Hiloti: the (bot)master of disguise

From Botnets.fr
Revision as of 15:23, 7 February 2015 by Eric.freyssinet (talk | contribs) (1 revision imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

(Publication) Google search: [1]

Hiloti: the (bot)master of disguise
Botnet Bredolab
Malware Hiloti
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date / November 8, 2010
Editor/Conference Fortinet
Link http://blog.fortinet.com/hiloti-the-botmaster-of-disguise/ blog.fortinet.com (blog.fortinet.com Archive copy)
Author Patrick Yu


Some interesting DNS queries were captured earlier on while Patrick Yu was analyzing a Hiloti sample downloaded from a Bredolab server. Both Hiloti and Bredolab are bots that download and install other malware pieces on the infected computer they run on (for financial gain, more on this below).

Here’s the actual DNS query: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com

This apparently invalid hostname surprisingly resolved to, which is also the nameserver responsible for the a4h9uploading.com domain. Very plausibly, what this request means is that the Hiloti botmaster is using this custom DNS server to receive information from its bots. And this information could very well be a “successful installation” message, as well as an ID to identify the “affiliate” responsible for the installation (in this case, Bredolab).

Many malware pieces today have such a reporting mechanism, in order to inform their masters about what has been successfully installed and by whom; this enables a pay-per-install (PPI) business model, where affiliates receive payment proportional to the number of malware installs they performed. But while we have seen many ways of reporting this data, using legitimate DNS queries is indeed a discrete way to do so…

The bot then downloaded some encrypted files from a free file-hosting server:


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permittedBFR921,
   editor = {Fortinet},
   author = {Patrick Yu},
   title = {Hiloti: the (bot)master of disguise},
   date = {08},
   month = Nov,
   year = {},
   howpublished = {\url{http://blog.fortinet.com/hiloti-the-botmaster-of-disguise/ blog.fortinet.com}},