Contributed by: Nono Gwabe
Date: April 27, 2009
Up and Coming Botnet uses Hexzone Trojan to Infect Computers

Last Tuesday, security vendor Finjan reported the discovery of a new botnet that had already compromised almost two million computers. The botnet, which is said to be run by a gang of six, has apparently been in operation since February and is the largest botnet under the control of a single group that Finjan has found this year.
The botnet's command and control server was found in Ukraine. Through a security vulnerability in that server, Finjan was able to access a few of its directories and learn more about the botnet. To spread, it appears that certain websites were seeded with a Trojan horse that exploited holes in Internet Explorer and Firefox.
The botnet was found to have infected computers in several different countries. A whopping 45% of the compromised computers are located in the United States, followed by 6% in the United Kingdom. Other affected countries were Canada, France and Germany, and almost 80 government-owned domains were infected.
Apparently Finjan confirmed that a mere four out of thirty-nine anti-virus products were able to detect the Trojan horse. Among them was NOD32, which identified the infection as Win32/Hexzone.AP. Symantec, Trend Micro, AntiVir and McAfee, to name a few, were not able to identify the infection.
I could not find a multi-scanner analysis of NOD32's Win32/Hexzone.AP, but I was able to find one for AQ. I will assume that this is an even later variant, because its variant letter comes later in the alphabet, and probably the newest version.
| Antivirus Vendor | Alias name |
|---|---|
| NOD32 | Win32/Hexzone.AQ |
| VBA32 | Trojan-Ransom.Win32.Hexzone.ain |
| Sophos | Mal/Generic-A |
| Norman | W32/Hexzone.AAN |
| McAfee-GW-Edition | Trojan.BHO.Gen |
| McAfee+Artemis | Generic!Artemis |
| K7AntiVirus | Trojan.Win32.Malware.1 |
| Ikarus | Trojan-Ransom |
| GData | Win32:Trojan-gen {Other} |
| F-Prot | W32/Hexzone.B.gen!Eldorado |
| AVG | Generic13.TJE |
| Avast | Win32:Trojan-gen {Other} |
| Authentium | W32/Hexzone.B.gen!Eldorado |
| a-squared | Trojan-Ransom!IK |
| AntiVir | TR/BHO.Gen |

Table 1. Alias names of the Trojan
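As an added example (not code from the original post or from any of the vendors named), the script below takes the alias names from Table 1 and works out which vendors actually name the Hexzone family and which return only a generic or heuristic verdict; the token filter used to separate family names from category and platform tags is a simplifying assumption of this example.

```python
import re
from collections import Counter

# Vendor -> detection label, copied from Table 1 above.
ALIASES = {
    "NOD32": "Win32/Hexzone.AQ",
    "VBA32": "Trojan-Ransom.Win32.Hexzone.ain",
    "Sophos": "Mal/Generic-A",
    "Norman": "W32/Hexzone.AAN",
    "McAfee-GW-Edition": "Trojan.BHO.Gen",
    "McAfee+Artemis": "Generic!Artemis",
    "K7AntiVirus": "Trojan.Win32.Malware.1",
    "Ikarus": "Trojan-Ransom",
    "GData": "Win32:Trojan-gen {Other}",
    "F-Prot": "W32/Hexzone.B.gen!Eldorado",
    "AVG": "Generic13.TJE",
    "Avast": "Win32:Trojan-gen {Other}",
    "Authentium": "W32/Hexzone.B.gen!Eldorado",
    "a-squared": "Trojan-Ransom!IK",
    "AntiVir": "TR/BHO.Gen",
}

# Assumed list of tokens that denote a category, platform or heuristic engine
# rather than a malware family (Artemis and Eldorado are engine names).
NOISE = {"trojan", "ransom", "generic", "other", "malware", "artemis", "eldorado"}


def family_tokens(label):
    """Candidate family names in one vendor label: alphabetic runs of 4+ letters
    (this drops Win32/W32/TR tags and short variant suffixes such as AQ or ain)
    that are not on the noise list, lower-cased for cross-vendor comparison."""
    return [t.lower() for t in re.findall(r"[A-Za-z]{4,}", label)
            if t.lower() not in NOISE]


def family_consensus(aliases):
    """Vote across vendors; returns (family, sorted vendors naming it) or (None, [])."""
    votes, named_by = Counter(), {}
    for vendor, label in aliases.items():
        for fam in set(family_tokens(label)):
            votes[fam] += 1
            named_by.setdefault(fam, []).append(vendor)
    if not votes:
        return None, []
    family = votes.most_common(1)[0][0]
    return family, sorted(named_by[family])


def generic_only(aliases):
    """Vendors whose label carries no family name at all (generic/heuristic hits)."""
    return sorted(v for v, label in aliases.items() if not family_tokens(label))


if __name__ == "__main__":
    fam, vendors = family_consensus(ALIASES)
    print(f"family consensus: {fam} ({len(vendors)} vendors: {', '.join(vendors)})")
    print(f"generic-only verdicts: {', '.join(generic_only(ALIASES))}")
```

With the table as given, five of the fifteen vendors agree on the Hexzone family while the other ten only report a generic or behavioural category, which is why pivoting on a single vendor's alias is unreliable when correlating detections.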
We hear about new malicious botnets being created all the time; even Mac machines are susceptible to them now. The question that comes to mind is: how can we stop these botnets? Joe Stewart, director of the SecureWorks malware research team, believes that to do this we will have to get into the minds of cyber-criminals and analyze what motivates them to create botnets. He concluded that a cyber-criminal's decision to start a botnet depends on three things: risk, effort and reward. If a global treaty could be formed that aims to increase the risk, raise the effort and decrease the reward that cyber-criminals receive from creating botnets, there would be a significant decrease in the creation of malicious botnets.
User Comments
http://www.computerguard.de
Official Dr.Web, Avira, Eset, Symantec German Support Board