BlackEnergy

This page shows details and results of our analysis on the malware BlackEnergy

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Dropper
  • Protection Added: 2010-03-05

This variant of the BlackEnergy trojan drops several malware components that are hidden by a rootkit, and it can install plugins to execute additional payloads.


Minimum Engine

5600.1067

File Length

Description Added

2010-03-08

Description Modified

2010-03-09

Malware Proliferation

-- Update March 9, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=223101487

--

This variant of the BlackEnergy trojan is a complete rewrite of the original BlackEnergy trojan which was used in the conflict between Russia and Georgia back in 2008.

We analysed several different droppers, all of which share common properties.

They all drop a rootkit that is responsible for hiding parts of the malware on disk and in memory. The dropped rootkit is also responsible for injecting a DLL into svchost.exe.

The main DLL is responsible for loading and executing the various plugins.

At the time of analysis the following plugins were known to exist:

  • ddos: generates DDoS traffic against a target using the TCP, UDP, ICMP and HTTP protocols
  • http: uses Internet Explorer to flood a target with HTTP requests
  • syn, synflood: floods a target with TCP SYN requests
  • ibank, ibank-inject: steals banking credentials from the infected machine
  • kill: renders the infected machine unusable by overwriting the installed fixed drives with random data. This might be used to prevent users from logging in to online banking after their credentials were stolen.
  • spm_v1: sends spam (spambot)

The following registry entries are added:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters> "NextInstance"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "Class"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "ClassGUID"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "ConfigFlags"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "DeviceDesc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "Legacy"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000 "Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000\Control "*NewlyCreated*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<RANDOM letters>\0000\Control "ActiveService"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "DisplayName"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "ErrorControl"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "ImagePath"
Data: \??\%SysDir%\drivers\<RANDOM letters>.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "RulesData"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "Start"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters> "Type"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Enum "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Enum "Count"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Enum "NextInstance"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<RANDOM letters>\Security "Security"
(where %SysDir% is the system32 folder within the windows folder, usually C:\windows\system32)
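As an added example, not part of the original analysis: a Python check that parses a `reg export` dump of HKLM\SYSTEM\CurrentControlSet and flags driver services matching the footprint listed above (a `RulesData` value together with an `ImagePath` of the form `\??\...\drivers\<name>.sys` or a matching `Enum\Root\LEGACY_<NAME>` key). The sample dump is constructed, `qwxrtkpl` is a stand-in for the `<RANDOM letters>` placeholder, and the two-indicator threshold is an assumption of this example.

```python
import re
# Constructed sample in "reg export" format, trimmed to the values listed above.
# "qwxrtkpl" stands in for <RANDOM letters>; "Beep" is a benign control. A real
# export encodes ImagePath (REG_EXPAND_SZ) as hex(2); a plain string keeps this short.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwxrtkpl]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\qwxrtkpl.sys"
"RulesData"=hex:01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"ImagePath"="system32\\drivers\\Beep.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QWXRTKPL\0000]
"Service"="qwxrtkpl"
'''
SERVICES = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\'
LEGACY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_'
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    keys, current = {}, None                   # {key_path: {value_name: data}}
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}                  # keep keys that carry no values
        elif (m := VAL_RE.match(line)) and current is not None:
            name, data = m.groups()
            if data[:1] == '"' == data[-1:]:    # quoted string: strip and unescape
                data = data[1:-1].replace('\\\\', '\\')
            keys[current][name] = data
    return keys

def find_suspicious_drivers(keys):
    r"""Flag Services\<name> keys with RulesData plus at least one more indicator:
    ImagePath of the form \??\...\drivers\<name>.sys, or Enum\Root\LEGACY_<NAME>."""
    legacy = {k[len(LEGACY):].split('\\')[0].upper() for k in keys if k.startswith(LEGACY)}
    hits = []
    for path, values in keys.items():
        name = path[len(SERVICES):]
        if not path.startswith(SERVICES) or '\\' in name or 'RulesData' not in values:
            continue
        reasons = ['RulesData value present']
        image = values.get('ImagePath', '').lower()
        if image.startswith('\\??\\') and image.endswith('\\drivers\\%s.sys' % name.lower()):
            reasons.append('ImagePath is \\??\\...\\drivers\\%s.sys' % name)
        if name.upper() in legacy:
            reasons.append('Enum\\Root\\LEGACY_%s key present' % name.upper())
        if len(reasons) >= 2:
            hits.append((name, reasons))
    return hits
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet out.reg` taken from a suspect host; any hit should then be confirmed on disk, since the rootkit hides its files from a live system.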

  • Presence of the files and registry values mentioned above
  • Increase in internet traffic

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations