  BlackEnergy 2's one-two punch
Fritz
« on: 2010-06-16 17:07:39 »

Online banking, hmmm; no one mentions that many still do not use an external certificate authority and thereby invite spoofing to capture credentials.

"We're off to see the wizard, the wonderful wizard of Oz ... ignore the man behind the curtain."

Fritz


Eastern European banks under attack by next-gen crime app


Source: The Register
Author: Dan Goodin in San Francisco
Date: 2010.06.16

Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions' authentication system and then hits it with a denial-of-service attack.

The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks' Counter Threat Unit.


The attacks, which also use a BlackEnergy 2 module to bypass a Java-based application the banks use to authenticate customers online, began near the end of 2009. They show no signs of letting up, said Stewart, who observed the same modus operandi earlier this week.

“Over the months that I've been monitoring this botnet, it's attacked probably a dozen or more banks with the same type of pattern of attacking the java authentication app,” Stewart told The Register. “All we see is, yes, this group has the plug-in that does the banking theft and then we see them also hacking that same banking authentication with the DDoS attack.”

BlackEnergy came to prominence in 2008 when it was reportedly used to disrupt internet communications in Georgia during the armed conflict between the former Soviet republic and Russia. It quickly became a major staple among Eastern European thugs, selling online for about $40 until free, pirated copies became widely available.

BlackEnergy 2, which Stewart first began monitoring in 2009, greatly expands what the software can do. It brings modular functionality to the tool, so separate programmers can write plug-in programs in much the way developers do for the Firefox browser. The gangs Stewart is monitoring are combining BlackEnergy's core DDoS functionality with an add-on to hack the Java authentication application, said Stewart, who presented his findings at this week's FIRST, or Forum of Incident Response and Security Team, conference in Miami.

“It's a good technique to keep [bank employees] distracted while they get the money moved out,” Stewart said. It also “keeps people whose money is in transfer from logging on and seeing what's happening.”

Bank customers victimized in the attacks are being targeted by trojans disguised as pay-per-install applications.

In a major break from previous methods, the gangs are exclusively attacking banks in Russia and Ukraine. Previously, they went out of their way to avoid attacking banks in the region, presumably out of fear of attracting attention of law enforcement agents in the criminals' own backyard. Stewart said he's seen at least two unrelated bank fraud scams exclusively targeting banks in Russia and Ukraine, including the Bredavi trojan.

Stewart's report is below:

BlackEnergy Version 2 Analysis

Source:  http://www.secureworks.com/research/threats/blackenergy2
Date: March 3, 2010
Author: Joe Stewart, Security Researcher with the SecureWorks' Counter Threat Unit (CTU)

Introduction

BlackEnergy, a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used in the cyber attacks launched against the country of Georgia in the Russia/Georgia conflict. BlackEnergy was authored by a Russian hacker. A comprehensive analysis of the version of BlackEnergy circulating at the time was done in 2007 by Arbor Networks. Although many versions of the trojan builder kit are in circulation on underground forums, the last release of the original BlackEnergy trojan available at the time of this writing seems to be version 1.9.2.

It appears, however, that BlackEnergy 2 has been in quiet development for over a year, and is a top-to-bottom rewrite of the codebase. Although there have been no public releases of the trojan builder kit for BlackEnergy 2 at this time (and thus we do not have any documentation actually containing the name "BlackEnergy 2"), it is certain that this new trojan is the successor to BlackEnergy version 1, even if the author chooses to rename it. Various fingerprints of the original BlackEnergy codebase can be found throughout the new trojan, along with fingerprints of other source codes which were released by the author at different times. This analysis will refer to BlackEnergy version 2 as "BE2" at times throughout for the sake of brevity.

Unlike the old BlackEnergy versions, BlackEnergy 2 uses modern rootkit/process-injection techniques, strong encryption and a modular architecture. The original BlackEnergy kit did have a rudimentary trojan component used to hide the trojan executable and process, but BlackEnergy 2 is much more sophisticated. The basis for the new rootkit seems to be found in an older rootkit project released by the author called "BlackReleaver". Analysis of the code has shown that the older rootkit source code has been combined with new functions for unpacking and injecting modules into user processes and is now the core of the new rootkit-based BlackEnergy 2.



There is no distinct antivirus trojan family name that corresponds to the BE2 dropper or rootkit driver. Antivirus engines that detect it either label it with a generic name, or as another trojan - most often it is mis-identified as "Rustock.E", another rootkit trojan from a different malware family. The BlackEnergy rootkit does share some techniques in common with the Rustock rootkit, so this detection is not surprising. Even at a high level, there are some common tactics, such as the use of a "matryoshka doll" architecture (see ThreatExpert's blog entry "Rustock.C - Unpacking a Nested Doll"). <snip>

« Last Edit: 2010-06-16 17:13:07 by Fritz »

Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains -anon-