Security researchers with Arbor Networks have found a new botnet that consists of computers infected with a Trojan designed to enable a remote user to download malware onto the machine. The researchers found that the Trojan, called Heloag, is downloaded via one of two possible domains and then loads itself into the MS Windows directory.
The Trojan also assigns itself a registry key, which allows the malware to be loaded during the boot-up process. Finally, the infected computer connects to the command and control server. The cyber criminal then effectively has control over the infected computer, which serves as a platform for downloading other malware.
Currently, the researchers do not know how large the botnet is.
“Trojan.Heloag infected hosts often download other malcode over HTTP from a central server, and can also connect to other bots over TCP, often using ports 7000-7010. It's unclear what the purpose of this is, but it appears to be some form of peer-to-peer,” writes researcher Jose Nazario. “Antivirus uses a handful of aliases for these samples. They aren't consistent, which isn't surprising, and the data on this downloader is very thin, as well.”