SecureWorks researcher Joe Stewart revealed details of his research into a Russian botnet that has taken the unusual step of targeting Russian banks - a change from the typical focus on snaring victims in the West. The botnet also has a plug-in architecture that allows attackers to extend its abilities without writing new source code.
Like the sequel to a
successful movie, the botnet behind the distributed denial of service attacks
that hit the country
during its conflict with Russia in 2008 has been updated.
This time though, the idea
isn't hacktivism-it's stealing financial data and, unlike in the case of other
Russian botnets, the targets are the operators' own countrymen.
"They haven't historically
gone after their own countrymen. ... It definitely looks like there's a trend
because since that discovery I found two ... different bot families that are also
targeting various Russian
[and] Ukranian banking application systems
," said Joe Stewart, security
researcher with SecureWorks' Counter Threat Unit.
Stewart pulled the
covers off from the botnet, which
he calls BlackEnergy 2,
this week at the
. According to
SecureWorks, BlackEnergy 2 has been in quiet development for over a year.
Though it still bears some of the hallmarks of the first BlackEnergy-the
botnet involved in the Georgia cyber-attacks-it also represents a
significant rewrite of the codebase and features a modular design that
uses plug-ins for its distributed denial of service (DDoS), spam and malware
"I started digging into
that [malware] plug-in a little more and realized it's a keylogger and a file
stealer for a very particular application," Stewart said. "Investigating that
application, [it] turns out it's a banking authentication system that's only
used by Russian and Ukranian banks.
"The one thing about
BlackEnergy's diving into cyber-fraud is that it's also got these DDoS
capabilities," he continued. "And what this criminal group is doing is they're
using this banking plug-in to steal authentication credentials and then they
are turning around and launching denial of service attacks against the same
banks that use this authentication system. So it would seem that what they're
doing is logging into the accounts and transferring money, and then launching
an attack against the bank to distract them perhaps from being able to notice
these transactions have occurred, or if they are getting notified, they are
paying more attention to this denial of service attack that's taken all of
their customers offline."
In addition, the
Trojan plug-in is accompanied by a module designed to destroy
the filesystem of an infected machine if it is given a "kill"
command. This plug-in architecture separates it from other botnets
in that it can be extended without writing new source code into
it, Stewart said.
"We're seeing more and
more of the malware become modular and keep a core Trojan that's responsible
for loading everything else on disk, allows them to swap things out more easily
[and] keeps them from having to write a bunch of stuff, have it all detected by
antivirus software and then have to recompile all that stuff," he said.
According to SecureWorks'
research, the hackers are infecting the bank customers with the Trojan
through pay-per-install malware scams, as well as possibly malicious e-mails
and compromised Russian sites.
"Detection is the
challenge," he said. "Trying to detect it on disk is always a
situation where the antivirus companies are going to be X number of days or
weeks behind just because it's so easy now for the virus authors, the Trojan
authors, to run their sample through a service that scans it through all the
different [antivirus] engines," Stewart said.
SecureWorks said the
company notified law enforcement about its findings.