojan specifically designed to manage the downloading and installation of a spectrum of other malicious software.
The Trojan, known as Heloag, installs itself on PCs after being downloaded from one of two domains: 7zsm.com or elwm.net, according to an analysis by Arbor Networks. Once on the machine, the Trojan loads itself into the Windows directory and installs a registry key that ensures the malware will be loaded during the startup routine.
It then makes a connection to the C&C server for the botnet, often on TCP port 8090, to register itself and await commands. Traffic is usually preceded by a single byte to indicate the message purpose:
- 01 – initial hello
- 02 – keep alive, idle message
- 03 – download the named file
- 04 – connect to other peers
- 05 – send hostname to server
- 06 – clear
- 07 – close connection
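The purpose-byte table above is the kind of detail a network defender can turn directly into detection logic. The following is an added example, not code from Arbor or from the article: it decodes the leading byte of a client-to-server TCP payload and flags a (source, destination) pair as a likely Heloag session when it uses port 8090, every observed message carries a known purpose byte, and the conversation opens with the 01 hello. The flow records are constructed, the IP addresses are placeholders, and everything after the first byte is treated as opaque because the article does not describe the rest of the framing.

```python
"""Decoder and session-level check for the Heloag C&C purpose bytes.

Added example (not from the article or from Arbor). Sample flows are
constructed; the payload format after the first byte is an assumption
(treated as opaque) since the article does not document it.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port the article reports as the usual C&C port.
HELOAG_DEFAULT_PORT = 8090

# Message-purpose bytes as listed in the article.
HELOAG_MSG_TYPES = {
    0x01: "initial hello",
    0x02: "keep alive (idle)",
    0x03: "download the named file",
    0x04: "connect to other peers",
    0x05: "send hostname to server",
    0x06: "clear",
    0x07: "close connection",
}


@dataclass
class FlowRecord:
    src: str          # client host (constructed value)
    dst: str          # server host (constructed value)
    dst_port: int
    payload: bytes    # leading bytes of the client-to-server TCP data


def decode_message(payload: bytes) -> Optional[Tuple[int, str, bytes]]:
    """Return (type_byte, purpose, remainder), or None if the first byte is
    not one of the documented purpose values. The remainder is returned
    untouched because its layout is not described in the article."""
    if not payload:
        return None
    msg_type = payload[0]
    purpose = HELOAG_MSG_TYPES.get(msg_type)
    if purpose is None:
        return None
    return msg_type, purpose, payload[1:]


def detect_heloag_sessions(
    flows: List[FlowRecord],
) -> Dict[Tuple[str, str], List[str]]:
    """Group flows by (src, dst) and keep pairs that match all three
    indicators: default port, only known purpose bytes, opens with hello.
    Requiring all three avoids flagging unrelated traffic whose first byte
    happens to fall in 0x01..0x07."""
    by_pair: Dict[Tuple[str, str], List[FlowRecord]] = defaultdict(list)
    for flow in flows:
        by_pair[(flow.src, flow.dst)].append(flow)

    hits: Dict[Tuple[str, str], List[str]] = {}
    for pair, pair_flows in by_pair.items():
        if any(f.dst_port != HELOAG_DEFAULT_PORT for f in pair_flows):
            continue
        decoded = [decode_message(f.payload) for f in pair_flows]
        if any(d is None for d in decoded):
            continue
        if decoded[0][0] != 0x01:      # session must begin with the hello
            continue
        hits[pair] = [d[1] for d in decoded]
    return hits


# Constructed sample flows (placeholder addresses, not real infrastructure).
SAMPLE_FLOWS = [
    # A host that behaves like the article describes: hello, idle, idle, download.
    FlowRecord("10.0.0.21", "203.0.113.10", 8090, b"\x01WORKSTATION-21"),
    FlowRecord("10.0.0.21", "203.0.113.10", 8090, b"\x02"),
    FlowRecord("10.0.0.21", "203.0.113.10", 8090, b"\x02"),
    FlowRecord("10.0.0.21", "203.0.113.10", 8090, b"\x03update.bin"),
    # Ordinary TLS to 443: first byte 0x16 is not a purpose byte.
    FlowRecord("10.0.0.22", "198.51.100.5", 443, b"\x16\x03\x01\x00\xa5"),
    # HTTP to port 8090: port matches but the first byte ('G') does not.
    FlowRecord("10.0.0.23", "203.0.113.10", 8090, b"GET / HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for pair, purposes in detect_heloag_sessions(SAMPLE_FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}: {purposes}")
```

On the constructed input only the first host is reported; the TLS and HTTP flows fail the purpose-byte check even where the port matches. In a real deployment the port condition should be relaxed (the article says "often", not "always") and the check run over the full client stream rather than a single packet.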
The Heloag Trojan effectively gives the attacker complete control of the infected machine, and provides a simple platform for him to load other malicious software.
Arbor researcher Jose Nazario said that the Trojan not only calls out to the command-and-control server in order to download new files and get commands, it also will connect with other infected machines over TCP. This kind of peer-to-peer communication has been seen in a few botnets in the past, including Nugache and others.
In some cases it’s used as a form of command-and-control, with the peers passing commands or updated executables to one another. This can serve either as a backup for the main, centralized C&C structure, or as the primary C&C mechanism, making it more difficult for researchers or ISPs to identify and take down the controlling machines.
Nazario said that in the case of Heloag, it’s unclear what the peer-to-peer communications are being used for.