Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Arbor Networks Goes Inside Development of BlackRev DDoS Malware

Attackers are stepping up their development of a piece of distributed denial-of-service (DDoS) malware tied to attacks across the world.

Attackers are stepping up their development of a piece of distributed denial-of-service (DDoS) malware tied to attacks across the world.

The malware, dubbed ‘Black Revolution’, has been spotted attacking sites in the U.S., Russia, Germany and several other nations since April. According to researchers at Arbor Networks, popular targets have included gambling sites, hacking forums and DDoS-as-a-service providers.

“Compared to popular DDoS botnets like Dirtjumper and Yoyoddos, Blackrev is still small,” Dennis Schwarz, security research analyst for ASERT, Arbor Security Engineering Research Team, told SecurityWeek. “Since we started monitoring this botnet in late April, we’ve seen seven distinct [command and control] domains. Out of these, four have issued attack commands.”

According to Schwarz, there are four revisions to the malware in the wild today, of which version two is the most popular. A technical analysis of each of the revisions is available here.

“I would consider all of the revisions at a “medium” sophistication level,” he said. “There are a lot of common components we see in other malware that are missing from Blackrev: packed binaries, anti-debug/anti-virtual machine, and obfuscation/crypto.”

According to DDoS mitigation provider Prolexic Technologies, the bandwidth of DDoS attacks generally has jumped significantly this year. In its Quarterly Global DDoS Attack Report, the average attack bandwidth totaled 48.25 Gbps in the first quarter of 2013, a 718 percent increase over the fourth quarter of 2012.

In a survey of 130 network operators released earlier this year, Arbor Networks found that 46 percent reported multi-vector attacks that use combinations of volumetric, state-exhaustion and application-layer attack vectors to hit organizations at the same time. The attacks pose challenges because they require layered solutions across the data center and the cloud to be mitigated successfully. In the previous year’s report, only 27 percent of respondents reported these attacks.

Though Black Revolution Trojan has been revised multiple times by its authors, the reason for the changes does not seem to be selling the malware on the open market, as the Malware Research Laboratory reported that it has not been seen being sold on underground forums yet. According to Schwarz, there were signs circa April 2013 that the code was under active development, and the associated campaigns were likely test runs.

“Based on the Delphi usage, command and control locations, and the language references in some of the HTTP headers, the nationality of this family is empirically Russian,” blogged Schwarz. “But, as with all malware attribution, this is highly speculative. It is also unclear whether a single threat actor has access to the source code or whether the code has been released or leaked and multiple actors are making modifications.”

“It will be interesting to see how this family will evolve and how active it will become in the wild,” he added.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...