MSRT March: Three Hioles in one

by Guest Post on March 16, 2012 · 0 comments

in AntiVirus

​In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.

Win32/Hioles

Similar to last month’s focus on Win32/Pramro, Win32/Hioles is another trojan that resides on the computer and functions as a proxy server. The first variant was identified in mid-2011. One popular infection vector for the malware is via spammed messages containing a downloader such as variants of Worm:Win32/Gamarue, also mentioned in a previous blog.
Win32/Hioles may be present and execute in one of three ways:
  • as a direct action executable (.EXE)
  • as a dynamic link library (.DLL)
  • as a registered SSP (Security Support Provider)
When run, Win32/Hioles commonly drops its payload into the Application Data (%AppData%) folder as an executable with a misleading file name such as ‘KB995202.exe‘ and modifies the registry to run the .EXE at Windows login. The trojan could drop other code into the %TEMP% folder and execute it, as shown in following figure:
 
Win32/Hioles

Figure 1 – Win32/Hioles visible in Windows Task Manager

Running as a process named ‘svchost.exe‘ has two advantages; one in fooling your eyes, and two, in bypassing firewalls that use rules based on process names. When installed as a .DLL, ‘rundll32.exe‘ is used to load the trojan.

One advanced method that is rarely used in other malware families is to register the bootstrap DLL under the “%SystemRoot%\system32” folder as a Security Support Provider (SSP) so that it may be loaded into processes that try to initialize the SSPs. If the bootstrap is loaded by ‘rundll32.exe’ from the ‘Run’ key, the payload will be injected into current user’s ‘explorer.exe’ process, and in the case of being loaded as an SSP, the payload is executed directly in the current process space.
 
The three installation and execution methods used by Win32/Hioles are performed to conceal its execution, and maximize its installation success rate, for the sole purpose of providing multi-protocol (Socks4, Socks5, HTTP, HTTPS) proxy services to its C&C server. The payload is designed to be concentrated, and can be as small as 9 Kb in file size. Once loaded, it generates a unique ID for the affected system and initiates communication by sending the ID to the C&C server. The C&C server can instruct the malware to update the configured C&C server address, initiate a reverse proxy, drop the connection and other actions.
 
In the wild, we observed the malware communicating as a Socks5 proxy with a C&C server. The following is an example of a communication packet that instructs the malware to connect to the port 1002 (0x03EA in hex):
 
Win32/Hioles communication packet

Figure 2 – Win32/Hioles communication packet

Once connected, the C&C initiates a standard Socks5 handshake and sends a CONNECT request to a particular host via port 80.

In the above communications, Win32/Hioles functioned as a regular Socks5 proxy server. The HTTP traffic we observed included registering email accounts, browsing various websites and sending spam email messages. It appears as though the authors behind this botnet may be selling the network of infected computers, as evidenced by the C&C server in the above case being associated with an online proxy server merchant.

Win32/Pluzoks & Win32/Yeltminky
Pluzoks is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware to an affected computer (see our description for more information).
 
Yeltminky is a worm that spreads by making copies of itself on all available drives. The worm changes the start page for Internet Explorer and also communicates with a remote server (see our description for more information).
 
And so concludes another round of “What’s in MSRT?“… The MMPC thanks you for reading and reminds you to stay safe on the roadway of the Internets.
The following are SHA1 examples for malware mentioned in this blog.
 
Win32/Hioles:
50ef1e136ba4bc7c16246366f471c53455a5a885
d653a8923a1a2bbdafc33b268b78a487f0490b23
27f007e8c5b7177621c4dd3090ddc961c0101172
3f0bb3f3d87851ccd2696062992237e409f73071
 
Win32/Pluzoks:
29ab4c105aed4b0f3544fe147e412fc7ee579e79
c85cb2ada1c6bd7f01fd45c96bfd17068d0c1bb5
efb3efdd92b20bcfdd902e08b900a008adb5eb4a
2bb914e1c61a8207734487fc8d9599734563953d
 
Win32/Yeltminky:
b4a679a2167073f89bdc7d65d49d51cdea243704
0857513860babf3cb82e9e8ff7de908ec161b740
d5540e8717545c7907ff67e87dc847053e66d551

– Shawn Wang, MMPC


Microsoft Malware Protection Center

Leave a Comment

Previous post:

Next post: