New P2P Botnet Forming

2010-04-13T17:31:29
ID THREATPOST:35F547383F06D42DCCA8B15C8F2F9E44
Type threatpost
Reporter Dennis Fisher
Modified 2018-08-15T13:01:06

Description

Security researchers have identified a newly formed botnet that comprises machines infected with a Trojan specifically designed to manage the downloading and installation of a spectrum of other malicious software.

The Trojan, known as Heloag, installs itself on PCs after being downloaded from one of two domains: 7zsm.com or elwm.net, according to an analysis by Arbor Networks. Once on the machine, the Trojan loads itself into the Windows directory and installs a registry key that ensures the malware will be loaded during the startup routine.

It then makes a connection to the C&C server for the botnet, often on TCP port 8090, to register itself and await commands. Traffic is usually preceded by a single byte to indicate the message purpose:

  • 01 – initial hello
  • 02 – keep alive, idle message
  • 03 – download the named file
  • 04 – connect to other peers
  • 05 – send hostname to server
  • 06 – clear
  • 07 – close connection
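
As an added defensive example (not code from the article or from Arbor's analysis), the following classifier applies the opcode list above to the client-to-server messages of a captured TCP session: it checks that every message starts with a known type byte, that the session opens with the 01 hello, and whether the destination port or later commands add weight. The port, opcode and domain values come from the article; the session payloads and the scoring threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

HELOAG_PORT = 8090  # port the article says the C&C connection often uses
HELOAG_OPCODES = {  # single leading byte that states the message purpose
    0x01: "initial hello", 0x02: "keep alive", 0x03: "download file",
    0x04: "connect to peers", 0x05: "send hostname", 0x06: "clear",
    0x07: "close connection",
}
HELOAG_DROP_DOMAINS = {"7zsm.com", "elwm.net"}  # download domains named in the article


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)   # indicators that matched
    sequence: list = field(default_factory=list)  # decoded message types, in order


def classify_session(dst_port, payloads):
    """Inspect one TCP session's client->server messages (bytes, in order).

    The first byte of each message is read as the opcode; an empty message or
    a byte outside 01..07 means the session is not this protocol at all.
    """
    verdict = Verdict(False)
    if not payloads:
        return verdict
    opcodes = [p[0] for p in payloads if p]
    if len(opcodes) != len(payloads) or any(op not in HELOAG_OPCODES for op in opcodes):
        return verdict
    verdict.sequence = [HELOAG_OPCODES[op] for op in opcodes]
    if opcodes[0] == 0x01:
        verdict.reasons.append("session opens with 0x01 hello")
    if dst_port == HELOAG_PORT:
        verdict.reasons.append("destination port 8090")
    if 0x03 in opcodes:
        verdict.reasons.append("download command seen")
    if 0x04 in opcodes:
        verdict.reasons.append("peer-connect command seen")
    # Assumed threshold: the hello plus at least one more indicator, to limit
    # false positives from unrelated protocols whose first byte happens to be 01.
    verdict.suspicious = opcodes[0] == 0x01 and len(verdict.reasons) >= 2
    return verdict


def is_heloag_drop_domain(hostname):
    """True if a DNS query or HTTP Host value is one of the two download domains."""
    return hostname.lower().rstrip(".") in HELOAG_DROP_DOMAINS


if __name__ == "__main__":
    # Constructed sample session: hello, hostname report, idle, download, close.
    sample = [b"\x01", b"\x05WORKSTATION-7", b"\x02", b"\x03update.exe", b"\x07"]
    print(classify_session(8090, sample))
    print(classify_session(443, [b"\x16\x03\x01"]))  # TLS ClientHello: not a match
```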

The Heloag Trojan effectively gives the attacker complete control of the infected machine, and provides a simple platform for him to load other malicious software.

Arbor researcher Jose Nazario said that the Trojan not only calls out to the command-and-control server in order to download new files and get commands, it will also connect with other infected machines over TCP. This kind of peer-to-peer communication has been seen in a few botnets in the past, including Nugache and others.

In some cases it’s used as a form of command-and-control, with the peers passing commands or updated executables to one another. This can serve either as a backup for the main, centralized C&C structure, or as the primary C&C mechanism, making it more difficult for researchers or ISPs to identify and take down the controlling machines.

Nazario said that in the case of Heloag, it’s unclear what the peer-to-peer communications are being used for.