# Heloag has rather no friends, just a master

**[securelist.com/heloag-has-rather-no-friends-just-a-master/29693/](https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/)**

[Incidents](https://securelist.com/category/incidents/)

[Incidents](https://securelist.com/category/incidents/)

03 May 2010

minute read


-----

Authors

[Georg Wicherski](https://securelist.com/author/georgwicherski/)

[Jose Nazario of Arbor Networks recently posted an analysis of Trojan.Heloag on their blog,](http://asert.arbornetworks.com/2010/04/trojan-heloag-downloader-analysis/)
[mentioning that some observed behaviour might be related to Peer-to-Peer C&C](http://en.wikipedia.org/wiki/Botnet)
functionality. However, Jose’s analysis was dynamic only and thus he was not certain about
this when I contacted him (also thanks to Alex Cox for sharing network traces of his
honeypot). Being interested in Peer-to-Peer botnets (e.g. Stormfucker: Owning the Storm
Botnet [MP4 Video]), I had to take a deeper look.

The Heloag binaries I’ve looked at (6ede527bb5aa65eae8049ac955b1018d dropped by
_d9b14a7bc0334458d99e666e553f0ee0) did not contain any Peer-to-Peer C&C_
**functionality! Instead, the bot rather speaks a very simple protocol over TCP with the**
following command types supported (encoded as the first byte of the packet):

1. DDoS another host using different techniques:

TCP DDoS, connect(..) based (does not send data)
UDP DDoS, sendto(..) based (sends some random data)
HTTP DDoS requesting / with User-Agent “helloAgent”, InternetOpenUrlA based
HTTP DDoS crawling links from / with User-Agent “Google page”
2. Download and execute an URL of up to 0xA4 bytes, zero-padded URL
3. Send the current computer name
4. Stop with the currently executing DDoS command
5. Disconnect from current server and connect to new C&C server


-----

_Disassembly for function 4_

This means that even though during dynamic analysis, multiple C&C servers were observed,
it is just some kind of hand-over to another C&C server which can be used for load-balancing
or renting out bots. Since there is always only one server, the bot is connected to at a time,
this does not add a lot to take-down resilience (phew!).

Still, this is an intersting specimen regarding malware authorship. What strikes immediately
into the eye is that while for most of the commands, there is exactly one control byte, DDoS
commands are all encoded in the same byte. The additional payload of this commands then
controls what DDoS is carried out to where. Instead of using one type byte like for control
bytes, this code uses different boolean bytes in the payload for controling DDoS types.
Additionally, the DDoS related code makes heavy usage of C++ std::string’s while the rest of
the main code uses wsprintf for string handling. It looks like this project was implemented by
two different individuals collaborating or at least one buying some source from the other.

This malware is pretty certainly from China. First, the usage of wsprintf underlines nonwestern character aware path names, which you rarely see in malware with western origins.
Additionally, there is one Chinese IP hardcoded in the binary, which cannot be attacked by


-----

DDoS, no matter what command is given to the bot (and this is checked after DNS
resolution).

[Botnets](https://securelist.com/tag/botnets/)
[DDoS-attacks](https://securelist.com/tag/dos-attacks/)
[Malware Creators](https://securelist.com/tag/malware-creators/)

Authors

[Georg Wicherski](https://securelist.com/author/georgwicherski/)

Heloag has rather no friends, just a master

Your email address will not be published. Required fields are marked *

GReAT webinars

13 May 2021, 1:00pm

## GReAT Ideas. Balalaika Edition

26 Feb 2021, 12:00pm
17 Jun 2020, 1:00pm
26 Aug 2020, 2:00pm
22 Jul 2020, 2:00pm
From the same authors


-----

## Live Twitter XSS

 Different x86 Bytecode Interpretations


-----

## Is there really a Storm out there?

 The Dangers of Social Networking


-----

## The msvidctl Internet Explorer 0day

Subscribe to our weekly e-mails

The hottest research right in your inbox


-----

Reports

## APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events
that we observed during Q1 2022.

## Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021.
This application contains a legitimate program called DeFi Wallet that saves and manages a
cryptocurrency wallet, but also implants a full-featured backdoor.

## MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a
malicious code we dub MoonBounce. In this report we describe how the MoonBounce
implant works and how it is connected to APT41.

## The BlueNoroff cryptocurrency hunt is still on


-----

It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to
solely cryptocurrency businesses as the main source of the group’s illegal income.

Subscribe to our weekly e-mails

The hottest research right in your inbox


-----

-----