Arbor Networks Detected a New P2P Botnet
Arbor Networks security researchers have detected a new botnet built from PCs infected with the Heloag Trojan.
Trojan.Heloag is a Trojan horse crafted specifically to control the installation of other malicious software on the infected system. It gives attackers complete control of the machine and lets them install arbitrary further malware on it. The security firm noted that, on closer inspection, the bot does not appear to contain any DDoS capability; it seems only to control the downloads made on the infected system.
According to Dennis Fisher of threatpost, once the Trojan is on the system it copies itself into the Windows directory and then adds a registry key that ensures the malware is loaded at startup, as reported by eSecurity Planet on April 14, 2010.
Fisher further added that the Heloag Trojan effectively hands the attacker complete control of the infected computer, giving him a platform from which other malware can easily be loaded.
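The persistence described above (a copy in the Windows directory plus a registry key that runs it at boot) is the kind of thing an analyst checks first on a suspect host. The following is an added example, not code from Arbor Networks, threatpost or SPAMfighter: it parses a `.reg` export of the usual autostart keys and flags any entry whose command line references a file sitting directly in the Windows directory. It assumes the startup key is a `...\CurrentVersion\Run` or `RunOnce` key (the article only says "a registry key"), and the sample export, value names and paths are constructed for the example.

```python
"""Triage autostart (Run/RunOnce) entries from a Windows registry export.

Added example, not code from Arbor Networks, threatpost or SPAMfighter.
Assumptions: the startup entry the article describes sits under a
...\\CurrentVersion\\Run or RunOnce key (the article only says "a registry
key that loads it at startup"), and the malware body lives directly in the
Windows directory. Export such a key with, for example,
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
and read the file with encoding="utf-16" (reg.exe writes UTF-16LE).
"""
import re
from pathlib import PureWindowsPath

# Section header of a Run/RunOnce key in .reg syntax, e.g.
# [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RUN_KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]*\\(?:Run|RunOnce))\]$", re.IGNORECASE)
# A REG_SZ value line: "name"="data" (backslashes and quotes are escaped in .reg files)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# A drive-letter path, either quoted (may contain spaces) or bare
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}

# Constructed sample export (not from a real infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\""
"svchosts"="C:\\Windows\\svchosts.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"update"="C:\\WINDOWS\\system32\\wscript.exe //B C:\\Windows\\upd.vbs"
'''


def unescape_reg(data):
    r"""Undo .reg string escaping (\\ becomes \ and \" becomes ") in one pass."""
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_run_entries(reg_text):
    """Return (key, value_name, command_line) for every value under a Run/RunOnce key."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # start of a new key section
            m = RUN_KEY_RE.match(line)
            current_key = m.group("key") if m else None
        elif current_key:
            m = VALUE_RE.match(line)
            if m:
                entries.append((current_key, m.group("name"), unescape_reg(m.group("data"))))
    return entries


def windows_root_paths(command_line):
    """Paths in the command line whose parent directory is the Windows directory itself."""
    hits = []
    for quoted, bare in PATH_RE.findall(command_line):
        path = PureWindowsPath(quoted or bare)
        if str(path.parent).lower() in WINDOWS_ROOTS:
            hits.append(str(path))
    return hits


def suspicious_autostarts(reg_text):
    """Autostart entries that reference a file dropped directly into the Windows directory."""
    flagged = []
    for key, name, cmd in parse_run_entries(reg_text):
        hits = windows_root_paths(cmd)
        if hits:
            flagged.append({"key": key, "value": name, "command": cmd, "paths": hits})
    return flagged


if __name__ == "__main__":
    for entry in suspicious_autostarts(SAMPLE_REG):
        print(f"{entry['key']}\\{entry['value']}: {entry['command']}  <- {entry['paths']}")
```

On the constructed export this flags the `svchosts` entry (a binary directly under `C:\Windows`) and the `update` entry (a script under `C:\Windows` launched through the legitimate `wscript.exe`), while leaving the Defender and OneDrive entries alone. It is a triage heuristic, not a verdict: a few legitimate programs do live in the Windows root, and the article gives no file name for the Heloag dropper, so anything flagged still has to be hashed and examined.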
Jose Nazario, an Arbor researcher, explains that the Trojan not only calls out to its C&C (command and control) server to download new files and receive commands, but also establishes connections with other infected systems over TCP. Some earlier botnets, such as Nugache, have shown this kind of peer-to-peer (P2P) communication, as reported by threatpost on April 13, 2010.
Experts said that in some cases this kind of P2P channel is itself used as a form of command and control, with peers passing updated executables or commands to one another. Such a channel can serve either as a backup for the centralized C&C structure or as the primary C&C mechanism, which makes it much harder for ISPs or researchers to identify and take down the controlling machines.
In Heloag's case, the purpose of the peer-to-peer communication is not yet clear, Nazario said.
Arbor Networks further disclosed that the samples studied were downloaded from elwm.net or 7zsm.com, and that the malware can use those domains to download additional files. The size of the botnet is still unknown, but the researchers do see some infected users in the wild.
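The two download domains named above are the only network indicators the report gives, and the practical use of such indicators is to search resolver or proxy logs for hosts that talked to them. The following is an added example, not code from Arbor Networks or SPAMfighter: it scans BIND-style query log lines for those two domains and their subdomains, matching on whole DNS labels so that look-alike names such as `notelwm.net` or `7zsm.com.example.org` do not produce false positives, and groups the hits by client address. The log format, timestamps and client IPs are constructed for the example; only the two domain names come from the article.

```python
"""Flag DNS query log lines that reference the download domains named in the
Arbor Networks report on Heloag.

Added example, not Arbor Networks' or SPAMfighter's code. The log lines,
timestamps and client IPs below are constructed; only the two domain names
come from the article.
"""
import re
from collections import defaultdict

# Indicator domains from the article (as of April 2010).
IOC_DOMAINS = {"elwm.net", "7zsm.com"}

# Matches the query part of a BIND-style log line:
#   client 10.0.0.15#51234: query: dl.elwm.net IN A + (10.0.0.1)
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
Apr 14 10:01:02 ns1 named[1234]: client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.1)
Apr 14 10:01:05 ns1 named[1234]: client 10.0.0.15#51235: query: dl.elwm.net IN A + (10.0.0.1)
Apr 14 10:01:06 ns1 named[1234]: client 10.0.0.22#40022: query: 7zsm.com IN A + (10.0.0.1)
Apr 14 10:01:09 ns1 named[1234]: client 10.0.0.22#40023: query: notelwm.net IN A + (10.0.0.1)
Apr 14 10:01:11 ns1 named[1234]: client 10.0.0.31#33311: query: 7zsm.com.example.org IN A + (10.0.0.1)
Apr 14 10:02:40 ns1 named[1234]: client 10.0.0.15#51240: query: update.7zsm.com IN A + (10.0.0.1)
"""


def indicator_for(hostname):
    """Return the indicator domain that hostname equals or is a subdomain of, else None.

    Comparing whole labels (exact match or a '.'-separated suffix) avoids the
    substring false positives a plain 'in' test would give, e.g. 'notelwm.net'.
    """
    host = hostname.lower().rstrip(".")   # case-insensitive, drop trailing root dot
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_dns_log(text):
    """Map each client IP to the list of (queried name, matched indicator) pairs."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue                       # not a query line; skip
        matched = indicator_for(m.group("qname"))
        if matched:
            hits[m.group("ip")].append((m.group("qname"), matched))
    return dict(hits)


if __name__ == "__main__":
    for client, queries in sorted(scan_dns_log(SAMPLE_LOG).items()):
        print(client, queries)
```

On the sample log the scan attributes `dl.elwm.net` and `update.7zsm.com` to 10.0.0.15 and `7zsm.com` to 10.0.0.22, and ignores the two look-alike names. Indicators like these age quickly: the report is from April 2010, and domains get sinkholed, expire and are re-registered, so the set should be dated and reviewed rather than carried forward indefinitely.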
» SPAMfighter News - 24-04-2010