Hiloti: the (bot)master of disguise
(Publication)
| Field | Value |
|---|---|
| Botnet | Bredolab |
| Malware | Hiloti |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | November 8, 2010 |
| Editor/Conference | Fortinet |
| Link | http://blog.fortinet.com/hiloti-the-botmaster-of-disguise/ (blog.fortinet.com; archive copy) |
| Author | Patrick Yu |
| Type | |
Abstract
“Some interesting DNS queries were captured earlier on while Patrick Yu was analyzing a Hiloti sample downloaded from a Bredolab server. Both Hiloti and Bredolab are bots that download and install other malware pieces on the infected computer they run on (for financial gain, more on this below).
Here’s the actual DNS query: `142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com`
This apparently invalid hostname surprisingly resolved to 95.211.131.67, which is also the nameserver responsible for the a4h9uploading.com domain. Very plausibly, what this request means is that the Hiloti botmaster is using this custom DNS server to receive information from its bots. And this information could very well be a “successful installation” message, as well as an ID to identify the “affiliate” responsible for the installation (in this case, Bredolab).
Many malware pieces today have such a reporting mechanism, in order to inform their masters about what has been successfully installed and by whom; this enables a pay-per-install (PPI) business model, where affiliates receive payment proportional to the number of malware installs they performed. But while we have seen many ways of reporting this data, using legitimate DNS queries is indeed a discreet way to do so…
The bot then downloaded some encrypted files from a free file-hosting server:
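The query name quoted above is a good illustration of why DNS-based reporting is easy to miss but not hard to spot once you look at the query names themselves: it has far more labels than a normal hostname, several long hex-looking labels, and labels containing underscores, which are not valid in a hostname. The following Python script is an added example, not code from the Fortinet post, showing a defender-side heuristic that scores DNS query names on those properties and flags the outliers. The log format (client, query type, query name, answer, one query per line) is an assumption, and the thresholds are illustrative values a team would tune against its own resolver traffic.

```python
"""Flag DNS query names that look like encoded bot reports (added example)."""
import math
import re
from collections import Counter

# A label of six or more characters made only of hex digits (IDs, hashes).
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{6,}$")
# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
# Underscores are legal in DNS but not in hostnames, so they stand out here.
VALID_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed sample resolver log (assumed format: client qtype qname answer).
# The first line is the query name reported in the Fortinet post; the others are benign filler.
SAMPLE_LOG = """\
10.0.0.5 A 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com 95.211.131.67
10.0.0.5 A www.example.com 93.184.216.34
10.0.0.7 A mail.google.com 142.250.74.37
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded IDs score higher than words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_features(qname):
    """Compute structural indicators for one query name and an overall verdict."""
    labels = qname.rstrip(".").split(".")
    # Naive split: treat the last two labels as the registered domain.
    subdomain = ".".join(labels[:-2])
    feats = {
        "qname": qname,
        "labels": len(labels),
        "length": len(qname),
        "hex_labels": sum(1 for label in labels if HEX_LABEL.match(label)),
        "invalid_labels": sum(1 for label in labels if not VALID_HOST_LABEL.match(label)),
        "entropy": round(shannon_entropy(subdomain), 2),
    }
    indicators = [
        feats["labels"] >= 8,        # hostnames rarely exceed a handful of labels
        feats["length"] >= 80,       # long names are typical of encoded payloads
        feats["hex_labels"] >= 3,    # several ID/hash-like labels
        feats["invalid_labels"] >= 1,  # underscore or other non-hostname characters
    ]
    feats["score"] = sum(indicators)
    feats["suspicious"] = feats["score"] >= 2
    return feats


def analyze_log(log_text):
    """Return the feature records of every flagged query in the log text."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        client, _qtype, qname, answer = parts
        feats = query_features(qname)
        if feats["suspicious"]:
            feats["client"] = client
            feats["answer"] = answer
            flagged.append(feats)
    return flagged


if __name__ == "__main__":
    for rec in analyze_log(SAMPLE_LOG):
        print(f"{rec['client']} -> {rec['qname']} (answer {rec['answer']}) "
              f"labels={rec['labels']} hex={rec['hex_labels']} "
              f"invalid={rec['invalid_labels']} entropy={rec['entropy']} score={rec['score']}")
```

In practice the per-name score is only the first pass; the stronger signal is volume, so the same features are usually aggregated per registered domain (count of distinct subdomains, total bytes of query names per client) before alerting.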
Bibtex

```bibtex
@misc{BFR921,
  editor       = {Fortinet},
  author       = {Patrick Yu},
  title        = {Hiloti: the (bot)master of disguise},
  date         = {08},
  month        = Nov,
  year         = {2010},
  howpublished = {\url{http://blog.fortinet.com/hiloti-the-botmaster-of-disguise/}},
}
```