Once launched, the malware installs itself in the WINDOWS directory and adds a registry key to ensure that it loads on startup.
Security researchers at Arbor Networks have discovered a new botnet of machines compromised by the Heloag Trojan, which is specifically designed to manage the downloading and installation of a spectrum of additional malicious software.
“Upon detailed inspection, this bot does not appear to have any DDoS capabilities built into it, it appears to only manage downloads on the infected PC,” says researcher Jose Nazario.
The Trojan is downloaded from either 7zsm.com or elwm.net. Once on the PC, it installs itself in the WINDOWS directory.
Names observed include:
- C:\WINDOWS\csrse.exe
- C:\WINDOWS\ThunderUpdate.exe
- C:\WINDOWS\conme.exe
The malware then installs a registry key to ensure that it loads on startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon = [filename]
(Where [filename] refers to the installed filename from above)
It then makes a connection to the C&C server for the botnet, often on TCP port 8090, to register itself and await commands. Traffic is usually preceded by a single byte to indicate the message purpose:
- 01 – initial hello
- 02 – keep alive, idle message
- 03 – download the named file
- 04 – connect to other peers
- 05 – send hostname to server
- 06 – clear
- 07 – close connection
Trojan.Heloag-infected hosts often download other malcode over HTTP from a central server, and can also connect to other bots over TCP, often using ports 7000-7010.
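The purpose-byte list and the peer-port range above translate directly into network triage logic. The following is an added example, not Arbor's code: it labels captured flows by the leading byte on TCP 8090 and by peer connections on 7000-7010, then builds a per-host summary. The sample flows are constructed, and treating whatever follows the purpose byte as an opaque argument (for example a file name after 03) is an assumption.

```python
# Added example (not Arbor's code): triage captured flows against the Heloag C&C
# pattern described in the article. Ports and purpose bytes follow the article; the
# sample flows are constructed; bytes after the purpose byte are treated as an
# opaque argument, which is an assumption.
from collections import defaultdict

CC_PORT = 8090                  # C&C registration/command channel
PEER_PORTS = range(7000, 7011)  # bot-to-bot connections, 7000-7010 inclusive
MESSAGE_TYPES = {               # leading byte -> purpose
    0x01: "initial hello",
    0x02: "keep alive",
    0x03: "download the named file",
    0x04: "connect to other peers",
    0x05: "send hostname to server",
    0x06: "clear",
    0x07: "close connection",
}

def classify(dport, payload):
    """Label one flow: ('c2', purpose), ('peer', None), or None if it matches neither."""
    if dport == CC_PORT and payload and payload[0] in MESSAGE_TYPES:
        return "c2", MESSAGE_TYPES[payload[0]]
    if dport in PEER_PORTS:
        return "peer", None
    return None  # other traffic, or an empty/unrecognised leading byte on 8090

def summarize(flows):
    """Per src host: C&C purposes seen, 0x03 arguments, peers. flows = (src, dst, dport, payload)."""
    reports = defaultdict(lambda: {"commands": [], "downloads": [], "peers": set()})
    for src, dst, dport, payload in flows:
        label = classify(dport, payload)
        if label is None:
            continue  # hosts with no matching traffic never appear in the result
        kind, purpose = label
        if kind == "c2":
            reports[src]["commands"].append(purpose)
            if payload[0] == 0x03:
                reports[src]["downloads"].append(payload[1:])
        else:
            reports[src]["peers"].add(dst)
    return dict(reports)

# Constructed sample traffic: one host showing the full pattern, one clean host.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 8090, b"\x01"),
    ("10.0.0.5", "203.0.113.9", 8090, b"\x05WORKSTATION-5"),
    ("10.0.0.5", "203.0.113.9", 8090, b"\x03update.exe"),
    ("10.0.0.5", "10.0.0.77", 7003, b"hello"),
    ("10.0.0.8", "203.0.113.9", 8090, b"GET / HTTP/1.1\r\n"),  # 'G' is not a purpose byte
]
```

Any host present in the summary has either spoken the C&C protocol on 8090 or reached a peer port, which is the point at which an analyst would pull the host for inspection of the WINDOWS directory and the Winlogon key listed above.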
Nazario said that the Trojan not only calls out to the command-and-control server in order to download new EXEs to load onto the infected PC, it will also connect with other infected machines over TCP.
“It’s unclear what the purpose of this is, but it appears to be some form of peer-to-peer,” adds Nazario.