Jump to content

FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation

« Previous Post | Main | Next Post »

Hexzone, RansomWare and, Finjan

At RSA 2009 today, Finjan announced that their research team has discovered a new botnet which they believe has already infiltrated about 1.9 million computers across the globe.  Although Finjan did not mention the name of the botnet in their blog post, VirusTotal scan results (for one of the secondary downloads) shown in their article identified it as the dropper for a known Trojan called Hexzone.

Hexzone coincidentally caught my attention while I was gathering material for my recent article about some emerging ransomware.  Hexzone has recently been seen downloading Trojan.Ransomlock, which blocks the user's access to all Windows resources and asks the victim for money (ransom) in return for unlocking their system.  For details please refer to Ransomware on the loose..

In this post, I will try to shed light on some missing details about Hexzone. Then I will show Hexzone's relationship with some other known malware, and in the end I will discuss my thoughts on the size of this un-named botnet.

Here is my initial analysis of the Hexzone sample mentioned in Finjan's report. Normally Hexzone resides on the victim machine in the form of a 'Browser Helper Object'.  The reason it injects itself into the browser as a plug-in is to hijack the user's browsing sessions in order to blackmail them.  Here is how it happens, as the user tries to browse any web page from the infected PC, this plug-in leads the user to a fake page, displaying porn contents. Along with porn contents a message is displayed in the Russian language.

Translated from Russian:

"to delete (porn contents) select country and sends code 3981134 to room number (different for each country)."

As I explained in my last article, these SMS codes use paid "rooms".  These "rooms" have a concept like 1900 numbers where it costs money to phone in.  Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender's balance and it gets transferred to the owner of the room.

Another shocking fact was that this page listed seven country names along with corresponding SMS room numbers. Our initial observation that this SMS based ransom is only being used within Russia no longer holds true.

Porn_ransom  

Now lets discuss the CnC part. Upon execution It tries to contact a remote CnC server having IP address 91.205.111.52 which is owned by UKNETCOM LTD.  Here is the complete WHOIS record.

inetnum:        91.205.108.0 - 91.205.111.255
netname:        UKNETCOM-NET
descr:          UKNETCOM Ltd
country:        GB
admin-c:        CJ1227-RIPE
tech-c:         CJ1227-RIPE
org:            ORG-UA129-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         UKNETCOM-UK-MNT
mnt-routes:     UKNETCOM-UK-MNT
source:         RIPE # Filtered

organisation:   ORG-UA129-RIPE
org-name:       UKNETCOM
org-type:       OTHER
address:        United Kingdom, London, Unit 7F Dukes Yard, Acme Road, Watford, WD24 5AL
e-mail:         
admin-c:        CJ1227-RIPE
tech-c:         CJ1227-RIPE
mnt-ref:        UKNETCOM-UK-MNT
mnt-by:         UKNETCOM-UK-MNT
source:         RIPE # Filtered

Interestingly, Trojan.RansomLock (as mentioned in my previous article) uses the same server for its CnC communication.

outbound communication for HexZone:

GET /getid.php?getcode=1&wid=60&client=unknown&u=4 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)

Host: 9aga999a9gg99a.com

Connection: Keep-Alive

outbound communication for Trojan.Ransomlock

GET /registerguid.php?guid={98607c80-9a71-494f-a81e-32b7bb536a0c}&wid=59&u=6&number=35743798&install=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: ogggooogoggoog.com
Connection: Keep-Alive

where 9aga999a9gg99a.com and ogggooogoggoog.com are currently resolving to same CnC (91.205.111.52.) in UK.

A reverse IP lookup on this IP shows 20 more domains hosted on the same CnC server..

0jgj144c12g44j.com
23g3aff8aigff3.com
3igi333i3gg33i.com
3lglcnnbcmgnnl.com
4jgj444j4gg44j.com
9aga999a9gg99a.com
9pgphllghpgllp.com
Csgsjzzjjcgzzs.com
D6g6ddd6dggdd6.com
Eigieeeieggeei.com
F3g3fff3fggff3.com
Fygyqrraq8grry.com
Ggggsggzszgggg.com
Iogoiiioiggiio.com
K8g8kkk8kggkk8.com
Lpgplllplggllp.com
Nlglnnnlnggnnl.com
Ogggooogoggoog.com
Rygyrrryrggrry.com
Uaga699h66g99a.com
Xgggyoozywgoog.com
Zsgszzzszggzzs.com

The domain whois shows all of these domains are owned by a person called Damir I Filatovskij.  It clearly shows that Hexzone CnCs are being shared by other malware as well.  This fact also became evident when I looked closely at the joebox.org analysis shown in Finjan's article.  There are some URLs mentioned in that picture which can clearly be identified as CnC communications for malware like Win32.AutoIt and WIn32.3proxy.

http://www.threatexpert.com/report.aspx?md5=bc86988ab7dffb540294eab076041e12

http://www.threatexpert.com/report.aspx?md5=cc87c6f09a7b7237dd95cd52ed203d3d

Hexzone_downloads

Evidence of this multilayered malware installation again gives weight to my observation that most modern malware do not live alone but instead form BotnetWebs.

It is possible that the zombie count discussed in the Finjan article includes zombies from multiple botnets instead of one. The idea that a central management system is being used to control the complete botnetweb instead of an individual bontnet looks more believable.  A large figure like 1.9 million zombies is also understandable when we think in terms of a botnetweb. Nothing can be said with complete confidence until Finjan's research team releases more information like MD5s of the parent dropper and/or the CnC coordinates.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM

Account Deleted on 2009.04.22 Botnet Activities / Outbreaks

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d835018afd53ef01156f4b5c64970c

Listed below are links to weblogs that reference Hexzone, RansomWare and, Finjan:

Recent Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

  • Thanks Finjan for this clarification,

    Yes definitely, it is what was described in earlier post by you guys and I illustrated the same fact as:
    From my post..

    "Although Finjan did not mention the name of the botnet in their blog post, VirusTotal scan results (for one of the *secondary* downloads) shown in their article identified it as the *dropper* for a known Trojan called Hexzone."
    Here, I am saying Hexzone as the secondary download and mega botnet as the dropper.

    Atif Mushtaq

    Atif Mushtaq on Hexzone, RansomWare and, Finjan

  • Dear FireEye,

    Finjan's blog post shows VirusTotal report and indicates on Hexzone as an executable the bot was instructed to download from the command center.

    Hexzone is not the bot itself but one out of many executables that the bot downloaded and executed on the infected PCs.

    Taken from the blog post:
    "This command instructs the bot on the infected computers to download and execute a Trojan horse. As indicates on the VirusTotal report below, only 4 out of 39 Anti-Virus products detected this Trojan."

    Finjan on Hexzone, RansomWare and, Finjan

  • if this guy is in the UK, why not simply shut him down?

    joe blow on Hexzone, RansomWare and, Finjan

The comments to this entry are closed.