BlackEnergy DDoS

Published: 2010-09-14. Last Updated: 2011-01-24 23:35:33 UTC
by Adrien de Beaupre (Version: 1)
3 comment(s)

Shadowserver has published their take on a recent series of DDoS attacks: http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913. The control domains, victim industries, countries affected, and command communications are all listed in the article. It is not a complete analysis of the BlackEnergy bot, and bots are not a new phenomenon, but it serves to remind us that DDoS for hire is still around, botnets are still around, and that their impact can be devastating.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: blackenergy ddos

Comments

Is anything done by CERT or any related orgs/communities/authorities to fight it?

Are we just trying to research new malware developments and document their victims?

PS: I've personally reported the DDoS to CanCERT a few weeks ago and received no response or help on the topic...

Control domains are .ru, though at least one of the names resolves to a Moldova netblock. Neither of which is surprising in the least.

At home I use the list of China and Korea netblocks maintained at www.okean.com to blackhole those pits of spam, phish, and malware. Does anyone know of an accurate, up-to-date list of netblocks for Russia, or for all of the former S.U.? I'm not so concerned about DDoS topics at home (though I wouldn't want my systems recruited for such an attack), but there's plenty of other badness lurking where there's little or no content we'd want or even be able to read.

It's not a perfect defense, I know, and it sure wouldn't fly at work. But many are the times there is an article here about the latest malware, and I find it's hosted in China and know it's nothing I have to worry about my family stumbling into. Though I hate the idea of chopping the i'net into disconnected pieces, Johnny can't read "#%=+@" anyway.

Know of any ex-SU netblock lists?

@Ken: For rejection of spam (well, all emails) from certain countries, you can use the country-based RBL from nerd.dk (http://countries.nerd.dk).
