Looks like there is a new Botnet on the horizon. Win32/Heloag is treated as a Backdoor Trojan by many AV companies but appears to be a new kind of Botnet that uses P2P for communicating with its peers and Bot master. It's been out there for a while now.
A recent post by Arbor Networks on the Bot's analysis actually prompted me to have a closer look at this piece of malware. Either their report is missing something or I seem to have observed some additional activities that the Bot does! So here is some insight into the protocol the Bot uses for its communication with peers as well as its Bot Master.
Once infected, as usual the malware copies itself to the Windows system folder as a file with names such as "crse.exe" or "conme.exe". Some initial variants of this malware use TCP port 1106 for the communication with their Bot Master or Command & Control (C&C) server, whereas the newer variants appear to be using TCP port 8090.
The Bot uses a clear text payload with the first byte being used as an identifier of the message or activity that the C&C server wants the Bot to perform. During my analysis I observed the following messages:
0x01 – Initial Hello message (sent by Bot)
0x02 – Keep alive
0x03 – Peer information (sent by C&C)
0x04 – File download and execution (sent by C&C)
After infection, the Bot communicates with its C&C using the Hello message followed by the hostname. So, the 32 bytes of payload look something like this -
01 + Hostname + Null padding
As mentioned earlier, older variants must have been using TCP port 1106 to communicate; if a Bot still connects on that port, the C&C upgrades it to the latest version. The C&C uses the "04" command for this, and the message looks something like this:
04 + 2 bytes for no. of URLs + 64 bytes of payload info
payload = 00 00 + URL to fetch and execute + null padding
The upgraded Bot now starts using TCP 8090 for communication. Next, the C&C sends a "peers list" to the Bot for its P2P using the "03" command, which looks something like this:
03 + 2 bytes for no. of peers + 64 bytes of peer information
Peer information = 00 00 + Peer-IP + null padding + Peer-port
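To make the "04" and "03" layouts above concrete, here is a small decoder for captured C&C payloads (an added example, not code from the post or from the malware). It takes the record layout from the post; the byte order of the 2-byte count, the ASCII encoding of the IP and URL, and the peer port as the last two big-endian bytes of each record are my assumptions, and the sample messages are constructed, not captured traffic.

```python
import struct

RECORD_LEN = 64   # one 64-byte record per URL or peer, as described in the post
HELLO_LEN = 32    # 01 + hostname + null padding

def parse_heloag(buf: bytes) -> dict:
    """Decode one C&C message by its leading type byte."""
    if not buf:
        raise ValueError("empty payload")
    kind = buf[0]
    if kind == 0x01:  # Hello: 01 + hostname + null padding
        host = buf[1:HELLO_LEN].rstrip(b"\x00").decode("ascii", "replace")
        return {"type": "hello", "hostname": host}
    if kind == 0x02:
        return {"type": "keepalive"}
    if kind in (0x03, 0x04):
        count = struct.unpack(">H", buf[1:3])[0]      # ASSUMPTION: big-endian count
        records = [buf[3 + i * RECORD_LEN: 3 + (i + 1) * RECORD_LEN] for i in range(count)]
        if any(len(r) != RECORD_LEN for r in records):
            raise ValueError("truncated record list")   # count claims more than was sent
        if kind == 0x04:  # payload = 00 00 + URL + null padding
            urls = [r[2:].rstrip(b"\x00").decode("ascii", "replace") for r in records]
            return {"type": "download_exec", "urls": urls}
        peers = []        # peer info = 00 00 + IP + null padding + port
        for r in records:
            port = struct.unpack(">H", r[-2:])[0]      # ASSUMPTION: port in last 2 bytes
            ip = r[2:-2].rstrip(b"\x00").decode("ascii", "replace")
            peers.append((ip, port))
        return {"type": "peers", "peers": peers}
    return {"type": "unknown", "code": kind}

def make_record(body: bytes, trailer: bytes = b"") -> bytes:
    """Build one 64-byte record: 00 00 + body + null padding (+ optional trailer)."""
    pad = RECORD_LEN - 2 - len(body) - len(trailer)
    if pad < 0:
        raise ValueError("body too long for a 64-byte record")
    return b"\x00\x00" + body + b"\x00" * pad + trailer

# Constructed sample messages using reserved documentation addresses (not real C&C traffic)
SAMPLE_HELLO = b"\x01" + b"WORKSTATION-7".ljust(HELLO_LEN - 1, b"\x00")
SAMPLE_PEERS = (b"\x03" + struct.pack(">H", 2)
                + make_record(b"192.0.2.10", struct.pack(">H", 7105))
                + make_record(b"198.51.100.7", struct.pack(">H", 9101)))
SAMPLE_DL = b"\x04" + struct.pack(">H", 1) + make_record(b"http://example.invalid/update.exe")

if __name__ == "__main__":
    for msg in (SAMPLE_HELLO, SAMPLE_PEERS, SAMPLE_DL):
        print(parse_heloag(msg))
```

Fed with payloads carved from a TCP 1106/8090 capture, the decoded URLs and peer addresses are the indicators worth blocking and hunting for.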
Unlike what the Arbor Networks report said, I observed the P2P communication on TCP as well as UDP ports. At the time of the analysis, the Bot was using the port range 7105 - 7506 for TCP as well as the port range 9101 - 9301 for TCP & UDP.
It exchanged huge amounts of traffic on the UDP ports - almost 15MB in a very short time! Though the UDP payload appeared to be encrypted, it was exactly 100 bytes in length. Also, the purpose of its P2P communication is not known yet.
While I have not done a static analysis yet, I guess that the choice of TCP or UDP is determined on the basis of the port range itself and must be hardcoded in the binary, as that info is not passed on by the C&C as part of its protocol.
Whether or not this is an entirely new Botnet is doubtful, but the communication protocol does appear to be different from what I have seen before in other botnets such as Conficker or Waledac.
That's it for now. I will be playing around a bit more with this. Will update if I find something new. Following are the MD5 hashes of the binaries used for this analysis -
b36a68304cec89cf35ddaea8a7e8406d
6a5759f5e32253e06217baa6e1b1dbe1
ed96a6175f00e21df631b295b3019f6a
Stay tuned!