This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?
Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines are not receiving commands from the C&C, so they’re not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.
The answers below refer to a new version of the HLUX botnet – it’s a different botnet but the malware being used is build using the same HLUX coding.
Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.
Why?
As we already known, the bot distributes spam and has the ability to conduct DDoS attacks. In addition, we have discovered that:
- The bot is capable of infecting flash drives, creating a file on them called “Copy a Shortcut to google.Ink” in the same way Stuxnet did.
- The bot can search for configuration files for numerous FTP clients and transfer them to its command servers.
- The bot has a built-in Bitcoin wallet theft feature.
- The bot also includes a Bitcoin miner feature.
- The bot can operate in proxy server mode.
- The bot searches hard drives for files containing email addresses.
- The bot has a sniffer for intercepting email, FTP and HTTP session passwords.
Part of the HLUX code that interacts with FTP clients
Part of the HLUX code used to steal Bitcoin wallets
Where does it come from?
The bot is loaded onto users’ computers from numerous sites hosted on fast flux domains primarily in the .EU domain zone. The bot installs small downloaders (~47 KB) on the system. These downloaders have been detected on computers in the GBOT and Virut botnets. The downloaders can be loaded to computers within minutes of a machine being infected by the malware mentioned above (GBOT and Virut). This distribution method hinders the detection of the primary bot distribution source.
Bot installations have also been detected during drive-by attacks that make use of the Incognito exploit kit.
The number of computers in the new HLUX botnet is estimated to be several thousand, based on the numbers in the approximately 8000 IP addresses detected in operations conducted via P2P.
Where’s it going?
As before, the HLUX botnet primarily receives commands to distribute spam. However, another malicious program, which we wrote about here, is also being installed on the botnet. Its main functionality is fraudulent manipulation of search engines along the lines of TDSS.
The passwords harvested from FTP are used to place malicious Javascripts on websites that redirect users of the compromised sites once again to Incognito exploit kit. Exploits for the CVE-2011-3544 vulnerability are primarily used when the bot is installed during these attacks. In other words, HLUX implements a cyclical distribution scheme just like that used by Bredolab.
Summary
The HLUX botnet, both old and new, is a classic example of organized crime in action on the Internet. The owners of this botnet take part in just about every type of online scam going: sending spam, theft of passwords, manipulation of search engines, DDoS etc.
It is not uncommon for new versions of botnets to appear, and it’s one of the challenges we face in the IT security industry. We can neutralize botnet attacks and delay cyber criminal activities but ultimately the only way to take botnets down is to arrest and persecute the creators and groups operating them. This is a difficult task because security companies face different federal policies and legislation in various countries where botnets are located. This causes the law enforcement investigations and legal process to be a long and arduous process.
We’ll continue monitoring this particular botnet and keep you up to speed with any technical developments.
P.S. We noticed this on one fast flux domain that was earlier spreading HLUX:
It’s not yet clear whether this is the control panel of the HLUX botnet.
The where and why of HLUX