BlackEnergy – Simple to Control and Hard to Detect

Posted on July 16, 2014 by .

Share and Enjoy:
Follow Me on Pinterest More More

BlackEnergy is a web-based DDoS (distributed denial of service) bot, which was created in the mid-90′s by Russian hackers. BlackEnergy provides the attackers with an easily controlled web-based bot that can target more than one IP address per hostname and due to the runtime encrypter, the author has used, BlackEnergy botnet can prevent antivirus detection.

BalckEnergy provides a tool for hackers to create floods to different systems and servers, causing them to overload and deny service. Black Energy can accomplish those attacks from multiple systems at a time, attacking various IP addresses, which makes the attacks quite severe.

From the time, the BlackEnergy was initially launched until 2008 no significant changes in its way of work have been detected. 2008 new major update, known as Black Energy 2, has emerged. BlackEnergy is also knows as Backdoor.Win32.Blakken. Till then, the modulations mostly included different rootkits, so that various weak points in the operating systems can be exploited. Diverse droppers and Trojans were used to disperse BlackEnergy.

The most recent version of BlackEnergy has been transferred by a zip-file, claiming to contain a list of unsafe passwords. The zip-file itself opens normally, and the user can find an actual list within. Once the list is opened BlackEnergy starts to spread in the system as a background process, while an actual document with passwords acts as a decoy to the unsuspecting user.

BlackEnergy 2 – Step-by-step to Hostile Overtaking

The bot has a few main functions. Each of them is performed by a separate component of the program:

  • to hide the virus from the antimalware-program
  • to infect the system processes
  • to suggest flexible ways for the execution of the malicious activities, that the C&C (Control and Command) center sends

Similar to other threats, BlackEnergy 2 has a protective layer that does not allow the antivirus-products to detect it. As soon as an executable file is activated on the computer, the malicious application allocates virtual memory, copies the decryptor code on it and transfers control to the encryptor.

Once the decryptor code has been executed, it is placed in the memory. After its execution, a decryptor driver is created in the C:\Windows\System32\Drivers folder and a descriptor service is activated. The driver itself works as a cover for most of the interesting processes that follow after.

Inside of the decryptor driver is a block of encrypted data. That data is an infector which will insert a DLL into the svchost.exe.

The DLL inside the svchost.exe is the most important part for launching a DDoS attack from the infected computer. The DLL has a data string that creates an XML file that defines the bot’s original configuration. Among the data is the address of the botnet’s C&C. Sometimes there are more than one addresses added so there is a backup if the initial one cannot be contacted.

The bot then sends a preformed http request to the C&C, which contains details about the infected computer. That would include an identifier of the computer, serial number of the hard drive on which the Windows is installed, country, language strings, etc. If the Command and Contact Center authorizes the request, it replies with a bot configuration file which is an encrypted with RC4 XML document. The encryption itself is created with the computer identifier sent previously by the bot so that only that specific computer can operate with it.

Popularity: 32%

Leave a Reply

To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word