Harnig is Back

Rustock's old buddy Harnig is back in action. Harnig is a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system for a small fee. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig.

I reported back in March (right after the Rustock botnet shutdown) that the Harnig botnet had abandoned all of its CnCs as well, causing the suspension of all of its malicious activities. Rustock hasn't yet tried to claim back its previous position, but this is not true in the case of Harnig. After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities.

A controlled run of Harnig in my lab shows Harnig downloading a number of malware samples onto the infected machine.



One can see from the screenshot above that Harnig is not downloading any instance of the Rustock botnet. It's likely that the involvement of law enforcement in this whole matter and a recent agreement between Russian and US authorities regarding the exchange of cyber crime intelligence are the main reasons that the Russian mastermind behind Rustock is not even thinking about a comeback.

It is worth noting that after this resurgence, Harnig is changing its CnCs with lightning speed. During the last week or so I have observed 26 CnCs in use by different variants of the Harnig botnet, and most of these CnCs popped up during the last few days. It's an expected reaction to recent botnet shutdowns like Ozdok, Bredolab and now Rustock.

2 thoughts on “Harnig is Back”

  1. Cybercriminals don’t typically cover and hide when law enforcement gets involved. They take a break and revise their code to be smarter, faster, and stealthier. You couldn’t have said it better, “After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities.”
    Rustock will be back, it will have a different name, a new face, and different CnCs. In the meantime, keep up the good work and use this opportunity to become proactive as opposed to reactive.
