Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management

    Russian Banking Trojan BlackEnergy 2 Unmasked at RSA

    By
    Brian Prince
    -
    March 4, 2010
    Share
    Facebook
    Twitter
    Linkedin

      Like the sequel to a successful movie, the botnet behind the distributed denial of service attacks that hit the country of Georgia during its conflict with Russia in 2008 has been updated.

      This time though, the idea isn’t hacktivism-it’s stealing financial data and, unlike in the case of other Russian botnets, the targets are the operators’ own countrymen.

      “They haven’t historically gone after their own countrymen. … It definitely looks like there’s a trend because since that discovery I found two … different bot families that are also targeting various Russian [and] Ukranian banking application systems,” said Joe Stewart, security researcher with SecureWorks’ Counter Threat Unit.

      Stewart pulled the covers off from the botnet, which he calls BlackEnergy 2, this week at the RSA conference in San Francisco. According to SecureWorks, BlackEnergy 2 has been in quiet development for over a year. Though it still bears some of the hallmarks of the first BlackEnergy-the botnet involved in the Georgia cyber-attacks-it also represents a significant rewrite of the codebase and features a modular design that uses plug-ins for its distributed denial of service (DDoS), spam and malware capabilities.

      “I started digging into that [malware] plug-in a little more and realized it’s a keylogger and a file stealer for a very particular application,” Stewart said. “Investigating that application, [it] turns out it’s a banking authentication system that’s only used by Russian and Ukranian banks.

      “The one thing about BlackEnergy’s diving into cyber-fraud is that it’s also got these DDoS capabilities,” he continued. “And what this criminal group is doing is they’re using this banking plug-in to steal authentication credentials and then they are turning around and launching denial of service attacks against the same banks that use this authentication system. So it would seem that what they’re doing is logging into the accounts and transferring money, and then launching an attack against the bank to distract them perhaps from being able to notice these transactions have occurred, or if they are getting notified, they are paying more attention to this denial of service attack that’s taken all of their customers offline.”

      In addition, the Trojan plug-in is accompanied by a module designed to destroy the filesystem of an infected machine if it is given a “kill” command. This plug-in architecture separates it from other botnets like Zeus in that it can be extended without writing new source code into it, Stewart said.

      “We’re seeing more and more of the malware become modular and keep a core Trojan that’s responsible for loading everything else on disk, allows them to swap things out more easily [and] keeps them from having to write a bunch of stuff, have it all detected by antivirus software and then have to recompile all that stuff,” he said.

      According to SecureWorks’ research, the hackers are infecting the bank customers with the Trojan through pay-per-install malware scams, as well as possibly malicious e-mails and compromised Russian sites.

      “Detection is the challenge,” he said. “Trying to detect it on disk is always a situation where the antivirus companies are going to be X number of days or weeks behind just because it’s so easy now for the virus authors, the Trojan authors, to run their sample through a service that scans it through all the different [antivirus] engines,” Stewart said.

      SecureWorks said the company notified law enforcement about its findings.

      Avatar
      Brian Prince

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×