Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Black.Energy botnet reborn

January 17, 2013

Russian anti-virus company Doctor Web is warning users about another malicious program of the BackDoor.BlackEnergy family. In July 2012 many mass media outlets reported on the shutting down of the main BlackEnergy servers, but the botnet ceased to operate completely only in autumn 2012. And a new modification of the threat emerged in January 2013.

Recall that BackDoor.BlackEnergy BlackEnergy is a complex multi-component malware primarily used for spamming. It enabled criminals to create one of the largest spam botnets, capable of sending as many as 18 billion messages per day at its peak period of activity. BackDoor.BlackEnergy programs download their modules and the xml configuration file from a control server.

screen

Apparently, the criminals behind BackDoor.BlackEnergy.36 are the same people who used earlier versions of programs in this malicious family. This assumption is supported by the fact that BackDoor.BlackEnergy.36 utilizes the same encryption key that was used by some bots controlled from servers brought down in summer 2012.

Unlike previous editions in the malware family, BackDoor.BlackEnergy.36 has its configuration file encrypted and stored in the dynamic linking library whose code in injected into the process svchost.exe or explorer.exe when the Trojan is launched. In addition, this program features a slightly modified version of the protocol via which it communicates with a control server.

To date, Doctor Web's virus analysts have discovered several control servers that criminals are employing in an attempt to create another mass mailing botnet. Doctor Web continues to monitor closely the activity of BackDoor.BlackEnergy.36 in the wild while its signature has been added to the Dr.Web virus databases, so the malware poses no threat to computers running Dr.Web anti-viruses.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040