BlackEnergy
- Type: Trojan
- SubType: Dropper
- Discovery Date: 03/05/2010
- Length:
- Minimum DAT: 5914 (03/08/2010)
- Updated DAT: 5914 (03/08/2010)
- Minimum Engine: 5.4.00
- Description Added: 03/08/2010
- Description Modified: 03/08/2010 11:07 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update March 9, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=223101487
--
This variant of the BlackEnergy trojan is a complete rewrite of the original BlackEnergy trojan, which was used in the 2008 conflict between Russia and Georgia.
We analysed several different droppers, all of which share common properties.
They all drop a rootkit that is responsible for hiding parts of the malware on disk and in memory. The dropped rootkit is also responsible for injecting a DLL into svchost.exe.
The main DLL is responsible for loading and executing various plugins.
At the time of analysis the following plugins were known to exist:
· ddos – plugin to generate DDoS traffic against a target using the TCP, UDP, ICMP and HTTP protocols
· http – plugin that uses Internet Explorer to flood a target with HTTP requests
· syn, synflood – plugin to flood a target with TCP SYN requests
· ibank, ibank-inject – plugin to steal banking credentials from the infected machines
· kill – plugin to render the infected machine unusable by overwriting the installed fixed drives with random data. This might be used to prevent users from logging in to online banking after their credentials have been stolen.
· spm_v1 – plugin to send spam (spambot)
The following registry entries are added:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters> "NextInstance"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "Class"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "ClassGUID"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "ConfigFlags"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "DeviceDesc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "Legacy"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000\Control "*NewlyCreated*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000\Control "ActiveService"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "DisplayName"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "ErrorControl"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "ImagePath"
Data: \??\%SysDir%\drivers\<RANDOM letters>.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "RulesData"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "Start"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "Type"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Enum "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Enum "Count"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Enum "NextInstance"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Security "Security"
(where %SysDir% is the system32 folder within the Windows folder, usually C:\Windows\system32)
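The registry footprint above (a kernel-driver service under Services\<RANDOM letters> whose ImagePath points at \??\%SysDir%\drivers\<RANDOM letters>.sys, a RulesData value on that service, and a matching LEGACY_ key under Enum\Root) can be checked offline against a `reg export` of the SYSTEM hive. The following script is an added example written for this description, not McAfee's tooling or any BlackEnergy code; the .reg text, the service names and the baseline allowlist are constructed for illustration, and a real export writes REG_EXPAND_SZ values such as ImagePath as `hex(2):` blobs rather than the plain strings used here.

```python
"""Triage a `reg export` of HKLM\\SYSTEM\\CurrentControlSet for kernel-driver
services matching the BlackEnergy dropper profile described above.

Added example; not part of the original description. All sample data is constructed.
"""
import re

# Constructed sample export: one benign driver service and one that matches the
# profile, plus the Enum\Root\LEGACY_ entry the PnP manager creates once a legacy
# driver service has been started. ImagePath is written as a plain string for
# readability (a real export would use hex(2): for REG_EXPAND_SZ).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"DisplayName"="Beep"
"ImagePath"="system32\\DRIVERS\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwxnrtvb]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"DisplayName"="qwxnrtvb"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\qwxnrtvb.sys"
"RulesData"=hex:01,02,03

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwxnrtvb\Enum]
"0"="Root\\LEGACY_QWXNRTVB\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QWXNRTVB\0000]
"Service"="qwxnrtvb"
"Legacy"=dword:00000001
"""

# Constructed allowlist; in practice this comes from a known-clean reference image.
BASELINE = {"beep", "null", "mountmgr"}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
ENUM_ROOT_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_"
SERVICE_KERNEL_DRIVER = 1  # Type value for a kernel-mode driver service
# \??\<anything>\drivers\<letters only>.sys, as in the ImagePath data above
DRIVER_PATH_RE = re.compile(r"^\\\?\?\\.+\\drivers\\([a-z]+)\.sys$", re.IGNORECASE)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse the subset of .reg syntax used above into {key: {name: value}}.
    Quoted strings are unescaped, dword values become ints, other encodings
    (hex:, hex(2):) are kept as raw text since only their presence matters here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def triage_drivers(reg_text, baseline):
    """Return {service_name: [reasons]} for kernel-driver services that show one or
    more of the indicators listed in the description."""
    keys = parse_reg(reg_text)
    # Services referenced from Enum\Root\LEGACY_*\0000 "Service": started at least once.
    legacy_services = {
        v["Service"].lower()
        for k, v in keys.items()
        if k.upper().startswith(ENUM_ROOT_PREFIX.upper()) and isinstance(v.get("Service"), str)
    }
    findings = {}
    for key, values in keys.items():
        if not key.upper().startswith(SERVICES_PREFIX.upper()):
            continue
        name = key[len(SERVICES_PREFIX):]
        if "\\" in name or values.get("Type") != SERVICE_KERNEL_DRIVER:
            continue  # skip subkeys (Enum, Security) and non-driver services
        reasons = []
        image = values.get("ImagePath")
        if isinstance(image, str) and DRIVER_PATH_RE.match(image) and name.lower() not in baseline:
            reasons.append("letters-only driver under \\??\\%SysDir%\\drivers not in the baseline")
        if "RulesData" in values:
            reasons.append("service carries a RulesData value")
        if name.lower() in legacy_services:
            reasons.append("matching LEGACY_ key under Enum\\Root")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in triage_drivers(SAMPLE_REG, BASELINE).items():
        print(f"{svc}: " + "; ".join(why))
```

Run it against the output of `reg export HKLM\SYSTEM\CurrentControlSet services.reg` from a suspect host; a driver service that hits all three indicators is a strong candidate for deeper analysis, while a single hit on the path check alone is common for legitimate third-party drivers and should be read together with the baseline.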
Symptoms
• Presence of file and registry values mentioned above
• Increase in internet traffic
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This variant of the BlackEnergy trojan drops various malware components, hidden by a rootkit, and can install various plugins to execute payloads.