Most wanted: the Black Energy bot

21 Jul 2010
Virus News

Kaspersky Lab has published an article entitled "Black DDoS" which provides an analysis of the Black Energy 2 malicious bot.

The Black Energy bot has never stopped evolving. Kaspersky Lab has currently detected over 4,000 variants of the first version of this malicious program and the second version has been on security researchers' radars for two years. Black Energy 2 attracts hackers due to the fact that it's both versatile and easy to manage. The bot supports updateable plug-ins (additional modules) that make it easy for hackers to modify and expand the functionality of Black Energy 2. Plugins can be quickly installed and updated on commands sent from the remote administration center.

The bot's most popular plug-ins are designed to conduct DDoS attacks (i.e. distributed attacks designed to bring the targeted systems down). Numerous zombie computers infected with Black Energy 2 simultaneously send malformed and/or large data packets to the node under attack on commands sent from the command-and-control center. As a result, the target node will be overloaded and lose its ability to process any other data. Black Energy 2 supports the use of a variety of protocols to send such packets.

However, the features of Black Energy 2 are not limited to DDoS attacks. Malware writers have developed plug-ins that steal bank credentials and distribute malicious programs via peer-to-peer networks. "It is difficult to predict how botnet masters will use their botnets in the future. It's not hard for malware writers to create a plug-in and get it downloaded to infected user machines." says the author of the article, Kaspersky Lab virus analyst Dmitry Tarakanov.

The article provides an overview of the main Black Energy 2 components that are responsible for infection and communicating with the command-and-control center, as well as of the most common plug-ins and basic commands. The full version of Black DDoS is available at Securelist.com.