January 17, 2013
Recall that BackDoor.BlackEnergy BlackEnergy is a complex multi-component malware primarily used for spamming. It enabled criminals to create one of the largest spam botnets, capable of sending as many as 18 billion messages per day at its peak period of activity. BackDoor.BlackEnergy programs download their modules and the xml configuration file from a control server.
Apparently, the criminals behind BackDoor.BlackEnergy.36 are the same people who used earlier versions of programs in this malicious family. This assumption is supported by the fact that BackDoor.BlackEnergy.36 utilizes the same encryption key that was used by some bots controlled from servers brought down in summer 2012.
Unlike previous editions in the malware family, BackDoor.BlackEnergy.36 has its configuration file encrypted and stored in the dynamic linking library whose code in injected into the process svchost.exe or explorer.exe when the Trojan is launched. In addition, this program features a slightly modified version of the protocol via which it communicates with a control server.
To date, Doctor Web's virus analysts have discovered several control servers that criminals are employing in an attempt to create another mass mailing botnet. Doctor Web continues to monitor closely the activity of BackDoor.BlackEnergy.36 in the wild while its signature has been added to the Dr.Web virus databases, so the malware poses no threat to computers running Dr.Web anti-viruses.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.