Updated BlackEnergy DDoS Botnet kit (Jan 18, 2010)


BlackEnergy is a popular web-based DDoS (Distributed Denial of Service) botnet kit originally written by a member of a Russian hacking group. It has been in development for quite some time now, and in the latter part of last year we saw this botnet evolve from targeting websites for DDoS attacks to include a plugin architecture that allows email spamming and facilitates online banking fraud.

This botnet kit comes in a package that usually resides on the C&C server of the botnet owner. It contains the following malicious files:

  • builder.exe (v1.9.2) – detected as GAV: BlackEnergy.A (Trojan)
  • calc.exe – detected as GAV: Crypted_2 (Trojan)
  • crypt.exe – detected as GAV: Crypted_2 (Trojan)

The builder.exe is the component responsible for building the dropper.exe (botnet client) file that carries the payload for this botnet. This file usually arrives on the system when downloaded by unsuspecting users from gaming websites or forums.

A screenshot of the builder.exe is shown below:

[Screenshot: builder.exe]

Once executed, the botnet client installs its rootkit component, which hides its presence from the user, and its main DLL component, which is responsible for loading the plugins. After installation, the client phones home to its server and waits for additional commands.

The botnet server can issue the following commands to the client:

  • rexec – download and execute a remote file
  • lexec – execute a local command using cmd.exe
  • die – uninstall BlackEnergy Botnet
  • upd – download and install a remote update
  • setfreq – change the phone-home interval of the trojan
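The bot's fixed phone-home interval (adjustable only through the setfreq command) is something a defender can look for in outbound connection logs. The following Python is an added example, not code from the original post or from the kit; the proxy log format, the host names and the addresses are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "timestamp src_host dst_host:port" (assumed format)
SAMPLE_LOG = """\
2010-01-18T10:00:00 ws-17 203.0.113.10:80
2010-01-18T10:00:07 ws-17 198.51.100.5:443
2010-01-18T10:10:00 ws-17 203.0.113.10:80
2010-01-18T10:20:00 ws-17 203.0.113.10:80
2010-01-18T10:30:00 ws-17 203.0.113.10:80
2010-01-18T10:40:00 ws-17 203.0.113.10:80
2010-01-18T10:41:33 ws-17 198.51.100.5:443
2010-01-18T10:50:00 ws-17 203.0.113.10:80
2010-01-18T11:05:12 ws-17 198.51.100.5:443
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def beacon_score(timestamps):
    """(mean gap in seconds, coefficient of variation), or None if too few samples."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return None if mean == 0 else (mean, statistics.pstdev(gaps) / mean)

def find_beacons(text, max_cv=0.1):
    """Flag (src, dst, period) pairs whose connection spacing is nearly constant:
    a fixed phone-home interval gives a low coefficient of variation."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            hits.append((src, dst, round(score[0])))
    return hits

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {period}s, possible bot phone-home")
```

Interactive browsing to the same host produces irregular gaps and is not flagged; tune max_cv and the minimum sample count to the network's noise level.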

This botnet uses DDoS plugins to launch ICMP, SYN, UDP and HTTP floods against designated targets. It may also employ a spam plugin and an online banking fraud plugin. The banking plugin we have seen is capable of stealing banking credentials from an infected computer by injecting an embedded sub-module into the following browser processes:

  • iexplore.exe
  • firefox.exe
  • flock.exe
  • opera.exe
  • java.exe

The banking plugin may also be paired with another DLL module, kill.dll, that is capable of destroying the filesystem of the infected machine by overwriting the first 4,096 clusters of the disk with random data. It also attempts to delete the files “ntldr” and “boot.ini” from the root of the filesystem, rendering a Windows system unreadable and unbootable.

The screenshots below show the control page of the C&C server when issuing commands to the bot clients:

[Screenshots: C&C server control page]

This Trojan is also known as Backdoor:Win32/Phdet.D [Microsoft], Win32:Blackenergy [Trj] [Avast] and DoS.Win32.BlackEnergy.a [Kaspersky].

SonicWALL has multiple signatures protecting users from this botnet, including:

  • GAV: BlackEnergy.A (Trojan)
  • GAV: Kbot.S_3 (Trojan)
  • GAV: Crypted_2 (Trojan)
  • GAV: Inject.GF_2 (Trojan)
  • GAV: Rustok.H (Trojan)
  • GAV: Agent.KJA (Trojan)
  • GAV: Rustok.D (Trojan)
  • GAV: Rustok.DV (Trojan)
