Tuesday, April 13, 2010

New P2P Botnet Forming

Via Threatpost.com -

Security researchers have identified a newly formed botnet that comprises machines infected with a Trojan specifically designed to manage the downloading and installation of a spectrum of other malicious software.

The Trojan, known as Heloag, installs itself on PCs after being downloaded from one of two domains: 7zsm.com or elwm.net, according to an analysis by Arbor Networks. Once on the machine, the Trojan loads itself into the Windows directory and installs a registry key that ensures the malware will be loaded during the startup routine.

The Heloag Trojan effectively gives the attacker complete control of the infected machine, and provides a simple platform for him to load other malicious software.

Arbor researcher Jose Nazario said that the Trojan not only calls out to the command-and-control server in order to download new files and get commands, it also will connect with other infected machines over TCP. This kind of peer-to-peer communication has been seen in a few botnets in the past, including Nugache and others.

In some cases it's used as a form of command-and-control, with the peers passing commands or updated executables to one another. This can serve either as a backup for the main, centralized C&C structure, or as the primary C&C mechanism, making it more difficult for researchers or ISPs to identify and take down the controlling machines.
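One way a network defender can look for the pattern described above, given only the two download domains the article names: first find the internal hosts that reached 7zsm.com or elwm.net, then check whether those same hosts are opening TCP connections to one another, which is what a forming peer mesh looks like from the outside. The script below is an added example and is not code from the Threatpost or Arbor analysis; the record format, the host addresses, and the peer port (4000) are all constructed for the illustration, and nothing about Heloag's real peer protocol is assumed.

```python
"""
Added example (not from the Threatpost/Arbor write-up): spot a peer-to-peer
mesh forming among hosts that have already contacted the Heloag download
domains, using connection records.  Everything below, the record format,
the host addresses, the peer port and the flows, is constructed for the
illustration.
"""
from collections import defaultdict

# Domains named in the article as the Trojan's download sources.
HELOAG_DOMAINS = {"7zsm.com", "elwm.net"}

# Constructed connection records: (src, dst_host_or_ip, dst_port, proto).
# In practice these would be joined from DNS/proxy logs and flow exports.
SAMPLE_FLOWS = [
    ("10.0.0.5", "7zsm.com", 80, "tcp"),     # download from a named domain
    ("10.0.0.7", "elwm.net", 80, "tcp"),
    ("10.0.0.9", "7zsm.com", 80, "tcp"),
    ("10.0.0.5", "10.0.0.7", 4000, "tcp"),   # peer link between suspects (port is constructed)
    ("10.0.0.7", "10.0.0.9", 4000, "tcp"),
    ("10.0.0.5", "10.0.0.12", 445, "tcp"),   # ordinary traffic to a clean host
    ("10.0.0.3", "10.0.0.5", 22, "tcp"),     # clean host connecting to a suspect
]


def suspect_hosts(flows, domains=HELOAG_DOMAINS):
    """Internal hosts that reached one of the known download domains."""
    return {src for src, dst, _port, _proto in flows if dst in domains}


def peer_links(flows, suspects):
    """Undirected TCP links with a suspect at both ends: the candidate mesh.
    Traffic between a suspect and a non-suspect is deliberately ignored so
    that normal internal services (SMB, SSH) do not show up as peer links."""
    links = set()
    for src, dst, port, proto in flows:
        if proto == "tcp" and src in suspects and dst in suspects:
            links.add((tuple(sorted((src, dst))), port))
    return links


def peer_degree(links):
    """Distinct peers each suspect talks to.  Fan-out inside the suspect set,
    rather than a single download, is what indicates a mesh is forming."""
    degree = defaultdict(set)
    for (a, b), _port in links:
        degree[a].add(b)
        degree[b].add(a)
    return {host: len(peers) for host, peers in degree.items()}


def report(flows):
    """Summarise suspects, the links among them, and each host's peer count."""
    suspects = suspect_hosts(flows)
    links = peer_links(flows, suspects)
    return {
        "suspects": sorted(suspects),
        "links": sorted(links),
        "degree": peer_degree(links),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_FLOWS).items():
        print(key, value)
```

Seeding the suspect set from the download domains keeps the peer-link search from flagging every internal TCP connection; a host that only talks to suspects over SSH or SMB, like 10.0.0.3 above, stays out of the result. On real data the same two functions would run over DNS answers plus flow exports, with the port left unconstrained since the article does not state which port the peers use.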

Nazario said that in the case of Heloag, it's unclear what the peer-to-peer communications are being used for.
