In their presentation “Cybercrime in Russia: Trends and issues” at CARO2011 — one of the best presentations of the workshop, in my unbiased opinion ;-) — Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov mentioned the Win32/Hodprot malware family, which seems to be undergoing something of a resurgence.

[In their presentation “Cybercrime in Russia: Trends and issues” at CARO2011 — one of the best presentations of the workshop, in my unbiased opinion ;-) — Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov mentioned the Win32/Hodprot malware family, which seems to be undergoing something of a resurgence. But why don’t I let them tell you about it? – DH]

Statistics on bank fraud provided by Group-IB (our partners in Russia dealing with cybercrime investigation) are in accordance with our own, indicating that the period when the bot was most active was the spring of 2011.





Figure 1: Detection statistics from ThreatSense.NET (01.01.2010-30.06.2011)

The main purpose of the bot is banking fraud: it supports additional modules and trojan programs in order to target the most popular online Russian banking systems (BSS, IBank, Inist). This suggests that Win32/Hodprot targets Russia and the former Soviet republics.

Here are self-explanatory statistics relating to the bot's distribution by region:

Figure 2 Statistics by region from ThreatSense.NET (01.01.2010-30.06.2011)

In every case of bank fraud connected with Win32/Hodprot, a great deal of money has been stolen. On average, each fraudulent operation pulls in several hundred thousand USD.

More interestingly, the Win32/Hodprot botnet is connected to other botnets working in the field of bank fraud in Russia. In particular, it is Win32/Hodprot that was used to download Win32.Sheldor, Win32/RDPdoor and Win32/Platcyber onto the victims’ machines. The period of time when Win32/Sheldor and Win32/RDPdoor appear to have been most active matches that of Win32/Hodprot.

Taking into account its implementation details Win32/Hodprot is a very complex threat, designed to deeply penetrate into an infected system and stay hidden for a long time. Here is the algorithm for infecting the system:

The main modules of the malware are stored in the system registry (HKLMSOFTWARESettings) rather than being stored as files in the file system. Here are the values of the registry key for storage of the payload:

ErrorControl

CoreSettings

HashSeed

PnPData

This makes forensics much more difficult: it is very difficult to find the malicious payload since there is no corresponding file in the file system. In order to protect the payload’s privacy, it relies on an intricate customized encryption algorithm. In addition the bot employs quite a complex technique in order to survive a reboot. In the next figure you can see the protocol by which it communicates with the C&C (Command and Control) server and downloads the payload.

Win32/Hodprot uses advanced techniques to infect the system and stay hidden which distinguish it from other malware. We will release a detailed analysis of the threat shortly.

David Harley, Aleksandr Matrosov, Eugene Rodionov and Dmitry Volkov