The security industry is waiting eagerly for Finjan to release more technical details about their recent discovery of a multi-million sized botnet. I got a chance to speak with Fijan's representatives at RSA on April 23rd. I asked them about this new un-named / un-identified botnet, Unlucky me, Finjan couldn't give any more information, saying that currently they are working with law enforcement agencies so they are not in a position to talk more on this right now.

This did not stop me from carrying my investigation further. I need to assess the severity of this threat myself and have to make sure that our customers are protected against this particular threat. As far as I'm concerned, it's not cops or other law enforcement agencies that will protect those poor 1.9 million victims, its the job of the security industry. The challenge in front me was that Finjan did not disclose any clear information which could lead other security researchers to the true identity of this un-named botnet.

There were a few hints in the Finjan report which could be used to explore some hidden aspects of this botnet. The first hint was that this botnet had been seen to download Hexzone around March 29. I have covered Hexzone in detail in a previous article. ESET has also come up with a very good write-up about Hexzone here. The second hint was the joebox analysis report. This report showed a list of additional malware components downloaded by the un-named botnet.