The where and why of Hlux
(Publication) Google search: [1]
| The where and why of Hlux | |
|---|---|
| |
| Botnet | Hlux, Gbot, Virut, Bredolab |
| Malware | Hlux_(bot), TDSS |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | P2P |
| Date | 2012 / February 15 2012 |
| Editor/Conference | Kaspersky lab |
| Link | http://www.securelist.com/en/blog/663/The where and why of HLUX (Archive copy) |
| Author | Sergey Golovanov |
| Type | |
Abstract
“ This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?
Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines are not receiving commands from the C&C, so they’re not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.
The answers below refer to a new version of the HLUX botnet – it’s a different botnet but the malware being used is build using the same HLUX coding. Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR877,
editor = {Kaspersky lab},
author = {Sergey Golovanov},
title = {The where and why of Hlux},
date = {15},
month = Feb,
year = {2012},
howpublished = {\url{http://www.securelist.com/en/blog/663/The_where_and_why_of_HLUX}},
}