In a comment to a previous post, Finjan have confirmed that Win32/Hexzone.AP is just one of the malicious programs downloaded to machines infected by the unnamed bot behind the 1.9 million PC botnet they reported: it isn't the bot itself. While I think we'd pretty much established that (especially after some very useful input from Atif Mushtaq), I appreciate that confirmation, given the previous confusion from reporting that suggested otherwise: for instance The Register said "Yuval Ben-Itzhak, chief technology officer at Finjan, said the malware that created the botnet used a variety of Internet Explorer, Firefox and PDF vulnerabilities to spread. He added that only four out of 39 anti-virus scanners detected the malware."
Finjan have also observed that "The 1.9M number is very accurate." Well, I'm not in a position to confirm or refute that, but I've no reason to doubt it: it's not a uniquely large number, by any means. If Hexzone isn't the primary infector, that explains the disparity between sources.
Hopefully Finjan will be in a position to share more information about the primary malware at some point. At the very least, it would be nice to know if this is something that's already widely detected.
Unfortunately, someone at Finjan also seems to be under the impression that I've accused them of spreading FUD (Fear, Uncertainty, Doubt). I don't know where that quote comes from, but it wasn't me, guys. This isn't that sort of a blog, and I save my sarcasm for deserving cases like Mikeyy: I don't deploy it against responsible members of the security community.
David Harley
Director of Malware Intelligence