FireEye Malware Intelligence Lab

In this post, I will try to shed light on some missing details about Hexzone. Then I will show Hexzone's relationship with some other known malware, and in the end I will discuss my thoughts on the size of this un-named botnet.

Here is my initial analysis of the Hexzone sample mentioned in Finjan's report. Normally Hexzone resides on the victim machine in the form of a 'Browser Helper Object'.  The reason it injects itself into the browser as a plug-in is to hijack the user's browsing sessions in order to blackmail them.  Here is how it happens, as the user tries to browse any web page from the infected PC, this plug-in leads the user to a fake page, displaying porn contents. Along with porn contents a message is displayed in the Russian language.

Translated from Russian:

"to delete (porn contents) select country and sends code 3981134 to room number (different for each country)."

As I explained in my last article, these SMS codes use paid "rooms".  These "rooms" have a concept like 1900 numbers where it costs money to phone in.  Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender's balance and it gets transferred to the owner of the room.

Another shocking fact was that this page listed seven country names along with corresponding SMS room numbers. Our initial observation that this SMS based ransom is only being used within Russia no longer holds true.

Now lets discuss the CnC part. Upon execution It tries to contact a remote CnC server having IP address 91.205.111.52 which is owned by UKNETCOM LTD.  Here is the complete WHOIS record.

inetnum:        91.205.108.0 - 91.205.111.255
netname:        UKNETCOM-NET
descr:          UKNETCOM Ltd
country:        GB
admin-c:        CJ1227-RIPE
tech-c:         CJ1227-RIPE
org:            ORG-UA129-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         UKNETCOM-UK-MNT
mnt-routes:     UKNETCOM-UK-MNT
source:         RIPE # Filtered

organisation:   ORG-UA129-RIPE
org-name:       UKNETCOM
org-type:       OTHER
address:        United Kingdom, London, Unit 7F Dukes Yard, Acme Road, Watford, WD24 5AL
e-mail:         
admin-c:        CJ1227-RIPE
tech-c:         CJ1227-RIPE
mnt-ref:        UKNETCOM-UK-MNT
mnt-by:         UKNETCOM-UK-MNT
source:         RIPE # Filtered

Interestingly, Trojan.RansomLock (as mentioned in my previous article) uses the same server for its CnC communication.

outbound communication for HexZone:

GET /getid.php?getcode=1&wid=60&client=unknown&u=4 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)

Host: 9aga999a9gg99a.com

Connection: Keep-Alive

outbound communication for Trojan.Ransomlock

GET /registerguid.php?guid={98607c80-9a71-494f-a81e-32b7bb536a0c}&wid=59&u=6&number=35743798&install=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: ogggooogoggoog.com
Connection: Keep-Alive

where 9aga999a9gg99a.com and ogggooogoggoog.com are currently resolving to same CnC (91.205.111.52.) in UK.

A reverse IP lookup on this IP shows 20 more domains hosted on the same CnC server..

0jgj144c12g44j.com
23g3aff8aigff3.com
3igi333i3gg33i.com
3lglcnnbcmgnnl.com
4jgj444j4gg44j.com
9aga999a9gg99a.com
9pgphllghpgllp.com
Csgsjzzjjcgzzs.com
D6g6ddd6dggdd6.com
Eigieeeieggeei.com
F3g3fff3fggff3.com
Fygyqrraq8grry.com
Ggggsggzszgggg.com
Iogoiiioiggiio.com
K8g8kkk8kggkk8.com
Lpgplllplggllp.com
Nlglnnnlnggnnl.com
Ogggooogoggoog.com
Rygyrrryrggrry.com
Uaga699h66g99a.com
Xgggyoozywgoog.com
Zsgszzzszggzzs.com

The domain whois shows all of these domains are owned by a person called Damir I Filatovskij.  It clearly shows that Hexzone CnCs are being shared by other malware as well.  This fact also became evident when I looked closely at the joebox.org analysis shown in Finjan's article.  There are some URLs mentioned in that picture which can clearly be identified as CnC communications for malware like Win32.AutoIt and WIn32.3proxy.

http://www.threatexpert.com/report.aspx?md5=bc86988ab7dffb540294eab076041e12

http://www.threatexpert.com/report.aspx?md5=cc87c6f09a7b7237dd95cd52ed203d3d

Evidence of this multilayered malware installation again gives weight to my observation that most modern malware do not live alone but instead form BotnetWebs.

It is possible that the zombie count discussed in the Finjan article includes zombies from multiple botnets instead of one. The idea that a central management system is being used to control the complete botnetweb instead of an individual bontnet looks more believable.  A large figure like 1.9 million zombies is also understandable when we think in terms of a botnetweb. Nothing can be said with complete confidence until Finjan's research team releases more information like MD5s of the parent dropper and/or the CnC coordinates.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM