The where and why of Hlux

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

The where and why of Hlux
Securelist1.png
Botnet Hlux, Gbot, Virut, Bredolab
Malware Hlux_(bot), TDSS
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol P2P
Date 2012 / February 15 2012
Editor/Conference Kaspersky lab
Link http://www.securelist.com/en/blog/663/The where and why of HLUX (Archive copy)
Author Sergey Golovanov
Type

Abstract

This is not the first time the HLUX botnet has been mentioned in this blog, but there are still some unanswered questions that we’ve been receiving from the media: What is the botnet’s sphere of activity? What sort of commands does it receive from malicious users? How does the bot spread? How many infected computers are there in the botnet?

Before answering the questions it’s important to clarify that the HLUX botnet we previously disabled is still under control and the infected machines are not receiving commands from the C&C, so they’re not sending spam. Together with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech, Inc., Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.

The answers below refer to a new version of the HLUX botnet – it’s a different botnet but the malware being used is build using the same HLUX coding. Analysis of a new bot version for the HLUX botnet (md5: 010AC0BFF69EB945108B57B40A4784BE, size: 882176 B) revealed the following information.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR877,
   editor = {Kaspersky lab},
   author = {Sergey Golovanov},
   title = {The where and why of Hlux},
   date = {15},
   month = Feb,
   year = {2012},
   howpublished = {\url{http://www.securelist.com/en/blog/663/The_where_and_why_of_HLUX}},
 }