BlackEnergy DDoS Bot – Analysis Available

In the past few weeks I’ve been looking at a lot of DDoS botnets, specifically HTTP botnets. Today I’m pleased to release a report on one of the networks of botnets I’ve been looking at, based on the BlackEnergy toolkit. From the summary of the paper:

BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike most common bots, this bot does not communicate with the botnet master using IRC. Also, we do not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small (under 50KB) binary for the Windows platform that uses a simple grammar to communicate. Most of the botnets we have been tracking (over 30 at present) are located in Malaysian and Russian IP address space and have targeted Russian sites with their DDoS attacks.

This report is based on analysis of the distribution package of the BlackEnergy botnet, tracking approximately 30 live and distinct botnets, and disassembly of several samples captured in the wild.
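The point of the summary for a defender is that an HTTP bot does not show up where IRC bots do: blocking or watching IRC ports tells you nothing, and the check-ins hide inside ordinary web traffic in proxy logs. The following is an added example, not code from the paper or from Arbor; it does not reproduce the bot's actual command grammar. It assumes a generic periodic HTTP check-in and constructed, simplified proxy log lines (epoch seconds, client, method, URL, bytes), and flags client/host/path combinations whose request timing is too regular to be a person browsing.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines in a simplified proxy access-log format:
#   epoch_seconds client_ip method url bytes_sent
# These are made-up entries for illustration, not captures from the report.
# 10.0.0.5 checks in roughly every 60 seconds with a little jitter;
# 10.0.0.9 is an ordinary user browsing a news site.
SAMPLE_LOG = """\
1200000000 10.0.0.5 POST http://c2.example.invalid/stat.php 64
1200000058 10.0.0.5 POST http://c2.example.invalid/stat.php 64
1200000119 10.0.0.5 POST http://c2.example.invalid/stat.php 64
1200000179 10.0.0.5 POST http://c2.example.invalid/stat.php 64
1200000241 10.0.0.5 POST http://c2.example.invalid/stat.php 64
1200000007 10.0.0.9 GET http://news.example.invalid/index.html 512
1200000101 10.0.0.9 GET http://news.example.invalid/story/1 2048
1200000890 10.0.0.9 POST http://news.example.invalid/login 300
1200001450 10.0.0.9 GET http://news.example.invalid/ 1200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (ts, client, method, host, path, bytes) tuples.

    Lines that do not match the assumed format are skipped rather than
    raising, since real proxy logs carry occasional malformed entries.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, size = m.groups()
        host_path = url.split("://", 1)[-1]
        host, _, path = host_path.partition("/")
        records.append((int(ts), client, method, host, "/" + path, int(size)))
    return records


def find_beacons(records, min_requests=4, max_cv=0.2):
    """Return client/host/path keys whose request timing looks machine-periodic.

    For every (client, host, path) with at least `min_requests` hits, compute
    the gaps between consecutive requests. A coefficient of variation
    (stdev / mean) at or below `max_cv` means the requests arrive on a
    near-fixed schedule, which is how an automated check-in looks and how
    human browsing does not. Thresholds are illustrative assumptions.
    """
    by_key = defaultdict(list)
    for ts, client, method, host, path, size in records:
        by_key[(client, host, path)].append(ts)

    findings = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[key] = {"count": len(stamps), "period_s": avg, "cv": cv}
    return findings


if __name__ == "__main__":
    for key, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        client, host, path = key
        print(f"{client} -> {host}{path}: {info['count']} requests, "
              f"period {info['period_s']:.1f}s, cv {info['cv']:.3f}")
```

On the constructed input only the 10.0.0.5 check-in is reported (five requests, about a 60 second period); the human session is spread across different paths at irregular intervals and never qualifies. In practice this runs over a day of logs and the output is triage input, not a verdict: legitimate software updaters and RSS readers beacon too, so the flagged destinations still need to be reviewed.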

I received a lot of additional data, binaries and reports from various researchers in the community. To respect their confidentiality, I credit them by initials in the paper. The bot has only gotten marginal attention from malcode research people in the past few months. However, it’s a prototypical HTTP bot. BlackEnergy has been called a “skiddie tool” by someone I know, and looking at the attacks they’ve been launching I’m inclined to agree. The threat level from this botnet isn’t as high as it is from other botnets we’re tracking. Two graphics that are not in the paper are shown below: the botnet C&C locations and the DDoS targets. If you flip between them quickly you’ll notice some overlap; that is one botnet attacking another.

BlackEnergy HTTP C&C locations

BlackEnergy DDoS targets

You can download and read the report for yourself: BlackEnergy DDoS Bot Analysis [PDF], 11 pages.

2 Responses to “BlackEnergy DDoS Bot – Analysis Available”

February 14, 2008 at 6:13 am, CHIP Online 0-security-blog » Blog Archiv » BlackEnergy DDoS Bot im Eigenbau said:

[…] “BlackEnergy is an HTTP-based botnet that is used mainly for DDoS (denial of service) attacks. Unlike others, this bot does not communicate with the botnet master over IRC. Most botnets of this kind have been sighted at IP addresses in Malaysia and Russia. The DDoS attacks were directed at Russian websites.” (a rough translation of the analysis by Arbor Networks) […]

March 06, 2012 at 11:50 am, Breaking Armageddon's Crypto | DDoS and Security Reports | Arbor Networks Security Blog said:

[…] Armageddon is one of several notable Russian malware families that are designed exclusively for DDoS attacks; it has been on our radar screens for some time now. Its primary competitors within the market of Russian DDoS vendors are Dirt Jumper (a.k.a. RussKill), Darkness/Optima (a.k.a. Votwup), and of course BlackEnergy. […]
