Russian anti-virus company Doctor Web is warning users about another malicious program of the BackDoor.BlackEnergy family. In July 2012 many media outlets reported that the main BlackEnergy control servers had been shut down, but the botnet ceased operating completely only in autumn 2012, and a new modification of the threat emerged in January 2013.
Recall that BackDoor.BlackEnergy is complex multi-component malware used primarily for spamming. It enabled criminals to build one of the largest spam botnets, capable of sending as many as 18 billion messages per day at the peak of its activity. BackDoor.BlackEnergy programs download their modules and an XML configuration file from a control server.
Apparently, the criminals behind BackDoor.BlackEnergy.36 are the same people who operated earlier versions of this malware family. This assumption is supported by the fact that BackDoor.BlackEnergy.36 uses the same encryption key that was used by some of the bots controlled from the servers taken down in summer 2012.
Unlike previous editions in the malware family, BackDoor.BlackEnergy.36 stores its configuration file in encrypted form inside a dynamic-link library whose code is injected into the svchost.exe or explorer.exe process when the Trojan is launched. In addition, this version uses a slightly modified variant of the protocol by which it communicates with the control server.
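The write-up says the configuration-carrying DLL is injected into svchost.exe or explorer.exe. A first triage step on a suspect Windows host is therefore to enumerate the modules loaded into those two processes and look for anything that is not validly signed or does not live under the system directory. The following PowerShell is an added example written for this page, not code or indicators published by Doctor Web: the "not Authenticode-signed or outside %SystemRoot%" rule is this example's own heuristic, since the article does not name the DLL or its path.

```powershell
# Added example (not from Doctor Web's write-up): triage check for DLLs loaded
# into svchost.exe / explorer.exe, the two hosts the article says the Trojan
# injects its configuration-carrying DLL into. Run from an elevated session.
# The flagging rule below (signature not Valid, or file outside %SystemRoot%)
# is a generic heuristic, not an indicator published for BackDoor.BlackEnergy.36.

$systemRoot = $env:SystemRoot
$targets = Get-Process -Name svchost, explorer -ErrorAction SilentlyContinue

$findings = foreach ($proc in $targets) {
    try {
        # .Modules throws on access denied or on a 32/64-bit bitness mismatch;
        # record that rather than silently skipping the process.
        $modules = $proc.Modules
    } catch {
        Write-Warning ("Cannot enumerate modules of {0} (PID {1}): {2}" -f `
            $proc.ProcessName, $proc.Id, $_.Exception.Message)
        continue
    }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }

        $inSystemRoot = $path.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }

        # Flag modules that are either unsigned/invalidly signed or loaded
        # from outside the Windows directory; review each hit manually.
        if ($status -ne 'Valid' -or -not $inSystemRoot) {
            [PSCustomObject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $path
                Signature = $status
            }
        }
    }
}

$findings | Sort-Object Process, PID, Module | Format-Table -AutoSize
```

Expect some legitimate hits in explorer.exe (third-party shell extensions load there and are often installed under Program Files), so treat the output as a worklist for manual review, and pair it with a check of the network connections those processes hold if the host is suspected of contacting a control server.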
To date, Doctor Web’s virus analysts have discovered several control servers that the criminals are using in an attempt to build another mass-mailing botnet. Doctor Web continues to monitor the activity of BackDoor.BlackEnergy.36 in the wild closely; its signature has been added to the Dr.Web virus databases, so the malware poses no threat to computers protected by Dr.Web anti-virus products.