Amplifying Black Energy
Click here to download the full report.
The Black Energy malware family has a long and storied history dating back to 2007. Originally a monolithic DDoS platform, significant advancements were made in 2010 including support for an extensible plugin architecture that allowed Black Energy 2 to more easily expand beyond DDoS into other activities such as info-stealing, web-based banking attacks, spamming, etc.
This report examines, in-depth, a new Black Energy 2 plugin (ntp.dll) that allows “BE2” botnets to launch true distributed NTP reflection/amplification attacks. This is significant for a couple of reasons:
- To the best of our knowledge, this may represent one of the first C&C-controlled (not standalone) Windows bots to correctly and effectively implement an NTP-based reflection/amplification attack.
- Reflection/amplification attacks are already responsible for generating the largest of DDoS attacks. Integrating this attack method into traditional Windows botnets could increase the impact of these attacks even further.
In detailing the relatively impressive technical implementation of this new BE2 DDoS attack plugin, this report provides some excellent general networking insights, an understanding of what it takes to really pull off a reflection/amplification attack on the Windows platform, and a somewhat humorous look at some prior attempts by other malware that weren’t so effective.