Hiloti: the (Bot)Master of Disguise
Some interesting DNS queries were captured earlier on while Patrick Yu was analyzing a Hiloti sample downloaded from a Bredolab server. Both Hiloti and Bredolab are bots that download and install other malware pieces on the infected computer they run on (for financial gain, more on this below).
Here’s the actual DNS query: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
This apparently invalid hostname surprisingly resolved to 220.127.116.11, which is also the nameserver responsible for the a4h9uploading.com domain. Very plausibly, what this request means is that the Hiloti botmaster is using this custom DNS server to receive information from its bots. And this information could very well be a “successful installation” message, as well as an ID to identify the “affiliate” responsible for the installation (in this case, Bredolab).
Many malware pieces today have such a reporting mechanism, in order to inform their masters about what has been successfully installed and by whom; this enables a pay-per-install (PPI) business model, where affiliates receive payment proportional to the number of malware installs they performed. But while we have seen many ways of reporting this data, using legitimate DNS queries is indeed a discrete way to do so…
The bot then downloaded some encrypted files from a free file-hosting server:
REXML could not parse this XML/HTML: <long hex string ommitted> http: //172907da1020.gabspan.net/get2.php?c=EDTXBPHH&d=<long hex string ommitted> http: //172907da1020.truminfi.com/get2.php?c=EDTXBPHH&d=<long hex string ommitted>
When a file is uploaded, the server does return download URLs similar to the ones the bots used to download files. However, the server always returns “file not found” when the URLs are used to retrieve uploaded files. Further investigation revealed that the bots communicated with this server via encrypted C&C messages (such as aid, uid, old_uid, etc.), which made it clear that this server is indeed a dedicated C&C server for the Hiloti botnet, rather than a file hosting server as the front page leads us to think. What is particularly vicious in this case is that the file hosting part is (partly) implemented…
A decrypted C&C communication looks like this:
Bot to server: aid=1148&mid=s02101028&old_uid=bc7a3d45&uid=4EA7354FA6A94244979960544C9D7D3A&binver=173&hid=96256954&adm=1&osver=5_1&_tck=0000271015&proc=Explorer.EXE&ld1_e=1&clnt_e=0&w64=0&f=02&delay=00000001&cndl=C4V0-template&idate=1288279172&EOR
Server to bot:
Who’s behind this?
The file-hosting server that Hiloti downloads binaries from (18.104.22.168) is registered to:
Although the ISP is in Singapore, the spelling of the name (LIN QING PING) and the contact email (firstname.lastname@example.org) suggest that this IP block is sublet to someone in mainland China (518 sounds like “I will be rich” in Mandarin and qq is a very popular instant messaging tool in China).
The two DNS servers used for reporting, as well as all the DNS servers responsible for the file-hosting domain, are under the same AS (16265) from the same ISP (LeaseWeb) in the Netherlands, from which over 100 Bredolab C&C servers were taken down by the Dutch police recently. There might be some connection between the Hiloti botnet and Bredolab, but we don’t have enough info on the Dutch police takedown as of now.
The Hiloti bots are downloaded by multiple botnets and the C&C servers have been operating since at least early September, 2010. All of this indicates that this botnet is potentially large and the owner definitely wants to keep a low profile.
This DNS bot is detected by FortiGuard AV as “W32/Hiloti.D!tr”, and FortiGuard webfiltering detects the listed download domains as malware. We have notified hosting providers of both the illegitimate NS and malware hosting domains.