Updated BlackEnergy DDoS Botnet kit

January 18, 2010

BlackEnergy is a popular web-based DDos (Distributed Denial of Service) botnet kit originally written by a member of a Russian hacking group. It has been in development for quite some time now and in the later part of last year, we've seen this botnet evolve from targeting websites for DDoS attacks to include plugins architecture that allows spamming emails and facilitates online banking fraud.

This botnet kit comes in a package that usually resides in the C&C Server of the Botnet owner. It contains the following malicious files:

  • builder.exe (v 1.9.2) detected as GAV: BlackEnergy.A (Trojan)
  • calc.exe - detected as GAV: Crypted_2 (Trojan)
  • crypt.exe - detected as GAV: Crypted_2 (Trojan)

The builder.exe is the one responsible for building the dropper.exe (botnet client) file that carries the payload for this botnet. This file usually arrives in the system when downloaded by unsuspecting users from different gaming websites or forums.

A screenshot of the builder.exe is shown below:


Once executed, this botnet client will install its rootkit component to hide its presence from the user and the main dll component responsible for loading the plugins. After installation, the botnet client phones home to its server and waits for additional commands.

The botnet server can issue the following commands to the client:

  • rexec - download and execute a remote file
  • lexec - execute a local command using cmd.exe
  • die - uninstall BlackEnergy Botnet
  • upd - download and install a remote update
  • setfreq - change the phone-home interval of the trojan

This botnet utilizes DDos Plugins to launch icmp, syn, udp and http floods against designated targets. It may also employ spam plugin and online banking fraud plugin. The banking plugin we've seen is capable of stealing banking credentials from an infected computer by injecting an embedded sub-module in the following browser processes:

  • iexplore.exe
  • firefox.exe
  • flock.exe
  • opera.exe
  • java.exe

The banking plugin may also be paired with another dll module kill.dll that is capable of destroying the filesystem of the infected system by overwriting the first 4,096 clusters of the disk with random data. It also attempts to delete the files "ntldr" and "boot.ini" from root of the filesystem rendering the system unreadable and unbootable in Windows system.

The Screenshot below shows the control page of the C&C server when issuing commands on the bot clients:



This Trojan is also known as Backdoor:Win32/Phdet.D [Microsoft], Win32:Blackenergy [Trj] [Avast] and DoS.Win32.BlackEnergy.a [Kaspersky]

SonicWALL has multiple signatures protecting users from this botnet, including:

  • GAV: BlackEnergy.A (Trojan)
  • GAV: Kbot.S_3 (Trojan)
  • GAV: Crypted_2 (Trojan)
  • GAV: Inject.GF_2 (Trojan)
  • GAV: Rustok.H (Trojan)
  • GAV: Agent.KJA (Trojan)
  • GAV: Rustok.D (Trojan)
  • GAV: Rustok.DV (Trojan)