Updated June 3, 2015 11:00 AM
Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.
Let’s start with the basics
Hola markets itself as providing anonymous browsing and an unblocker for accessing any content from any location. “Unblocking” comes in two forms. The first is that an Hola user can pretend to be in any country she wants, enabling access to content that would only be available within the target country. A common example is a Canadian citizen accessing the US version of Netflix. The second is an employee in a company which blocks certain outbound traffic can use Hola to get past the blockage.
The software is available either as a browser extension or a stand-alone application with versions for every major operating system, and Hola claims 46 million users worldwide. Vectra researchers analyzed the Windows 32-bit version of Hola for Windows, and the Android ARM and Android x86 versions of Hola for mobile available prior to May 27, 2015.
Once installed, the service acts as a giant peer-to-peer network known internally as “Zon” where a user’s Internet traffic is bounced through other Hola users. In the Zon network, every unpaid user is used as an exit node, meaning that if you were to install the application, you would carry traffic from other anonymous users. Worse still, Hola caches content on user devices, meaning that not only would you carry someone else’s traffic without your knowledge, but you could be used to cache their content as well. These are all things that Hola publicly states on its website and license agreement. While users who have just realized this have expressed shock, the story doesn’t end there.
Our decision to analyze this software was prompted by the fact that it triggered a type of detection we call “External Remote Access” in some of our customers’ networks. The algorithm behind this detection finds connections that are established from the inside of a customer’s network to the Internet where the subsequent interaction is clearly driven by a human on the outside of the customer’s network. This pattern is consistent with how a peer-to-peer anonymity network works. The employee computer with Hola installed must use well-known techniques to make a firewall allow the peer’s connection to complete, and these techniques effectively make the connection appear – to the firewall and to Vectra – to be initiated from the employee’s machine to the peer who wishes to make use of it. Once the connection is up, the external human controlling the peer drives all the action.
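The detection pattern described above can be sketched as a small heuristic: the session is opened from the inside, but once it is up the outside party starts most exchanges with small, command-sized packets at irregular, human-scale intervals, and the inside answers each one. The Python below is an added example written for this page, not Vectra’s detection algorithm; the scoring weights, the thresholds, the exchange-splitting rule and the three sample sessions (an interactive remote-control session, ordinary web browsing, and a periodic machine beacon) are all constructed assumptions.

```python
"""Toy detector for the "External Remote Access" pattern.

Assumptions (constructed for this example, not Vectra's algorithm):
  * a session is the list of packets on one TCP connection, timestamps in
    seconds relative to the first packet;
  * direction "out" means internal host -> Internet, "in" the reverse;
  * the session is opened from the inside (first packet is "out"), which is
    what firewall-traversal techniques produce.
The heuristic then asks who drives the conversation once it is up.
"""
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Packet:
    t: float         # seconds since the first packet of the session
    direction: str   # "out" (internal -> Internet) or "in" (Internet -> internal)
    size: int        # payload bytes


def split_exchanges(packets, idle_gap=0.25):
    """Group consecutive packets into exchanges separated by >= idle_gap seconds."""
    exchanges, current = [], []
    for pkt in sorted(packets, key=lambda p: p.t):
        if current and pkt.t - current[-1].t >= idle_gap:
            exchanges.append(current)
            current = []
        current.append(pkt)
    if current:
        exchanges.append(current)
    return exchanges


def external_remote_access_score(packets, idle_gap=0.25,
                                 min_exchanges=3, max_command_bytes=512):
    """Score a session in [0, 1]; higher means more like an outside human driving it.

    Returns (score, evidence); evidence records the measurements behind the score.
    """
    exchanges = split_exchanges(packets, idle_gap)
    if not exchanges or exchanges[0][0].direction != "out":
        return 0.0, {"reason": "session not opened from inside"}
    rest = exchanges[1:]  # first exchange is the setup/registration; judge the rest
    if len(rest) < min_exchanges:
        return 0.0, {"reason": "too few exchanges to judge"}

    ext_led = [ex for ex in rest if ex[0].direction == "in"]
    led_ratio = len(ext_led) / len(rest)
    evidence = {"exchanges": len(rest), "externally_led_ratio": round(led_ratio, 2)}
    score = 0.0

    # 1. The outside party starts most exchanges (it asks, the inside answers).
    if led_ratio >= 0.6:
        score += 0.4

    # 2. Those requests arrive at irregular, human-scale intervals. A scripted
    #    beacon is regular (low coefficient of variation); plain browsing or a
    #    bulk download has no outside-led exchanges at all.
    starts = [ex[0].t for ex in ext_led]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) >= 2:
        med_gap = median(gaps)
        cv = pstdev(gaps) / mean(gaps)
        evidence.update(median_gap_s=round(med_gap, 2), gap_cv=round(cv, 2))
        if 0.3 <= med_gap <= 60.0 and cv >= 0.4:
            score += 0.4

    # 3. The outside party's opening packets are command-sized, not data.
    if ext_led:
        cmd_size = median(ex[0].size for ex in ext_led)
        evidence["median_command_bytes"] = cmd_size
        if cmd_size <= max_command_bytes:
            score += 0.2

    return round(score, 2), evidence


def is_external_remote_access(packets, threshold=0.7):
    return external_remote_access_score(packets)[0] >= threshold


# --- constructed sample sessions (synthetic, not real captures) -------------
def _interactive():
    """Inside opens the connection; an outside operator then issues commands."""
    pkts = [Packet(0.0, "out", 60)]  # peer registration from the inside
    for t, cmd, reply in [(1.2, 48, 1200), (4.9, 52, 3000), (5.8, 40, 600),
                          (13.0, 61, 2100), (21.7, 45, 900), (22.4, 58, 4100)]:
        pkts += [Packet(t, "in", cmd), Packet(t + 0.05, "out", reply)]
    return pkts

def _browsing():
    """Ordinary client behaviour: the inside asks, the outside answers."""
    pkts = []
    for t, req, resp in [(0.0, 300, 15000), (2.0, 280, 9000),
                         (3.5, 310, 12000), (9.0, 295, 20000)]:
        pkts += [Packet(t, "out", req), Packet(t + 0.05, "in", resp)]
    return pkts

def _beacon():
    """Machine-driven check-in: outside-led but perfectly periodic."""
    pkts = [Packet(0.0, "out", 60)]
    for k in range(1, 7):
        pkts += [Packet(30.0 * k, "in", 40), Packet(30.0 * k + 0.02, "out", 40)]
    return pkts

INTERACTIVE_SESSION, BROWSING_SESSION, BEACON_SESSION = _interactive(), _browsing(), _beacon()

if __name__ == "__main__":
    for name, session in [("interactive", INTERACTIVE_SESSION),
                          ("browsing", BROWSING_SESSION), ("beacon", BEACON_SESSION)]:
        score, evidence = external_remote_access_score(session)
        print(f"{name:12s} score={score:.2f} flagged={score >= 0.7} {evidence}")
```

Only the interactive session crosses the threshold: browsing is led entirely from the inside, and the beacon is outside-led but its perfectly periodic timing fails the irregularity test. On real traffic the same three measurements would be taken from flow records or a packet capture rather than from hand-built lists.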
Things get a bit more interesting when you realize that Hola (the company) operates a second brand called Luminati that sells access to the Hola network to third parties. If this sounds to you like a recipe for a botnet, you’re not alone. In fact, moderators from the controversial site 8chan claim to have experienced a DDoS originating from the Hola/Zon network.
In addition, third-party researchers have uncovered a variety of vulnerabilities in the Hola software that allow users to not only be tracked, but also can be exploited to run arbitrary code on an Hola user’s machine. It should be noted that vulnerabilities in perfectly legitimate software aren’t unusual—most software publishers are judged by the competence of their programmers in preventing security vulnerabilities as well as the speed with which they react to reported vulnerabilities. The vulnerabilities were publicized on May 29. On June 1, Hola stated the vulnerabilities were patched, and their statement was rebutted by the third-party researchers in an update to their original post.
It also appears that the DDoS mentioned above is not the first time hackers have attempted to use Hola for malicious activity. While analyzing the protocol used by Hola, Vectra researchers found 5 different malware samples on VirusTotal that contain the Hola protocol. The SHA256 hashes for these samples are listed below:
Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys.
Enabling a human attacker
While analyzing Hola, Vectra Threat Labs researchers found that in addition to reports of Hola enabling a botnet, it contains a variety of capabilities that can enable a targeted, human-driven cyber attack on the network in which an Hola user’s machine resides.
First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system. On Windows systems, the certificate is added to the Trusted Publishers Certificate Store. This modification to the system allows any additional code to be installed and run without the user being notified by the operating system or browser.
In addition, Hola contains a built-in console that remains active even when the user is not browsing via the Hola service – it is included in the process that acts as a forwarder for other peers’ traffic. The presence of this console—dubbed “zconsole”—is surprising on its own, as it enables direct human interaction with a Hola node even when the service is not actively in use by the system’s user. So if a human outside the system were to gain access to this console, what could they do?
- List and kill any running process
- Download any file with an option to bypass anti-virus (AV) checking
- Execute a downloaded file and:
  - Run the file with the token of another process
  - Run it as a background process
- Open a socket to any IP address, device, guid, alias or Windows name
- Read and write content across the socket to the console or to a file
This represents just a small subset of the functionality available in the console. The developers of the console have been gracious enough to include a man page to help someone unfamiliar with the commands.
These capabilities can enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky anonymity network enabling a botnet, and instead forces us to acknowledge the possibility that an attacker could use Hola as a platform to launch a targeted attack within any network containing the Hola software.
As a result, we highly encourage organizations to determine if Hola is active in their network and decide whether the risks highlighted in this blog are acceptable. To help with this, we have crafted Yara rules to identify whether Hola is present on a system. For customers that have an intrusion prevention system (IPS) deployed, we have also created Snort signatures to help them identify Hola traffic in their network.
Additions and clarifications since first publication
- Where there were statements about botnets in conjunction with Hola, clarifications were made that Hola was used to enable a botnet and is not itself a botnet.
- Added information in paragraph three about the specific versions of Hola for Windows and Hola for mobile analyzed for this blog. This information was already present in the later section entitled SHA256 Hashes of Windows and Android Versions of Hola Software Analyzed. Added information that became available after our blog was published about Hola patching their software.
- Clarified that the samples on VirusTotal indicate malicious attempts to use Hola; evidence of these attacks succeeding is not available.
- Updated our recommendation to organizations in the final paragraph.
Snort signatures to detect Hola or Luminati traffic
alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network Encrypted"; content:"