The Latest in IT Security

MSRT March: Three Hioles in one


In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.


Similar to last month’s focus on Win32/Pramro, Win32/Hioles is another trojan that resides on the computer and functions as a proxy server. The first variant was identified in mid-2011. One popular infection vector for the malware is via spammed messages containing a downloader such as variants of Worm:Win32/Gamarue, also mentioned in a previous blog. Win32/Hioles may be present and execute in one of three ways:
  • as a direct action executable (.EXE)
  • as a dynamic link library (.DLL)
  • as a registered SSP (Security Support Provider)
When run, Win32/Hioles commonly drops its payload into the Application Data (%AppData%) folder as an executable with a misleading file name such as ‘KB995202.exe‘ and modifies the registry to run the .EXE at Windows login. The trojan could drop other code into the %TEMP% folder and execute it, as shown in following figure:   Win32/Hioles

Figure 1 – Win32/Hioles visible in Windows Task Manager

Running as a process named ‘svchost.exe‘ has two advantages; one in fooling your eyes, and two, in bypassing firewalls that use rules based on process names. When installed as a .DLL, ‘rundll32.exe‘ is used to load the trojan.

One advanced method that is rarely used in other malware families is to register the bootstrap DLL under the “%SystemRoot%\system32” folder as a Security Support Provider (SSP) so that it may be loaded into processes that try to initialize the SSPs. If the bootstrap is loaded by ‘rundll32.exe’ from the ‘Run’ key, the payload will be injected into current user’s ‘explorer.exe’ process, and in the case of being loaded as an SSP, the payload is executed directly in the current process space.   The three installation and execution methods used by Win32/Hioles are performed to conceal its execution, and maximize its installation success rate, for the sole purpose of providing multi-protocol (Socks4, Socks5, HTTP, HTTPS) proxy services to its C&C server. The payload is designed to be concentrated, and can be as small as 9 Kb in file size. Once loaded, it generates a unique ID for the affected system and initiates communication by sending the ID to the C&C server. The C&C server can instruct the malware to update the configured C&C server address, initiate a reverse proxy, drop the connection and other actions.   In the wild, we observed the malware communicating as a Socks5 proxy with a C&C server. The following is an example of a communication packet that instructs the malware to connect to the port 1002 (0x03EA in hex):   Win32/Hioles communication packet

Figure 2 – Win32/Hioles communication packet

Once connected, the C&C initiates a standard Socks5 handshake and sends a CONNECT request to a particular host via port 80.

In the above communications, Win32/Hioles functioned as a regular Socks5 proxy server. The HTTP traffic we observed included registering email accounts, browsing various websites and sending spam email messages. It appears as though the authors behind this botnet may be selling the network of infected computers, as evidenced by the C&C server in the above case being associated with an online proxy server merchant.

Win32/Pluzoks & Win32/Yeltminky Pluzoks is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware to an affected computer (see our description for more information).   Yeltminky is a worm that spreads by making copies of itself on all available drives. The worm changes the start page for Internet Explorer and also communicates with a remote server (see our description for more information).   And so concludes another round of “What’s in MSRT?“… The MMPC thanks you for reading and reminds you to stay safe on the roadway of the Internets. The following are SHA1 examples for malware mentioned in this blog.   Win32/Hioles:
3f0bb3f3d87851ccd2696062992237e409f73071   Win32/Pluzoks:
2bb914e1c61a8207734487fc8d9599734563953d   Win32/Yeltminky:

— Shawn Wang, MMPC

Leave a reply





Latest Comments

Social Networks