HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Are hackers wreaking Havex on your network?

Havex, also referred to as “Energetic Bear,” is a piece of Windows malware that is actively being utilized in the wild in attacks against critical infrastructure, specifically targeting the energy sector in Western Europe and North America. This threat to enterprise security is a remote access Trojan (RAT) that is used to perform reconnaissance and assist in delivering additional payloads to the target. Once installed, it fingerprints the victim machine (users, files, directories, etc.) it sends and receives information from compromised PHP web servers.


Havex can be delivered to the target in multiple ways:

  • Spam/Phishing
  • Watering-hole attacks
  • Exploit Kits (Hello/Lights Out)
  • Masquerading as a legitimate (trojanized) download

 Let’s take a look at a sample of this malware (SHA1: 7f249736efc0c31c44e96fb72c1efcc028857ac7)


havex.pngThe sample we analyzed was a trojanized version of VPN software.  Upon execution, this software loads and activates the malware which starts obtaining information about the system and waiting to receive commands. 















So now what? Is there a way to protect yourself from Havex?

Well that’s the good news—HP TippingPoint customers are protected from this malware’s outbound communication attempts. Next Tuesday a specific filter, 16455, will be published in our HP TippingPoint DVLabs weekly Digital Vaccine package for full coverage. In the interim, please contact HP TippingPoint support or your local Solution Architect to receive a custom filter for immediate use.

Protection from the Hello and Lights Out exploit kit are provided today by filters:

  • 12877: HTTP: Oracle Java Malicious Archive File Download
  • 13244: HTTP: Malicious Jar File Download (ZDI-13-153)
  • 13187: HTTP: Malicious Jar File Download
  • 12916: HTTP: Microsoft Internet Explorer offsetParent Use-After-Free Vulnerability
  • 12917: HTTP: Microsoft Internet Explorer offsetParent Use-After-Free Vulnerability
  • 12918: HTTP: Microsoft Internet Explorer offsetParent Use-After-Free Vulnerability

Stay ahead of the bad guys with HP TippingPoint—we are always on your side and understand that when it comes to protecting your network, every second matters. 


HP TippingPoint Network Security solutions

When every second matters, HP TippingPoint delivers industry-leading security intelligence powered by HP TippingPoint DVLabs—keeping you ahead of the threats. With simple, reliable and effective products including TippingPoint Next-Generation Intrusion Prevention System (IPS),  TippingPoint Next-Generation Firewall (NGFW), and the TippingPoint Security Management System, we are on your side, delivering proactive network security protection.  Learn more about how HP TippingPoint can help you with your network security solutions.


Labels: DVLabs| TippingPoint
Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.