
MSRT December ’12 – Phdet

12 Dec 2012

Win32/Phdet is the family added to the December 2012 release of the Malicious Software Removal Tool (MSRT). Phdet is a family of backdoor trojans that are able to perform distributed denial of service (DDoS) attacks on command.

The bot is known online under the name “Black Energy”.

The DDoS bot has existed for a number of years, with initial detections added in 2007.

An attacker can build and configure binaries to perform different actions, and can specify the frequency and type of DoS to be performed, as illustrated in Figure 1.

Figure 1: “Black Energy” builder

The configuration can be updated via a web-based control panel, which is implemented in MySQL and PHP. The control panel also provides some basic statistics on the number of bots.

Network communications between the command and control server and the bot may be encrypted. Beneath the encryption, the information is exchanged in XML format. The bot also stores an encrypted copy of the internal configuration in a similar layout, as follows:

<?xml version="1.0" encoding="windows-1251"?>
<bkernel>
  <servers>
    <server>
      <type>http</type>
      <addr>hxxp://<removed>.215.2.7/company/contacts.php</addr>
    </server>
  </servers>
  <cmds>
  </cmds>
  <http_key>17635454375409656991655428185564513</http_key>
  <sleepfreq>600</sleepfreq>
  <build_id>2707</build_id>
</bkernel>
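As an added example (not code from the original post or from the MMPC), the following Python script parses a decrypted <bkernel> configuration in the layout shown above and pulls out the indicators an analyst would want to block or hunt for: the C2 URLs and hosts, the http_key, the polling interval and the build id. The post does not describe the encryption wrapped around the stored configuration, so the script assumes it has already been stripped. The sample configuration embedded below is constructed for the example; its C2 addresses (192.0.2.7 in the documentation range, and c2.example.net) are placeholders, not real Black Energy hosts, and the second <server> entry is added only to show that the parser handles more than one server.

```python
"""Parse a Black Energy / Phdet-style <bkernel> configuration and extract IOCs.

Added example; not part of the original MMPC post. Takes the configuration
XML after decryption (the decryption itself is not described in the post).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample in the layout shown in the post. The addresses are
# placeholders (documentation range / example domain), not real C2 hosts.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="windows-1251"?>
<bkernel>
  <servers>
    <server>
      <type>http</type>
      <addr>http://192.0.2.7/company/contacts.php</addr>
    </server>
    <server>
      <type>http</type>
      <addr>http://c2.example.net/stat.php</addr>
    </server>
  </servers>
  <cmds>
  </cmds>
  <http_key>17635454375409656991655428185564513</http_key>
  <sleepfreq>600</sleepfreq>
  <build_id>2707</build_id>
</bkernel>
""".encode("windows-1251")


@dataclass
class BkernelConfig:
    servers: list = field(default_factory=list)  # (type, url) pairs
    cmds: list = field(default_factory=list)     # any queued commands
    http_key: str = ""
    sleepfreq: int = 0                           # polling interval, seconds
    build_id: str = ""


def parse_bkernel(data: bytes) -> BkernelConfig:
    """Parse the XML bytes; passing bytes lets the parser honour the
    windows-1251 declaration instead of assuming UTF-8."""
    root = ET.fromstring(data)
    if root.tag != "bkernel":
        raise ValueError(f"unexpected root element {root.tag!r}")

    cfg = BkernelConfig()
    for srv in root.iterfind("./servers/server"):
        stype = (srv.findtext("type") or "").strip()
        addr = (srv.findtext("addr") or "").strip()
        if addr:  # skip malformed/empty entries rather than failing
            cfg.servers.append((stype, addr))
    # <cmds> is empty in the posted config; keep whatever children exist.
    cfg.cmds = [(c.text or "").strip() for c in root.iterfind("./cmds/*")]
    cfg.http_key = (root.findtext("http_key") or "").strip()
    cfg.sleepfreq = int((root.findtext("sleepfreq") or "0").strip())
    cfg.build_id = (root.findtext("build_id") or "").strip()
    return cfg


def c2_hosts(cfg: BkernelConfig) -> list:
    """Unique C2 hostnames/IPs, in order, for blocklists or DNS/proxy log matching."""
    hosts = []
    for _, url in cfg.servers:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def defang(url: str) -> str:
    """Defang a URL for safe sharing (hxxp://, dots in the host bracketed)."""
    parts = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    host = (parts.hostname or "").replace(".", "[.]")
    port = f":{parts.port}" if parts.port else ""
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{port}{parts.path}{query}"


if __name__ == "__main__":
    cfg = parse_bkernel(SAMPLE_CONFIG)
    print(f"build_id={cfg.build_id} sleepfreq={cfg.sleepfreq}s http_key={cfg.http_key}")
    for stype, url in cfg.servers:
        print(f"  C2 ({stype}): {defang(url)}")
    print("hosts:", ", ".join(c2_hosts(cfg)))
```

The sleepfreq value gives the beacon interval (600 seconds, i.e. a check-in every ten minutes for the posted config), which is useful when looking for periodic HTTP POSTs to the extracted C2 paths in proxy logs.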

Examining the internal configuration of some of this year's most prevalent binaries shows the following command and control hosts in use:

  • <removed>.239.24.<removed>
  • <removed>.9.58.<removed>
  • <removed>.9.58.<removed>
  • <removed>aerda.mcdir.ru
  • <removed>blastart199.com
  • <removed>g44.com
  • <removed>g44444.com
  • <removed>start133333.com
  • <removed>ton-tm.org
  • <removed>ton-tm9999999.org

For additional details, you can read our Win32/Phdet family description.

Scott Molenkamp
-MMPC Melbourne
