Hexzone was in the hot seat three weeks ago when it was discovered infecting 1.9 million PCs. The debate continues about the exact size and nature of this botnet. We managed to obtain a sample of Hexzone and did some analysis.
While analyzing Hexzone, we observed some interesting things about its affiliate malware and the bot itself. Once a PC is infected, the criminal behind this botnet can execute virtually anything on the system. It turns the computer into a real mess where all sorts of malware binaries are being installed. One of the more notorious pieces of malware that Hexzone downloaded is Virut, which we discussed in a previous blog. Virut, too, is capable of downloading anything the command and control server wants to install on the infected system.
On the infected PC where Hexzone is running, Virut is downloaded and executed. Virut then connects to its control server and receives commands to download and execute additional malware:
Both URLs in the screenshot above are actually executable files of a downloader Trojan. At this point, things are getting really nasty. Password stealers, adclickers, email harvesters, an Internet Explorer hijacker and other malware binaries are being downloaded and executed on the infected system.
When we checked the downloaded password stealer, we saw it capturing credentials from Google Mail, Yahoo, Hotmail, World of Warcraft, and Battle.net accounts and sending the stolen data to a server located at 63.220.4.178. We tried to log in to Gmail using a fake username and password, and here is a screenshot of what the malware sends to the remote server:
One of the other malware samples on the infected system harvests email addresses from the disk. The harvested data is sent to a remote server, most probably for spamming purposes.
In the midst of this mess, we observed Pushdo together with Grum being installed by Virut. Perhaps one of the reasons why these spambots are two of the most aggressive spammers is their affiliation with Virut as a major "distributor".
In observing Pushdo/Cutwail, we noticed a high volume of TCP traffic that connected to mail.live.com (Hotmail). It seems Pushdo is now using this free email service to send spam in addition to its normal SMTP spam. This link is something that others have also observed. Pushdo attempts to log in to a Hotmail account every few minutes and tries to send spam. Below is a packet screenshot where Pushdo attempts to log in using one of its Hotmail accounts:

These are just a few of the malware binaries that Hexzone and Virut download and install on an infected system. In a sense, Hexzone is just a distribution mechanism for more malware, especially spambots. Moreover, the system keeps changing and updating. Hexzone may download this set of malware today, but tomorrow is likely to be a completely different story.
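As an added illustration (not part of the original post), here is a small Python script that flags the Hotmail login cadence described above: internal hosts that contact mail.live.com at a near-constant interval of a few minutes, which a person using webmail in a browser rarely does. The log format, timestamps and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the original analysis):
# "date time src_ip dst_host dst_port". Host 10.0.0.7 beacons to
# mail.live.com roughly every 3 minutes; 10.0.0.12 browses normally.
SAMPLE_LOG = """\
2009-06-01 10:00:05 10.0.0.7 mail.live.com 80
2009-06-01 10:00:40 10.0.0.12 mail.live.com 80
2009-06-01 10:03:06 10.0.0.7 mail.live.com 80
2009-06-01 10:06:04 10.0.0.7 mail.live.com 80
2009-06-01 10:09:07 10.0.0.7 mail.live.com 80
2009-06-01 10:12:05 10.0.0.7 mail.live.com 80
2009-06-01 10:13:00 10.0.0.12 www.example.com 80
2009-06-01 11:45:00 10.0.0.12 mail.live.com 80
"""

WEBMAIL_HOSTS = {"mail.live.com"}  # webmail front ends to watch


def parse_log(text):
    """Parse the constructed log lines into (timestamp, src, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, host, _port = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), src, host))
    return events


def find_beaconing_hosts(events, min_hits=4, max_jitter=0.2):
    """Return {src: mean_interval_seconds} for sources that contact a
    webmail host at least min_hits times with inter-arrival times whose
    relative spread (stdev / mean) is at most max_jitter."""
    by_src = defaultdict(list)
    for ts, src, host in events:
        if host in WEBMAIL_HOSTS:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = round(avg)  # regular beacon: report its period
    return flagged


if __name__ == "__main__":
    for src, period in find_beaconing_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{src} contacts webmail every ~{period}s")
```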