In the past few weeks I've been looking at a lot of DDoS botnets, specifically HTTP botnets. Today I'm pleased to release a report on one of the networks of botnets I've been looking at, based on the BlackEnergy toolkit. From the summary of the paper:
BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike most common bots, this bot does not communicate with the botnet master using IRC. Also, we do not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small (under 50KB) binary for the Windows platform that uses a simple grammar to communicate. Most of the botnets we have been tracking (over 30 at present) are located in Malaysian and Russian IP address space and have targeted Russian sites with their

This report is based on analysis of the distribution package of the BlackEnergy botnet, tracking approximately 30 live and distinct botnets, and disassembly of several samples captured in the wild.
I received a lot of additional data, binaries and reports from various researchers in the community. To respect their confidentiality, I credit them by initials in the paper. The bot has gotten only marginal attention from malcode research people in the past few months. However, it's a prototypical HTTP bot. BlackEnergy has been called a "skiddie tool" by someone I know, and looking at the attacks they've been launching I'm inclined to agree. The threat level from this botnet isn't as high as it is from other botnets we're tracking. Two graphics not in the paper are shown below: the botnet C&C locations and the DDoS targets. If you flip between them quickly you'll notice some overlap: one botnet attacking another.
[Figure: BlackEnergy HTTP C&C locations]

[Figure: BlackEnergy DDoS targets]
You can download and read the report for yourself: BlackEnergy DDoS Bot Analysis [PDF], 11 pages.