Chintan Shah is a security research lead with McAfee Labs, focused on several areas of advanced threat research, ...
BlackEnergy was a very popular DDoS bot a couple of years back. This bot has been under development and has evolved quite a bit over toward its more current successor, the Darkness bot. This Bot has evolved with new features continuously added to extend its malicious capabilities. Researchers have been keeping an eye on it and current analysis of the Command and Control(C&C) traffic its bot existing in the wild have revealed that this bot could be the product of the Russian cybercrime market. Traces indicating the same production have been found within the bot executables as well.
This bot comes with a variety of DoSing capabilities and has been observed targeting Russian websites. Recently, during our investigation, we managed to get access to the BlackEnergy builder toolkit, which unlike previous available builder versions, comes with the option of building polymorphic binaries to bypass AV detections and also includes anti-debugging features. The toolkit comes with web functionality which includes PHP scripts for controlling the Bot and other details such as MySQL database schemas.
The first post in this series provides a detailed analysis of the BlackEnergy bot builder toolkit. We will also examine the server side PHP scripts to understand the bot command and control channel. Additionally we will also analyze the DDoS traffic generated by the bot. Next part of this series will shed some light over the recently emerging Darkness bot which is believed to be related to BlackEnergy and has overshadowed BlackEnergy in terms of its DoSing capabilities.
BlackEnergy DDoS Bot builder :
The above screenshot is of the builder toolkit used to build the bot client which is then usually distributed through drive-by downloads or through Spam emails.
Below are all the default parameters used to build the bot client and as such most of the parameters are self explanatory.
Host: C&C Server communicating with the bot client.
Request Rate: Specifies the time interval after which new command should be fetched from the C&C server.
Build ID: Unique Build ID for each bot. This will change every time the builder tool kit is invoked.
Default Command: Command to execute if bot client cannot connect to the C&C server.
Execute after: Time after which command should be executed.
Outfile : Final bot client executable name.
Default DDoS parameters:
ICMP Freq: No. of ICMP packets to send in the attack.
ICMP Size: Size of the ICMP packets in the attack.
Syn Freq: No. of SYN packets to send in SYN flood attack.
HTTP Freq: No. of HTTP Request to send in the HTTP flood attack.
HTTP Threads: No. of HTTP threads to create during the attack.
TCP /UDP Freq: No. of TCP/UDP packets to send during TCP/UDP flood attack.
TCP Size: Size of the TCP payload.
UDP Size: Size of the UDP payload.
Spoof IP’s: Boolean value to enable or disable IP Spoofing during the flooding.
Use Crypt traffic: May be used for encrypting the bot client communication.
Use polimorph exe: Inserts different encryption routines to bypass AV detection.
After specifying all the configuration options, clicking the “Build” button will output the bot client which is then distributed through various means.
Server Side Botnet Command and Control System :
The toolkit comes with the C&C server side PHP scripts which interacts with the MYSQL database at the backend to track the bot infections. We’ve observed the following files in the toolkit.
The C&C system comes with the basic HTTP password authentication scheme. Auth.php presents the Login/Password screen from where the Botnet can be further controlled by the Bot Master.
Admin and MySQL Login details are saved in the config.php file as below.
// íàñòðîéêè áàçû
$opt['mysql_host'] = “localhost”;
$opt['mysql_user'] = “b0t2″;
$opt['mysql_pass'] = “2413038″;
$opt['mysql_base'] = “b0t2″;
// ëîãèí è ïàññ ê àäìèíêå
$opt['admin_pass'] = “admin”;
$opt['admin_login'] = “132″;
Bot C&C system has a pretty simple database schema with the SQL queries in the db.sql file. Following is an excerpt from that file.
– Table structure for table `opt`
CREATE TABLE `opt` (
`name` varchar(255) NOT NULL,
`value` varchar(255) NOT NULL,
PRIMARY KEY (`name`)
Following are its default values which are displayed on the UI when index.php is accessed.
– Dumping data for table `opt`
INSERT INTO `opt` (`name`, `value`) VALUES (‘attack_mode’, ’0′),
db.sql also has an important table structure, “stat,” used for tracking the size of the botnet. All the data that is POSTed by the bot client is logged in this table along with the Build ID which is sent back by the bot client to the C&C system.
– Table structure for table `stat`
CREATE TABLE `stat` (
`id` varchar(50) NOT NULL,
`addr` varchar(16) NOT NULL,
`time` int(11) NOT NULL,
`build` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
Index.php is the script that connects to the SQL database and fetches the statistics which are displayed on the GUI. Here are a few of the SQL queries we found in this file:
Architecture of the Botnet:
We studied the Command and Control system of this bot and figured out how the scripts interact internally. Below is how the server side system interact with other modules that keep track of the infections.
We have reverse-engineered C&C code on the bot client and have identified that it comes with three major type of commands. Arguments to these commands are also documented in the Readme.txt and cmdhelp.html files accompanying this package in the Russian language. During our analysis of the bot client binary we’ve also found the 4th command which is not documented in the help files. Let’s understand each of the commands.
A ) flood:-
The “Flood” command instructs the bot client to initiate several different types of flooding attacks. Arguments to this command instructs the bot about the type of flood attack to generate along with the other parameters as shown earlier Figure 1. Arguments to the type of flooding attacks can be following:
The Flood command along with the arguments and other parameters are sent by the server to the bot client in Base-64 encoded format. Below is an example of the decoded command indicating how the bot client is instructed to carry out a TCP SYN flood on port 80:
4500;2000;100;1;0;30;500;500;200;1000;2000#flood syn mail.ru 80 #10#xEN-XPSP1_80D1F15C
B ) stop:-
Stop command instructs the bot client to temporarily stop DDoS floods.
C ) die:-
Die command instructs the bot client to delete itself from the infected system. It calls the ExitProcess API to terminate the process and stop all DDoS activities
D ) open:-
This is the undocumented command. The binary analysis bot client shows that this command may be used to download other executable files or possibly to update the bot executable itself.
E ) wait:-
This command instructs the bot client to remain silent without performing any activity and contact the C&C server for new commands after the specified interval. Format of this command is as shown below:
This instructs the bot client to wait for 10 minutes before checking for new commands . This is exactly what can be figured out from the screenshot below.
The BlackEnergy Bot client uses HTTP protocol to communicate with the C&Cserver. It uses HTTP POST request to stat.php page. POST request data is then logged into the “stat” table in the database primarily used for tracking the bots. The information sent by the bot-client in the HTTP POST request message includes the ID and the build ID.
The ID parameter is a combination of the SMB hostname and the C:\ volume information of the infected machine. The code section below shows how the ID parameter is built.
Build_ID is the parameter which is randomly generated by the bot builder and is used to track the botnet infections. In response, the C&C server replies with the Base-64 encoded command as shown below:
The decoded command shows the following:
This shows the extent up to which the DDoS parameters are configurable in this bot. All the parameters are present even in the #wait# command. Likewise, a variety of different DoS commands can be given by C&C sever, a few of which are listed below:
# flood syn www.abc.com 25#10#
# flood http www.xyz.com#20#
# flood udp;dns;syn;220.127.116.11#10#
# flood icmp 18.104.22.168#5#
A very significant finding of our analysis has shown that the toolkit that is used to build the bot client executable is actually backdoored. On execution of the toolkit, it opens a random port on the builder’s system in listening mode. Also, it has been found to be sending significant system information to remote servers. Below is the snapshot of Base-64 encoded traffic that we captured when the toolkit was launched for the building of a bot.
Decoding the above traffic shows the info that was being sent by this toolkit to the author of the toolkit.
The toolkit is also found to send the following system information. Clearly there is no honor among thieves!
McAfee IPS coverage for BlackEnergy
McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the BlackEnergy bot under the attack ID 0x48804c00 BOT: BlackEnergy Bot Traffic Detected. McAfee customers with up-to-date installations are protected against this malware.
In the next part of this series, we will take a closer look at the recent DDoS attack power of the Darkness bot.