Via Threatpost.com -
Security researchers have identified a newly formed botnet that comprises machines infected with a Trojan specifically designed to manage the downloading and installation of a spectrum of other malicious software.
The Trojan, known as Heloag, installs itself on PCs after being downloaded from one of two domains, 7zsm.com or elwm.net, according to an analysis by Arbor Networks. Once on the machine, the Trojan copies itself into the Windows directory and installs a registry key that ensures the malware is loaded again at every startup.
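The two indicators the write-up gives, the download domains and an autorun entry pointing at a file dropped into the Windows directory, are enough to hunt for on a proxy log and a Run-key export. The script below is an added example written for this post, not Arbor's analysis or the Trojan's own code. The log lines and registry entries are constructed; the write-up does not name the registry key, the dropped file name, or the exact paths, so the "executable directly in the Windows directory root" rule is an assumption used as a heuristic, not something the source states.

```python
"""Hunt for the two Heloag indicators given in the write-up: downloads from
7zsm.com / elwm.net, and an autorun entry launching a file dropped into the
Windows directory. All sample data below is constructed for the example."""
import re
from urllib.parse import urlsplit

# Download domains named in the Arbor write-up.
DOWNLOAD_DOMAINS = {"7zsm.com", "elwm.net"}

# Constructed proxy log (Squid-like: timestamp, client, method, URL).
PROXY_LOG = """\
1270000001.123 10.0.0.12 GET http://www.example.com/index.html
1270000002.456 10.0.0.12 GET http://7zsm.com/update/svc.exe
1270000003.789 10.0.0.40 GET http://cdn.elwm.net/dl/setup.exe
1270000004.012 10.0.0.40 GET http://elwm.net.example.org/notmalicious
"""

# Constructed Run-key export as (value name, command line) pairs.
RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("svchost", r"C:\Windows\svchost.exe"),  # hypothetical dropper in the Windows root
]


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it.
    Plain substring matching would also hit look-alikes such as evil7zsm.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(text, domains=DOWNLOAD_DOMAINS):
    """Return (client, url) for each request whose host is an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname or ""
        if host_matches(host, domains):
            hits.append((client, url))
    return hits


# Matches an optionally quoted path to an .exe sitting directly in
# <drive>:\Windows\ with no further subdirectory (heuristic, see lead-in).
_WINDIR_ROOT = re.compile(r'^"?([a-z]:\\windows\\[^\\"]+\.exe)"?', re.I)


def suspicious_run_entries(entries):
    """Flag autorun value names whose executable lives in the Windows root.
    Assumption: legitimate autoruns normally point into a subfolder such as
    system32, so a bare C:\\Windows\\<name>.exe deserves a look."""
    return [name for name, cmd in entries if _WINDIR_ROOT.match(cmd.strip())]


if __name__ == "__main__":
    for client, url in scan_proxy_log(PROXY_LOG):
        print(f"download from indicator domain: {client} -> {url}")
    for name in suspicious_run_entries(RUN_ENTRIES):
        print(f"autorun launching from Windows root: {name}")
```

Both checks are deliberately narrow: the domain match is exact-or-subdomain so that `elwm.net.example.org` is not reported, and the autorun rule only fires for a file directly under the Windows directory, which is where the write-up says the Trojan places itself. Treat a hit as a lead to confirm on the host, not as proof of infection.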
[...]
The Heloag Trojan effectively gives the attacker complete control of the infected machine and provides a simple platform for loading other malicious software onto it.
Arbor researcher Jose Nazario said that the Trojan not only calls out to the command-and-control server to download new files and get commands, it will also connect to other infected machines over TCP. This kind of peer-to-peer communication has been seen in a few botnets in the past, including Nugache and others.
In some cases it's used as a form of command-and-control, with the peers passing commands or updated executables to one another. This can serve either as a backup for the main, centralized C&C structure or as the primary C&C mechanism, making it more difficult for researchers or ISPs to identify and take down the controlling machines.
Nazario said that in the case of Heloag, it's unclear what the peer-to-peer communications are being used for.