Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky.
Figure 1 - Win32/Hioles visible in Windows Task Manager
Running as a process named 'svchost.exe' has two advantages; one in fooling your eyes, and two, in bypassing firewalls that use rules based on process names. When installed as a .DLL, 'rundll32.exe' is used to load the trojan.
Figure 2 - Win32/Hioles communication packet
Once connected, the C&C initiates a standard Socks5 handshake and sends a CONNECT request to a particular host via port 80.
-- Shawn Wang, MMPC