2014-06-21 - DDoS
BotnetKernel (MS:Win32/Phdet.S), an evolution of BlackEnergy
I didn't find any advert for what seems to be an evolution of the DDoS bot/botnet BlackEnergy: Microsoft:Backdoor:Win32/Phdet.S, BotnetKernel Bot.
Here is a C&C panel (screenshots):
BotnetKernel C&C Panel: Control
BotnetKernel C&C Panel: Control - Stats by Countries
BotnetKernel C&C Panel: Control - Stats by Builds
BotnetKernel C&C Panel: Plugins
BotnetKernel C&C Panel: Plugins config: ddos
BotnetKernel C&C Panel: Plugins config: http
BotnetKernel C&C Panel: Plugins config: slow
BotnetKernel C&C Panel: Bot list
BotnetKernel C&C Panel: Bot list - Search (FR) - Cmd and Cfg on a bot
Sandboxing it:
Force reboot captured by Cuckoo Sandbox (screenshot)
C:\WINDOWS\system32\drivers\nethost.sys - f4827d3fc17af67f390b59f5ed04622c
C:\WINDOWS\system32\DLL1.tmp
Traffic (pcap at the end):
Four identical check-in requests: POST /ya/getcfg.php HTTP/1.1 to http://nav555asto.mcdir.ru/ya/getcfg.php
IDS alerts (ETPRO ruleset), in chronological order:
06/21/2014-03:45:47.325018 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 91.194.254.180:80
06/21/2014-03:45:48.563590 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1071 -> 91.194.254.180:80
06/21/2014-03:45:49.765657 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1072 -> 91.194.254.180:80
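As an added example (not part of the original post), here is a small Python parser for fast.log-style alert lines like the three above; it groups the check-in alerts by signature and C&C endpoint, which is the aggregation a SOC would run over a full alert log to list which internal hosts are beaconing. The sample lines are copied from the capture above; timestamps are compared as strings, which assumes one log day in the same format.

```python
import re

# Alert lines copied from the sandbox capture above (same day, same format).
FAST_LOG = """\
06/21/2014-03:45:47.325018 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 91.194.254.180:80
06/21/2014-03:45:48.563590 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1071 -> 91.194.254.180:80
06/21/2014-03:45:49.765657 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1072 -> 91.194.254.180:80
"""

# One regex for the whole "fast" alert format: timestamp, gid:sid:rev, message,
# classification, priority, protocol and the src:port -> dst:port pair.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Turn each alert line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            d[k] = int(d[k])
        events.append(d)
    return events


def summarize_c2(events):
    """Group alerts by (sid, dst, dport): hit count, beaconing hosts, first/last seen."""
    summary = {}
    for e in events:
        key = (e["sid"], e["dst"], e["dport"])
        s = summary.setdefault(
            key, {"msg": e["msg"], "count": 0, "victims": set(), "first": e["ts"], "last": e["ts"]}
        )
        s["count"] += 1
        s["victims"].add(e["src"])
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return summary


if __name__ == "__main__":
    for (sid, dst, dport), s in summarize_c2(parse_fast_log(FAST_LOG)).items():
        print(f"sid {sid} {s['msg']}: {s['count']} hits to {dst}:{dport} from {sorted(s['victims'])}")
```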
Read more:
BlackEnergy Rootkit, Sort Of - 2014-06-13 - F-Secure
New variant of the Phdet.s rootkit, hard to detect (Nueva variante del rootkit Phdet.s de difícil detección) - 2014-03-04 - SatInfo
MSRT December '12 - Phdet - 2012-12-11 - Scott Molenkamp - Microsoft
BlackEnergy Version 2 Analysis - 2010-03-10 - Joe Stewart - Dell SecureWorks
Updated BlackEnergy DDoS Botnet Kit - 2010-01-18 - Dell
BlackEnergy DDoS Bot Analysis (PDF) - 2007-10 - Jose Nazario - Arbor Networks (ASERT)