The attacker contacts the malware, not the other way around

Aug 25, 2012 09:32 GMT  ·  By

Security researchers have revealed the existence of an advanced persistent threat that has been making the rounds since April 2011. Identified as Backdoor.Hikit, the malware carries some interesting aces up its sleeve.

Hikit has four main components: a dropper that compromises the system (the dropper itself has not yet been identified), a dynamic-link library (DLL) file that provides the backdoor functionality, a kernel driver that monitors network traffic, and a client tool the attacker uses to connect to the backdoor.

According to experts from security firm Symantec, it all starts with the still-unidentified dropper, which installs the DLL backdoor onto the compromised device. The backdoor then installs the driver component that allows the attacker to communicate with the infected computer.

To avoid being flagged as malicious, the DLL component is signed with two different digital certificates, one of which has already expired.

However, Hikit has an even more interesting feature. Unlike many other pieces of malware, Hikit doesn’t attempt to contact its command and control server once it infects a device. Instead, the kernel driver is designed to wait for the attacker to initiate communications, significantly reducing the threat’s operational capabilities.

In theory, this should make it harder for the attacker to reach the compromised device, since internal networks usually sit behind a firewall and a router, but as it turns out this isn’t an issue.

Experts from Mandiant have found that the malware actually targets computers located in the sub-network that exposes the organization’s services to the Internet, the DMZ.

“DMZ exposes services over the Internet and typically has less restrictive firewall rules (e.g. allows HTTP/HTTPS traffic over ports 80 and 443), which will allow the attacker to contact and communicate with compromised computers,” Branko Spasojevic of Symantec explained.
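Because Hikit waits for the attacker instead of beaconing out, hunting that keys on outbound connections from DMZ hosts finds nothing; the inbound sessions on the permitted ports are where to look. The Python below is an added example, not code from the article, Symantec or Mandiant: it runs over constructed flow records, shows the empty outbound-beacon result, and flags inbound sessions to DMZ hosts on 80/443 that are long-lived and roughly balanced in bytes, unlike ordinary web requests. The host addresses, thresholds and byte-ratio band are assumptions chosen for the example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport duration bytes_in bytes_out")

# Constructed sample flows (not real telemetry).
# bytes_in = client -> server, bytes_out = server -> client.
SAMPLE_FLOWS = [
    Flow("2012-08-20T10:00:01", "198.51.100.5", "203.0.113.10", 443, 0.4, 600, 8200),
    Flow("2012-08-20T10:00:03", "198.51.100.7", "203.0.113.10", 80, 0.2, 400, 5100),
    Flow("2012-08-20T10:00:09", "198.51.100.5", "203.0.113.11", 443, 0.6, 900, 14000),
    Flow("2012-08-20T10:02:00", "203.0.113.10", "198.51.100.200", 53, 0.1, 80, 120),
    Flow("2012-08-20T10:05:00", "192.0.2.66", "203.0.113.11", 443, 1850.0, 52000, 61000),
    Flow("2012-08-20T11:40:00", "192.0.2.66", "203.0.113.11", 443, 2410.0, 30500, 28900),
]

DMZ_HOSTS = {"203.0.113.10", "203.0.113.11"}   # assumed DMZ web servers
EXPOSED_PORTS = {80, 443}                        # ports the DMZ firewall lets in


def outbound_beacons(flows, dmz_hosts=DMZ_HOSTS, exposed_ports=EXPOSED_PORTS):
    """Sessions the DMZ hosts themselves open to the Internet on web ports: what a
    beaconing implant produces. A listen-only backdoor like Hikit leaves this empty."""
    return [(f.src, f.dst, f.dport) for f in flows
            if f.src in dmz_hosts and f.dport in exposed_ports]


def attacker_initiated_candidates(flows, dmz_hosts=DMZ_HOSTS, exposed_ports=EXPOSED_PORTS,
                                  min_duration=600.0, ratio_band=(0.5, 2.0)):
    """Inbound sessions to DMZ hosts on the allowed ports that look interactive rather
    than like HTTP: long-lived, with client->server bytes close to server->client bytes.
    Normal web traffic is short and the server sends far more than it receives.
    The thresholds are assumptions for this example, not figures from the article."""
    hits = []
    for f in flows:
        if f.dst not in dmz_hosts or f.dport not in exposed_ports:
            continue
        if f.duration < min_duration or f.bytes_out == 0:
            continue
        ratio = f.bytes_in / f.bytes_out
        if ratio_band[0] <= ratio <= ratio_band[1]:
            hits.append((f.src, f.dst, f.dport, f.duration))
    return hits


if __name__ == "__main__":
    print("outbound beacons from DMZ hosts:", outbound_beacons(SAMPLE_FLOWS))
    for hit in attacker_initiated_candidates(SAMPLE_FLOWS):
        print("review inbound session:", hit)
```

In practice the same logic runs over firewall or NetFlow exports for the DMZ segment, with the byte-ratio band tuned against each server's own baseline.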