The where and why of Hlux


Botnet: Hlux, Gbot, Virut, Bredolab
Malware: Hlux (bot), TDSS
C&C protocol: P2P
Date: 2012 / February 15, 2012
Editor/Conference: Kaspersky Lab
Link: The where and why of HLUX (Archive copy)
Author: Sergey Golovanov


This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?

Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under our control: the infected machines are not receiving commands from the C&C, so they are not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation that cut the botnet and its backup infrastructure off from the C&C.

The answers below refer to a new version of the HLUX botnet. It is a different botnet, but the malware being used is built from the same HLUX code base. Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.


 @misc{<key garbled in source>2012BFR877,
   editor = {Kaspersky lab},
   author = {Sergey Golovanov},
   title = {The where and why of Hlux},
   date = {15},
   month = Feb,
   year = {2012},
   howpublished = {\url{}},
 }