Win32/Hiloti is a family of trojans that interferes with an affected user's browsing habits and downloads and executes arbitrary files.
Installation
There are a variety of ways in which Win32/Hiloti may be distributed in the wild. Social engineering is a common distribution vector, where, for instance, many Hiloti executables are found on file sharing networks, disguising themselves as game cracks, program installers, cracked software, movie and music files, etc.
Another common way in which Hiloti is distributed is through other malware. Hiloti has been seen installed or downloaded onto compromised computers by various malware families and variants. The following list of malware has been known to install or download Hiloti:
In addition to the above, many other malware families have been installed on compromised computers along with Win32/Hiloti. For instance, Trojan:Win32/Podjot.A may be downloaded by Hiloti, and TrojanDropper:Win32/Hiloti variants install Hiloti as well as various other malware families on the computer.
Please refer to the description for TrojanDropper:Win32/Hiloti.gen!A for a list of malware this trojan has been observed installing.
When executed, the malware copies itself to the Windows folder with a randomly generated file name (for example %windir%\svdetrxt.dll). It modifies this file so that it is treated as a DLL.
The trojan then creates a randomly named registry entry in which it stores configuration information, for example:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Qwevonibumer
The trojan uses Windows hooks to load itself into running processes. It may do this to hide its presence from the affected user. For instance, if the affected user checks Task Manager for any suspicious running programs, they may find it difficult to "see" Hiloti because it is hooked to a legitimate process. In particular, it targets the following two processes in this manner:
- explorer.exe
- iexplore.exe
Payload
Allows backdoor access and control
When executed, the malware connects to a remote host to download configuration data, which may contain instructions to perform any of the following actions:
- Download and execute arbitrary files
- Display pop-ups
- Modify the content of HTML pages viewed by the user
- Insert scripts into HTML pages viewed by the user
Monitors the affected user's browsing habits
The trojan monitors URLs browsed by the user and sends related information to a remote host. Captured data includes, but is not limited to, search-related information. It does this by searching for substrings in the URL, for example, it may look for the following strings:
- .bing.com
- .live.
- .msn.
- .google.
- .search123.
- .teoma.
- .wanadoo.
- 250000.co.uk
- alexa.
- alltheweb.com
- altavista.
- aol.
- asiaco.
- bbc.
Redirects searches in Firefox
The trojan installs a Firefox extension to redirect searches performed by the user in this browser. It does this with the following files:
- %LOCALAPPDATA%\{<GUID>}\chrome.manifest
- %LOCALAPPDATA%\{<GUID>}\install.rdf
- %LOCALAPPDATA%\{<GUID>}\chrome\content\_cfg.js
- %LOCALAPPDATA%\{<GUID>}\chrome\content\overlay.xul - may be detected as variants of Trojan:JS/Hiloti
where <GUID> is a randomly generated GUID.
If successfully installed, the Firefox extension appears in the Firefox Extensions menu with a name such as “XUL Runner 1.9.1”.
It also creates the following registry entry:
In subkey: HKLM\SOFTWARE\Mozilla\Firefox\Extensions\
Sets value: "{<GUID>}"
With data: "{<GUID>}"
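A defender-side check for the Firefox persistence just described, written here as an added PowerShell example (not part of the original analysis): it walks the Firefox Extensions key, flags {GUID}-named values whose data merely repeats the value name, and looks under each local profile's AppData\Local for the listed extension files. The Wow6432Node mirror and the per-profile folder walk are assumptions not stated in the analysis.

```powershell
# Added example, not from the original analysis: hunt for the Firefox persistence
# Win32/Hiloti leaves behind. Registry paths: the analysis's HKLM\SOFTWARE\Mozilla\Firefox\Extensions,
# plus the Wow6432Node mirror a 32-bit Firefox on 64-bit Windows uses (assumption).
$ExtKeys = @('HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
             'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions')
$GuidRx  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
# Files the analysis lists under %LOCALAPPDATA%\{<GUID>}\
$Expected = @('chrome.manifest', 'install.rdf',
              'chrome\content\_cfg.js', 'chrome\content\overlay.xul')

function Get-HilotiFirefoxIndicators {
    $findings = @()
    # Every local profile's AppData\Local is checked, not only the current user's (assumption).
    $profiles = Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
    foreach ($key in $ExtKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # provider metadata, not registry values
            if ($p.Name -notmatch $GuidRx) { continue }     # only {GUID}-named values
            $data = [string]$p.Value
            # Hiloti writes the GUID itself as the data; a normal entry holds an extension path.
            $nameEqualsData = ($data -eq $p.Name)
            $hits = foreach ($prof in $profiles) {
                $dir = Join-Path $prof.FullName "AppData\Local\$($p.Name)"
                $present = @($Expected | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) })
                if ($present.Count -gt 0) {
                    [pscustomobject]@{ Folder = $dir; Files = ($present -join ', ') }
                }
            }
            if ($nameEqualsData -or $hits) {
                $findings += [pscustomobject]@{
                    Key            = $key
                    ValueName      = $p.Name
                    Data           = $data
                    NameEqualsData = $nameEqualsData
                    Folders        = (@($hits | ForEach-Object { $_.Folder }) -join '; ')
                    Files          = (@($hits | ForEach-Object { $_.Files })  -join '; ')
                }
            }
        }
    }
    return $findings
}

$result = Get-HilotiFirefoxIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No Hiloti Firefox extension indicators found.' }
```

Run it from an elevated prompt so every profile folder is readable; a hit with NameEqualsData set to True and overlay.xul present matches the Trojan:JS/Hiloti file described above.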
Terminates processes
The trojan checks whether it is loaded in the following processes and, if it is not, terminates them:
These processes may belong to the Microsoft Malicious Software Removal Tool (MSRT) and the Windows Defender programs.
Analysis by Scott Molenkamp & Amir Fouda