Comments on: Another Big Botnet

By: David Harley

David Harley — Mon, 27 Apr 2009 08:14:18 +0000

I couldn’ t possibly comment. Though according to Finjan I already have.

By: jcanto

jcanto — Mon, 27 Apr 2009 06:13:04 +0000

this situation indeed deserves the holy trinity of acronyms

By: VITALIKG

VITALIKG — Fri, 24 Apr 2009 16:43:49 +0000

By: David Harley

David Harley — Fri, 24 Apr 2009 10:52:42 +0000

Indeed you’re not.

By: Atif Mushtaq

Atif Mushtaq — Fri, 24 Apr 2009 03:04:22 +0000

Today, I visited RSA and got a chance to talk to Finjan’s representatives there. I talked to them about the same confusion but they refused to comment on this topic saying, they are working with law enforcement agencies so they cannot reveal more information at this moment. When I asked them at least tell me the name of this mysterious botnet. They said we have already mentioned botnet name in our article…I said I am asking about malware which downloaded Hexzone not hexzone itself ..as stated by you guysâ€¦.

Guy there thought for a second and said again..
We are working with law enforcement agencies, so cannot release more information at this

I am relieved now; I am not the only one who is confused here…;)

By: David Harley

David Harley — Thu, 23 Apr 2009 15:55:54 +0000

Thanks for that. Yes, I think that’s probably a more accurate way of looking at it.

By: Atif Mushtaq

Atif Mushtaq — Thu, 23 Apr 2009 15:32:08 +0000

I think we are mis-reading the Finjan’ article here , here is what Finjan said…

“This command instructs the bot on the infected computers to download and execute a Trojan horse. As indicates on the VirusTotal report below, only 4 out of 39 Anti-Virus products detected this Trojan.” // Hexzone

They did not give any detail about the parent dropper (unnamed botnet of size 1.9 million) which downloaded HexZone. It’s so confusing that all people started thinking this botnet as the HexZone……Hexzone along with other trojan like Win32.AutoIt seems only the secondary download..

By: Pierre-Marc Bureau

Pierre-Marc Bureau — Thu, 23 Apr 2009 13:09:43 +0000

Thanks for your comments gh and Henk.

I have to clarify the situation regarding the number of detection I have included in my previous blog post. It appears to bring more confusion than valuable information to our readers.

Instead of total number of detection, I should have used the ratio of detection. For the Win32/Hexzone family, this ratio is 0.1%, that is very small compared to Conficker which receives almost 20%.

By: David Harley

David Harley — Thu, 23 Apr 2009 12:50:46 +0000

Hi, Henk. Virus Radar only measures email-borne malware, and doesn’t generally include malware found on malicious web sites referenced by malicious messages. Malicious attachments have been decreasing dramatically in volume for years now, and very little new malware is disseminated that way. Also, the page you’re looking at is only showing the email-borne malware flagged over the last 24 hours: it doesn’t represent in any way the totality of what we detect.

I’m afraid the resource Pierre was referring to isn’t publicly available in realtime, though we do use the figures – as percentages and indicators, not absolute figures – in our monthly/annual/semi-annual reports. That’s partly because it is very easy for people to misinterpret.

By: David Harley

David Harley — Thu, 23 Apr 2009 12:11:58 +0000

That 140,000 doesn’t refer to the total number of Hexzone-infected machines. It refers to the number of attempts to infect machines protected by ESET products. ESET users can opt to allow the software to “call home” when it recognizes malware. In other words, these figures provide some indication of how active a given malicious program is compared to other malicious code, not overall figures. In this case, they simply suggest that Hexzone is out there in far lower volumes than some of our other detections.

If you check out , you’ll find a likely explanation for the disparity between the dramatic size and rate of spread figures suggested by Finjan compared to the impact that we and others are seeing.