RSS

New P2P Trojan Discovered

15 Apr

Once launched, the malware will install itself in the WINDOWS directory where it installs a registry key to ensure that it loads on startup.

Security researchers at Arbor Networks researchers have discovered a new botnet that compromises machines infected with the Heloag Trojan that is specifically designed to manage the downloading and installation of a spectrum of additional malicious software.

“Upon detailed inspection, this bot does not appear to have any DDoS capabilities built into it, it appears to only manage downloads on the infected PC,” say researcher Jose Nazario.

The way it works is that the trojan is downloaded from either 7zsm.com or elwm.net. Once on an infected PC, it then install itself in the WINDOWS directory.

Names observed include:

  • C:\WINDOWS\csrse.exe
  • C:\WINDOWS\ThunderUpdate.exe
  • C:\WINDOWS\conme.exe

The malware then installs a registry key to ensure that it loads on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon = [filename]

(Where [filename] refers to the installed filename from above)

It then makes a connection to the C&C server for the botnet, often on TCP port 8090, to register itself and await commands. Traffic is usually preceded by a single byte to indicate the message purpose:

  • 01 – initial hello
  • 02 – keep alive, idle message
  • 03 – download the named file
  • 04 – connect to other peers
  • 05 – send hostname to server
  • 06 – clear
  • 07 – close connection

Trojan.Heloag infected hosts often download other malcode over HTTP from a central server, and can also connect to other bots over TCP, often using ports 7000-7010.

Nazario said that the Trojan not only calls out to the command-and-control server in order to download new EXEs to load onto the infected PC, it will also connect with other infected machines over TCP.

“It’s unclear what the purpose of this is, but it appears to be some form of peer-to-peer,” adds Nazario.

 
Leave a comment

Posted by on April 15, 2010 in Computers

 

Tags: ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

 
%d bloggers like this: