Hodprot: hot to bot

From Botnets.fr
Revision as of 04:16, 20 August 2015 by Eric.freyssinet (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

(Publication) Google search: [1]

Hodprot: hot to bot
Hodprot hot to bot.png
Botnet Hodprot, Carberp, Sheldor, RDPdoor, Shiz
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2011 / 2011-10-05
Editor/Conference ESET
Link http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf go.eset.com (PDF) (go.eset.com (PDF) Archive copy)
Author Eugene Rodionov, Aleksandr Matrosov, Dmitry Volkov


As discussed in our presentation at CARO2011 on "Cybercrime in Russia: Trends and issues", the number of Russian cybercrimes related to financial fraud and stealing money from bank accounts increased

significantly in the last year. Moreover we can see accelerated growth in the number of cybercrimes related to banking fraud in the second half of 2011. The most common malware families involved in incidents of banking fraud in Russia are:

  • Win32/Carberp
  • Win32/Shiz
  • Win32/Hodprot
  • Win32/Sheldor
  • Win32/RDPdoor

Here are the major regions of distribution of these banking Trojans:

  1. Russia
  2. Ukraine
  3. Kazakhstan

Attackers have focused on these countries because similar banking software and mechanisms for financial transactions are in use there. In the late spring and early summer of 2011, according to statistics of incidents provided by Group-IB, one of the most-used families of malware is Win32/Hodprot. This is an interesting family of Trojans which merits further discussion: it implements many sophisticated algorithms and anti-forensic mechanisms.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR1023,
   editor = {ESET},
   author = {Eugene Rodionov, Aleksandr Matrosov, Dmitry Volkov},
   title = {Hodprot: hot to bot},
   date = {05},
   month = Oct,
   year = {2011},
   howpublished = {\url{http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf go.eset.com (PDF)}},