Archive for the ‘Win32/Hioles’ Category

MSRT March: Three Hioles in one

March 15th, 2012

In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.


Similar to last month’s focus on Win32/Pramro, Win32/Hioles is another trojan that resides on the computer and functions as a proxy server. The first variant was identified in mid-2011. One popular infection vector for the malware is via spammed messages containing a downloader such as variants of Worm:Win32/Gamarue, also mentioned in a previous blog.
Win32/Hioles may be present and execute in one of three ways:
  • as a direct action executable (.EXE)
  • as a dynamic link library (.DLL)
  • as a registered SSP (Security Support Provider)
When run, Win32/Hioles commonly drops its payload into the Application Data (%AppData%) folder as an executable with a misleading file name such as ‘KB995202.exe’ and modifies the registry to run the .EXE at Windows login. The trojan may also drop other code into the %TEMP% folder and execute it, as shown in the following figure:

Figure 1 – Win32/Hioles visible in Windows Task Manager

Running as a process named ‘svchost.exe’ has two advantages: it fools the eye, and it bypasses firewalls whose rules are based on process names. When installed as a .DLL, ‘rundll32.exe’ is used to load the trojan.

One advanced method that is rarely used in other malware families is to register the bootstrap DLL under the “%SystemRoot%\system32” folder as a Security Support Provider (SSP) so that it is loaded into processes that initialize the SSPs. If the bootstrap is loaded by ‘rundll32.exe’ from the ‘Run’ key, the payload is injected into the current user’s ‘explorer.exe’ process; when loaded as an SSP, the payload executes directly in the current process space.
The three installation and execution methods used by Win32/Hioles are designed to conceal its execution and maximize its installation success rate, for the sole purpose of providing multi-protocol (Socks4, Socks5, HTTP, HTTPS) proxy services to its C&C server. The payload is designed to be compact, and can be as small as 9 Kb in file size. Once loaded, it generates a unique ID for the affected system and initiates communication by sending the ID to the C&C server. The C&C server can instruct the malware to update the configured C&C server address, initiate a reverse proxy, drop the connection, and perform other actions.
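The three persistence and evasion tricks described above (a ‘svchost.exe’ outside System32, a Run-key entry pointing into %AppData%, and an unexpected name in the LSA “Security Packages” list) can each be checked against exported system state. The following is an added example, not MMPC code; the process list, Run values and SSP list are constructed samples, and the SSP baseline is an assumed set of expected names rather than an authoritative list for any Windows version.

```python
import ntpath

# Constructed sample data (not from an infected machine), modelled on the post:
# a Task Manager-style process list, Run-key values and the LSA "Security Packages" list.
PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]
RUN_VALUES = {
    "KB995202": r"C:\Users\alice\AppData\Roaming\KB995202.exe",
    "Loader": r"rundll32.exe C:\Users\alice\AppData\Roaming\KB995202.dll,Start",
    "Vendor": r"C:\Program Files\Vendor\tray.exe",
}
SECURITY_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "KB995202"]
# Assumed baseline of expected SSP names; a real check compares against a known-good image.
SSP_BASELINE = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

SYSTEM_DIR = r"c:\windows\system32"


def masquerading_svchost(processes):
    """Return image paths of processes named svchost.exe that do not live in System32."""
    hits = []
    for name, path in processes:
        if name.lower() == "svchost.exe" and ntpath.dirname(path).lower() != SYSTEM_DIR:
            hits.append(path)
    return hits


def appdata_run_entries(run_values):
    """Return Run-key values whose command references an AppData path,
    covering both a direct .EXE and a .DLL loaded through rundll32.exe."""
    return {name: cmd for name, cmd in run_values.items() if "\\appdata\\" in cmd.lower()}


def unknown_ssps(packages, baseline):
    """Return names in the Security Packages list that are not in the baseline."""
    return [pkg for pkg in packages if pkg.lower() not in baseline]


if __name__ == "__main__":
    print("svchost outside System32:", masquerading_svchost(PROCESSES))
    print("Run entries in AppData:", appdata_run_entries(RUN_VALUES))
    print("Unknown SSPs:", unknown_ssps(SECURITY_PACKAGES, SSP_BASELINE))
```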
In the wild, we observed the malware communicating as a Socks5 proxy with a C&C server. The following is an example of a communication packet that instructs the malware to connect to the port 1002 (0x03EA in hex):

Figure 2 – Win32/Hioles communication packet

Once connected, the C&C initiates a standard Socks5 handshake and sends a CONNECT request to a particular host via port 80.

In the above communications, Win32/Hioles functioned as a regular Socks5 proxy server. The HTTP traffic we observed included registering email accounts, browsing various websites and sending spam email messages. It appears as though the authors behind this botnet may be selling the network of infected computers, as evidenced by the C&C server in the above case being associated with an online proxy server merchant.
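Because the bot connects out and then lets the C&C act as the Socks5 client, the CONNECT requests seen on that channel reveal where the proxied traffic is going. The following is an added example, not code from the post: a small RFC 1928 parser for the Socks5 greeting and request, run over constructed byte strings (one CONNECT to a host on port 80 as described above, one carrying the port 1002 / 0x03EA mentioned earlier; the hostname and 192.0.2.1 address are placeholders).

```python
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# Constructed sample exchange (not captured from the malware): greeting offering
# "no authentication", then CONNECT example.com:80 and CONNECT 192.0.2.1:1002.
SAMPLE_GREETING = bytes([5, 1, 0])
SAMPLE_CONNECT_80 = bytes([5, 1, 0, 3, 11]) + b"example.com" + (80).to_bytes(2, "big")
SAMPLE_CONNECT_1002 = bytes([5, 1, 0, 1, 192, 0, 2, 1]) + (1002).to_bytes(2, "big")


@dataclass
class Socks5Request:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> list:
    """Parse VER NMETHODS METHODS... and return the offered authentication methods."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    if len(data) != 2 + data[1]:
        raise ValueError("method list length mismatch")
    return list(data[2:])


def parse_request(data: bytes) -> Socks5Request:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT, validating the length for each address type."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_start, addr_end = 4, 8
    elif atyp == ATYP_DOMAIN:
        addr_start, addr_end = 5, 5 + data[4]  # one length byte precedes the name
    elif atyp == ATYP_IPV6:
        addr_start, addr_end = 4, 20
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) != addr_end + 2:
        raise ValueError("request length does not match address type")
    raw = data[addr_start:addr_end]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii")
    else:
        host = str(ipaddress.ip_address(raw))  # accepts packed 4- or 16-byte addresses
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return Socks5Request(COMMANDS.get(cmd, f"CMD_{cmd}"), host, port)
```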

Win32/Pluzoks & Win32/Yeltminky
Pluzoks is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware to an affected computer (see our description for more information).
Yeltminky is a worm that spreads by making copies of itself on all available drives. The worm changes the start page for Internet Explorer and also communicates with a remote server (see our description for more information).
And so concludes another round of “What’s in MSRT?”… The MMPC thanks you for reading and reminds you to stay safe on the roadway of the Internets.
The following are SHA1 examples for malware mentioned in this blog.

— Shawn Wang, MMPC

There’s a cream for that

March 12th, 2012

The other day, while previewing messages in my inbox, I saw a conspicuous message with the following parameters, typos included:

To: (email address)
CC: (email address),…
Subject: Your ex sent me this pciture of you.
Hey (email address),
Your ex sent me this picture claiming it’s you. Is it really so? You probaly should see a doctor:) They can cure it now:).

The attached file is a ZIP archive that contains an executable file named “IMG04958.exe” (SHA1: 51dd01ab8f18bc5e7875526db241d4ea79c136e8), detected as Worm:Win32/Gamarue.E.

Scanning other messages, I noticed three additional spam campaigns using different subject lines and message body text:

  • “I got you busted bro. You won’t deny the obvious now. Check the photo in attachment .”
  • “I’m sorry man you seem to be in trouble. My girfriend got this picture of you yesterday and sent to your wife. Hope you can handle it”
  • “I got your picture yesterday, who is that girl next to you? In attachment”

The theme of the spam uses a type of social engineering that leverages the shock of allegation to trick the recipient into opening the attached file. If the recipient opens the attached file in an unprotected environment, this Win32/Gamarue variant will try to download other malware.

  • Downloads “888.exe” from IP
    235964da72a80425dfb74efc264fa0ba4d8189c7 – Trojan:Win32/Hioles.C
  • Downloads “sol.exe” from IP
    cfb374ae373f49ed7bf8da92fe725b4eaff5e1a5 – Trojan:Win32/FakeSysdef

Gamarue also communicates with a command and control server on a bot network to perform actions against the infected computer.

It can’t be emphasized enough in our recommendation that you apply an “ointment” (i.e. active security scanning) to help prevent “outbreaks”.

Patrick Nolan, MMPC