
Win32/Hiloti


First posted on 02 May 2012.
Source: Microsoft

Aliases :

Win32/Hiloti is also known as Trojan.Zefarch (Symantec).

Explanation :



Win32/Hiloti is a family of trojans that interferes with an affected user's browsing habits and downloads and executes arbitrary files.



Installation

There are a variety of ways in which Win32/Hiloti may be distributed in the wild. Social engineering is a common distribution vector: many Hiloti executables are found on file-sharing networks, disguised as game cracks, program installers, cracked software, movie and music files, and so on.

Another common way in which Hiloti is distributed is through other malware. Hiloti has been seen installed or downloaded onto compromised computers by various malware families and variants. The following families and variants have been known to install or download Hiloti:

  • Multiple variants of the Worm:Win32/Vobfus family
  • Rogue:Win32/FakeRemoc
  • Trojan:Win32/FakeSysdef
  • Trojan:Win32/Vundo.gen!AU
  • Trojan:Win32/Vundo.LO
  • TrojanDownloader:Win32/Branvine.A
  • TrojanDownloader:Win32/Bredolab
  • TrojanDownloader:Win32/Hulstor.A
  • TrojanDropper:Win32/Hipaki.A
  • TrojanDropper:Win32/Vobfus.D
  • Win32/FakePowav
  • Win32/Oficla


In addition to the above, many other malware families have been found installed on compromised computers alongside Win32/Hiloti. For instance, Trojan:Win32/Podjot.A may be downloaded by Hiloti, and TrojanDropper:Win32/Hiloti variants install Hiloti together with various other malware families.

Please refer to the description for TrojanDropper:Win32/Hiloti.gen!A for a list of malware this trojan has been observed installing.

When executed, the malware copies itself to the Windows folder under a randomly generated file name (for example %windir%\svdetrxt.dll). It modifies this copy so that Windows treats it as a DLL rather than as a standalone executable, which allows the file to be loaded into other processes.

The trojan then creates a randomly named registry entry in which it stores configuration information, for example:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Qwevonibumer


The trojan uses Windows hooks to load itself into running processes: a system-wide message hook causes the hook DLL to be mapped into every process that receives the hooked messages, so the malicious code runs inside legitimate processes instead of as its own. This hides its presence from the affected user. For instance, if the affected user checks Task Manager for suspicious running programs, they may find it difficult to "see" Hiloti because it is hooked into a legitimate process and no separate Hiloti process is listed. In particular, it targets the following two processes in this manner:

  • explorer.exe
  • iexplore.exe
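The two installation artifacts described above, a randomly named DLL dropped directly into the Windows folder and a randomly named configuration subkey under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, are both things a responder can check for on a mounted image or exported data. The following triage script is an added example, not Microsoft's or malwarePDF's code. The description does not say which header field Hiloti changes to make its copy "treated as a DLL"; this example checks the IMAGE_FILE_DLL bit in the PE COFF header, which is what the loader consults. The random-name regex, the baseline subkey list, and the fake Windows folder it builds are all constructed assumptions for the demo.

```python
"""Triage helpers for the Win32/Hiloti installation artifacts described above.

Added example, not Microsoft's or malwarePDF's code. It runs offline: `windir`
is a copy of the Windows folder from a mounted image and
`current_version_subkeys` is a list of subkey names exported from
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion. The regex and baseline are
analyst-supplied assumptions, not part of the original description.
"""
import os
import re
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000          # PE COFF Characteristics bit the loader checks
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002

# Heuristic (assumption): the example name svdetrxt.dll is 8 lowercase letters.
# Random-looking all-letter names are flagged; this will not catch every variant.
RANDOM_DLL_NAME = re.compile(r"^[a-z]{6,10}\.dll$")


def is_pe_dll(path):
    """Return True if the file has a valid MZ/PE header with IMAGE_FILE_DLL set."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    # COFF header follows the 4-byte signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def suspicious_windir_dlls(windir):
    """DLLs sitting directly in the Windows folder whose names look random and
    whose PE header marks them as DLLs (Hiloti copies itself there)."""
    hits = []
    for name in sorted(os.listdir(windir)):
        path = os.path.join(windir, name)
        if os.path.isfile(path) and RANDOM_DLL_NAME.match(name.lower()) and is_pe_dll(path):
            hits.append(name)
    return hits


def unknown_currentversion_subkeys(current_version_subkeys, baseline):
    """Subkey names under ...\\CurrentVersion that are absent from a baseline
    taken from a clean reference build (Hiloti stores its config in a random one)."""
    known = {k.lower() for k in baseline}
    return sorted(k for k in current_version_subkeys if k.lower() not in known)


def _minimal_pe(dll):
    """Constructed minimal MZ+PE header for the demo (not a real binary)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    coff = bytearray(24)
    coff[:4] = b"PE\0\0"
    flags = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    struct.pack_into("<H", coff, 22, flags)
    return bytes(hdr + coff)


def demo():
    """Constructed sample: a fake Windows folder and an exported subkey list."""
    windir = tempfile.mkdtemp()
    samples = {
        "svdetrxt.dll": _minimal_pe(dll=True),    # name taken from the description
        "explorer.exe": _minimal_pe(dll=False),
        "notepad.exe": _minimal_pe(dll=False),
        "kernel32.dll": b"not a PE at all",       # digit in name, and not PE: ignored
    }
    for name, blob in samples.items():
        with open(os.path.join(windir, name), "wb") as fh:
            fh.write(blob)
    dlls = suspicious_windir_dlls(windir)

    baseline = ["Explorer", "Policies", "Run", "RunOnce", "Uninstall"]  # assumed clean set
    exported = ["Explorer", "Policies", "Qwevonibumer", "Run", "RunOnce", "Uninstall"]
    keys = unknown_currentversion_subkeys(exported, baseline)
    return dlls, keys


if __name__ == "__main__":
    print(demo())  # (['svdetrxt.dll'], ['Qwevonibumer'])
```

On a real case, point `suspicious_windir_dlls` at the mounted image's Windows folder and feed `unknown_currentversion_subkeys` the subkey list from a registry export; a DLL flagged here should then be checked for a matching hook in explorer.exe and iexplore.exe rather than treated as confirmation by itself.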


Payload

Allows backdoor access and control

When executed, the malware connects to a remote host to download configuration data, which may contain instructions to perform any of the following actions:

  • Download and execute arbitrary files
  • Display pop-ups
  • Modify the content of HTML pages viewed by the user
  • Insert scripts into HTML pages viewed by the user


Monitors the affected user's browsing habits

The trojan monitors URLs browsed by the user and sends related information to a remote host. Captured data includes, but is not limited to, search-related information. It identifies URLs of interest by searching for substrings in the URL; for example, it may look for the following strings:

  • .bing.com
  • .live.
  • .msn.
  • .google.
  • .search123.
  • .teoma.
  • .wanadoo.
  • 250000.co.uk
  • alexa.
  • alltheweb.com
  • altavista.
  • aol.
  • asiaco.
  • bbc.


Redirects searches in Firefox

The trojan installs a Firefox extension to redirect searches performed by the user in this browser. It does this with the following files:

  • %LOCALAPPDATA%\{<GUID>}\chrome.manifest
  • %LOCALAPPDATA%\{<GUID>}\install.rdf
  • %LOCALAPPDATA%\{<GUID>}\chrome\content\_cfg.js
  • %LOCALAPPDATA%\{<GUID>}\chrome\content\overlay.xul - may be detected as variants of Trojan:JS/Hiloti


where <GUID> is a randomly generated GUID.

If successfully installed, the Firefox extension appears in the Firefox Extensions menu with a name such as "XUL Runner 1.9.1".

It also creates the following registry entry:

In subkey: HKLM\SOFTWARE\Mozilla\Firefox\Extensions\
Sets value: "{<GUID>}"
With data: "{<GUID>}"
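The Firefox artifacts above are specific enough to hunt for: a GUID-named directory directly under %LOCALAPPDATA% carrying exactly the four-file layout listed, and a value under HKLM\SOFTWARE\Mozilla\Firefox\Extensions whose data is a bare GUID. The following script is an added example, not Microsoft's or malwarePDF's code. It runs offline against a copy of %LOCALAPPDATA% and against the Extensions key's values exported as a name-to-data dictionary. The install.rdf it parses follows Mozilla's install-manifest format (em:id, em:name); the registry check relies on Mozilla's documented convention that a legitimate value holds the extension ID as its name and the absolute path of the extension folder as its data, so a GUID in the data field is the anomaly. The sample tree and GUIDs are constructed for the demo.

```python
"""Hunt for the Firefox extension artifacts of Win32/Hiloti described above.

Added example, not Microsoft's or malwarePDF's code. `localappdata` is a copy
of %LOCALAPPDATA% from a mounted image; `values` is a dict of name -> data
exported from HKLM\\SOFTWARE\\Mozilla\\Firefox\\Extensions. The sample data
below is constructed for the demo.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
EM = "{http://www.mozilla.org/2004/em-rdf#}"   # Mozilla install-manifest namespace
# The four files from the description, relative to the {<GUID>} directory.
HILOTI_LAYOUT = (
    "chrome.manifest",
    "install.rdf",
    os.path.join("chrome", "content", "_cfg.js"),
    os.path.join("chrome", "content", "overlay.xul"),
)

# Constructed install.rdf in Mozilla's format; @GUID@ is filled in by demo().
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>@GUID@</em:id>
    <em:name>XUL Runner 1.9.1</em:name>
    <em:version>1.9.1</em:version>
  </Description>
</RDF>
"""


def extension_name(install_rdf):
    """Display name from install.rdf (em:name as a child element or attribute)."""
    try:
        root = ET.parse(install_rdf).getroot()
    except ET.ParseError:
        return None
    for node in root.iter():
        el = node.find(EM + "name")
        if el is not None and el.text:
            return el.text.strip()
        if EM + "name" in node.attrib:
            return node.attrib[EM + "name"]
    return None


def find_guid_extensions(localappdata):
    """GUID-named directories directly under %LOCALAPPDATA% that carry the full
    Hiloti file layout. Returns a list of (dirname, display_name)."""
    hits = []
    for entry in sorted(os.listdir(localappdata)):
        path = os.path.join(localappdata, entry)
        if not (os.path.isdir(path) and GUID_RE.match(entry)):
            continue
        if all(os.path.isfile(os.path.join(path, rel)) for rel in HILOTI_LAYOUT):
            hits.append((entry, extension_name(os.path.join(path, "install.rdf"))))
    return hits


def suspicious_registry_extensions(values):
    """Value names under Firefox\\Extensions whose data is a bare GUID. In the
    documented form the data is the extension folder's absolute path, so a GUID
    there (in Hiloti's case, the same GUID as the name) is the anomaly."""
    return sorted(name for name, data in values.items()
                  if GUID_RE.match(name) and GUID_RE.match(data))


def demo():
    """Constructed sample: one Hiloti-style tree, one ordinary folder, and
    exported registry values. Both GUIDs are made up for the demo."""
    lad = tempfile.mkdtemp()
    guid = "{8a1d3c4e-2b7f-4e6a-9c0d-1f2e3a4b5c6d}"
    ext = os.path.join(lad, guid)
    os.makedirs(os.path.join(ext, "chrome", "content"))
    for rel in HILOTI_LAYOUT:
        with open(os.path.join(ext, rel), "w") as fh:
            fh.write(INSTALL_RDF.replace("@GUID@", guid) if rel == "install.rdf"
                     else "// constructed placeholder\n")
    os.makedirs(os.path.join(lad, "Microsoft"))   # ordinary folder, not flagged
    found = find_guid_extensions(lad)

    values = {
        guid: guid,                                        # pattern from the description
        "{5d9e0a1b-3c4f-4a2d-8e7b-6f5a4c3d2e1f}": r"C:\Program Files\Vendor\ffext",  # legit form
    }
    return found, suspicious_registry_extensions(values)


if __name__ == "__main__":
    print(demo())
```

The file-layout check and the registry check are kept separate on purpose: a variant that drops the extension without the HKLM value (or a user who has since uninstalled Firefox) still leaves one of the two artifacts behind, and either on its own is worth pulling overlay.xul for a look.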

Terminates processes

The trojan checks whether it is loaded into each of the following processes and, if it is not, terminates that process:

  • MRT.exe
  • MSASCui.exe


These processes belong to the Microsoft Malicious Software Removal Tool (MRT.exe) and Windows Defender (MSASCui.exe), respectively, so terminating them hampers detection and removal.



Analysis by Scott Molenkamp & Amir Fouda

Last update 02 May 2012

 
