Describe the Black Energy botnet and its use to mount denial of service attacks on critical infrastructure.
- [Voiceover] There's been a lot of noise about an incident known as BlackEnergy, as a result of attacks on Ukrainian critical infrastructure in 2014, reportedly by Russia. The term 'BlackEnergy' variously refers to a threat actor, a botnet, and a piece of malware. Let's have a look at what this really is. A variety of botnets can be used to conduct DDoS attacks, and BlackEnergy is one of the most popular, with over 4,000 deployments having been detected. BlackEnergy started out as a web-based distributed denial of service botnet, but in 2008 its authors made significant modifications to the original version, and BlackEnergy 2 is now used for a much wider range of attacks.
BlackEnergy is a sophisticated botnet which consists of a command and control server and an implant. It has a number of interesting features. It actively hides from anti-malware products using encryption. It operates by injecting code into system processes, and it can target more than one IP address on a hostname, which makes it especially useful for multihomed servers. Once the implant is launched on the target computer, it allocates virtual memory, copies its decryptor code to the memory, and then passes control to it.
It creates a decryptor driver with a random name and a .sys extension in System32\drivers. A service for the driver, also randomly named, is then created and started. The decryptor holds a 16-byte pre-key, and this is used to create another key, which is used to decrypt the injection archive using RC4. The malicious-code dynamic link library (DLL) is then prepared for injection by re-mapping addresses, and the driver locates svchost.exe, allocates memory in its address space, and injects the malicious code.
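The RC4 step described above, as an added example for analysts (this is not code from the course, nor from the malware itself). The page says only that a 16-byte pre-key is used to create the real key; the derivation is not given, so a SHA-256 truncation stands in here as a labelled assumption, and the "archive" is a constructed byte string. The point it demonstrates is that RC4 is a symmetric stream cipher with no secret beyond the key, so anyone holding the driver also holds everything needed to unpack the injected DLL; the "hiding" is obfuscation, not protection.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA) then keystream generation (PRGA).
    Encryption and decryption are the same operation (XOR with the keystream)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                    # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                       # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(pre_key: bytes) -> bytes:
    """Placeholder derivation (assumption): the description only says the 16-byte
    pre-key is used to create another key; the real schedule is not published here,
    so a truncated SHA-256 stands in. The structure, not the hash, is the point."""
    if len(pre_key) != 16:
        raise ValueError("pre-key must be 16 bytes")
    return hashlib.sha256(pre_key).digest()[:16]


def decrypt_archive(pre_key: bytes, blob: bytes) -> bytes:
    """Recover the injection archive from its RC4-encrypted form."""
    return rc4(derive_key(pre_key), blob)


# Constructed sample: a fake pre-key and a fake DLL stub, encrypted the same way.
PRE_KEY = bytes(range(16))
PLAIN = b"MZ\x90\x00 constructed DLL stub, not a real binary"
SAMPLE_BLOB = rc4(derive_key(PRE_KEY), PLAIN)

if __name__ == "__main__":
    print(decrypt_archive(PRE_KEY, SAMPLE_BLOB))
```

The `rc4` function is checked against the standard published test vector (key `Key`, plaintext `Plaintext`), so only the key derivation is an assumption.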
The DLL which is injected into svchost.exe is the main controlling factor in launching a DDoS attack from an infected computer. The DLL contains two addresses for its command and control server, to ensure it can communicate if one server is down. It sends an HTTP request to the command and control server, which responds with an encrypted XML configuration file. This contains instructions on the targets for the DDoS and the attack modules to use. If the implant doesn't have a module, or a new version is available, it will download it and copy it into the service host (svchost.exe) memory space.
The attack can then commence. Attack modules will be regularly downloaded to the implant by the BlackEnergy command and control server, and stored in encrypted form on the host computer's hard drive as str.sys in System32\drivers. The implant also uses a system driver, syssrv.sys, to hide the implant's processes and files. BlackEnergy can run a number of DDoS attacks with the following commands: icmp, an ICMP ping flood; syn, a TCP SYN flood; udp, a UDP traffic flood; an HTTP GET request flooder; data, a binary packet flooder; and a DNS request flooder.
In addition to the plug-ins, BlackEnergy also has a set of commands: rexec, which is used to download and execute a remote file; lexec, which executes a local file on the infected computer; http, to send an HTTP request; upd, or update, which updates the implant; setfreq, to set the frequency for contacting the command and control server; stop, to stop attack activity; wait, a timed wait before checking again; and die, to terminate execution of the implant.
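The host and network behaviour described over the last few paragraphs gives a defender several things to look for: a randomly named .sys file dropped into System32\drivers with a service created for it, memory allocated remotely in svchost.exe, the named files str.sys and syssrv.sys, and svchost.exe checking in with the command and control server at a fixed interval (the frequency that setfreq controls). The triage script below, added here as an example and not code from the course or from any vendor product, runs those checks over a constructed set of EDR-style events. The event field names, the short driver allowlist, the "random-looking name" pattern and the scoring weights are all assumptions; a real deployment would use a signed-driver baseline and tune the weights.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Host artefacts named in the description above (paths lower-cased for comparison).
DRIVERS_DIR = r"c:\windows\system32\drivers"
KNOWN_BAD_FILES = {"str.sys", "syssrv.sys"}
# Assumed allowlist of expected drivers; a real deployment would use a signed-driver
# baseline or hash set rather than a short list like this.
KNOWN_GOOD_DRIVERS = {"ndis.sys", "tcpip.sys", "afd.sys", "http.sys"}
# Assumption: a freshly dropped, randomly named driver has a bare alphanumeric stem.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,}\.sys$")

WEIGHTS = {                      # assumed weights; tune to your environment
    "known_bad_driver_name": 5,
    "unrecognised_driver_dropped": 2,
    "service_for_unrecognised_driver": 2,
    "svchost_remote_alloc": 3,
    "periodic_beacon": 2,
}
ALERT_THRESHOLD = 5

# Constructed sample telemetry (not real data); fields mimic a generic EDR export.
EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\System32\drivers\k3j9x0qz.sys"},
    {"host": "ws01", "type": "service_create", "name": "k3j9x0qz",
     "image": r"C:\Windows\System32\drivers\k3j9x0qz.sys"},
    {"host": "ws01", "type": "remote_alloc", "source": "k3j9x0qz.sys", "target": "svchost.exe"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\System32\drivers\str.sys"},
    {"host": "ws01", "type": "http", "process": "svchost.exe", "dest": "203.0.113.10", "ts": 0},
    {"host": "ws01", "type": "http", "process": "svchost.exe", "dest": "203.0.113.10", "ts": 600},
    {"host": "ws01", "type": "http", "process": "svchost.exe", "dest": "203.0.113.10", "ts": 1200},
    {"host": "ws02", "type": "file_create", "path": r"C:\Windows\System32\drivers\ndis.sys"},
    {"host": "ws02", "type": "http", "process": "svchost.exe", "dest": "203.0.113.10", "ts": 5},
]


def _classify_driver(path: str) -> Tuple[str, bool, bool]:
    """Return (basename, is_known_bad, is_unrecognised) for a file path."""
    p = path.lower()
    directory, _, name = p.rpartition("\\")
    if directory != DRIVERS_DIR:
        return name, False, False
    bad = name in KNOWN_BAD_FILES
    unrec = (not bad) and name not in KNOWN_GOOD_DRIVERS and bool(RANDOM_NAME.match(name))
    return name, bad, unrec


def triage(events: List[dict]) -> Dict[str, Tuple[int, List[str]]]:
    """Score each host from the event stream; returns {host: (score, [finding names])}."""
    findings: Dict[str, List[str]] = defaultdict(list)
    beacons: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        findings.setdefault(host, [])            # every host seen gets an entry
        if kind == "file_create":
            _, bad, unrec = _classify_driver(ev["path"])
            if bad:
                findings[host].append("known_bad_driver_name")
            elif unrec:
                findings[host].append("unrecognised_driver_dropped")
        elif kind == "service_create":
            _, _, unrec = _classify_driver(ev["image"])
            if unrec:
                findings[host].append("service_for_unrecognised_driver")
        elif kind == "remote_alloc" and ev["target"].lower() == "svchost.exe":
            findings[host].append("svchost_remote_alloc")
        elif kind == "http":
            beacons[(host, ev["process"].lower(), ev["dest"])].append(int(ev["ts"]))
    # A fixed check-in interval (what setfreq configures) shows up as equal gaps.
    for (host, _proc, _dest), stamps in beacons.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and len(set(gaps)) == 1:
            findings[host].append("periodic_beacon")
    return {h: (sum(WEIGHTS[f] for f in fs), fs) for h, fs in findings.items()}


def alerts(events: List[dict]) -> List[str]:
    """Hosts whose combined score reaches the alert threshold."""
    return sorted(h for h, (score, _) in triage(events).items() if score >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for host, (score, fs) in triage(EVENTS).items():
        print(f"{host}: score={score} findings={fs}")
    print("alert:", alerts(EVENTS))
```

Scoring rather than single-indicator matching is deliberate: a lone unrecognised driver or a lone periodic HTTP connection from svchost.exe is common on a healthy Windows host, but the combination of a dropped driver, a service for it, injection into svchost.exe and a regular beacon is the chain the description lays out. Only ws01 in the constructed data crosses the threshold.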
BlackEnergy, like many botnets, comes as a botnet construction kit, and a command and control server is built for a specific campaign. It's not readily available from the internet, but comes from Russian-language hacker forums, and costs around 40 dollars. The command and control server is built using PHP and MySQL, typically running on Linux, and has a simple PHP GUI interface. It maintains a table called 'opt', which contains the parameters of the DDoS attack, and a table called 'stat', to track the size of the botnet.
The builder runs an encryptor over the generated implant, thus making it invisible to antivirus products. A BlackEnergy attack on Ukraine's power infrastructure was announced, after the event, by the Ukrainian government on December the 28th, 2015, and it was attributed by them to the Russian special forces. A power outage had occurred in the Ivano-Frankivsk region on the 23rd of December, which suggests that the attack had been successful. In this event, a payload called KillDisk was used to destroy target systems.
The attack was accompanied by a flood of telephone calls to the technical support numbers of the power companies. Researchers have designated the attackers as the Sandworm Crew. Malware samples obtained during the attack indicate that the same malware was used earlier in the year to target the Ukrainian media sector. The samples indicate discrete campaigns in June, July, October, and December. This spate of attacks was not the first time the Sandworm Group have targeted Ukraine.
An earlier incident took place in 2014, just prior to the NATO summit in Wales, using spear phishing and a malicious attachment purporting to be about Russian terrorists. The Ukrainian CERT also commented on media attacks which took place in October. At least some of the targets were hit with a new version of BlackEnergy, designated BlackEnergy 3. Ukrainian media reported that the power outage was caused by malware disconnecting power stations from the grid.
While BlackEnergy has evolved, the threat of denial of critical infrastructure services continues to be its primary focus, and all indications are that this is a continuing and evolving threat.
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.
- What is denial of service?
- SYN flooding
- Smurf and URL flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding SIP
- Detecting DoS with PeerShark
- Defeating DoS attacks