CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Arbor Networks Goes Inside Development of BlackRev DDoS Malware

Attackers are stepping up their development of a piece of distributed denial-of-service (DDoS) malware tied to attacks across the world.

Attackers are stepping up their development of a piece of distributed denial-of-service (DDoS) malware tied to attacks across the world.

The malware, dubbed ‘Black Revolution’, has been spotted attacking sites in the U.S., Russia, Germany and several other nations since April. According to researchers at Arbor Networks, popular targets have included gambling sites, hacking forums and DDoS-as-a-service providers.

“Compared to popular DDoS botnets like Dirtjumper and Yoyoddos, Blackrev is still small,” Dennis Schwarz, security research analyst for ASERT, Arbor Security Engineering Research Team, told SecurityWeek. “Since we started monitoring this botnet in late April, we’ve seen seven distinct [command and control] domains. Out of these, four have issued attack commands.”

According to Schwarz, there are four revisions to the malware in the wild today, of which version two is the most popular. A technical analysis of each of the revisions is available here.

“I would consider all of the revisions at a “medium” sophistication level,” he said. “There are a lot of common components we see in other malware that are missing from Blackrev: packed binaries, anti-debug/anti-virtual machine, and obfuscation/crypto.”

According to DDoS mitigation provider Prolexic Technologies, the bandwidth of DDoS attacks generally has jumped significantly this year. In its Quarterly Global DDoS Attack Report, the average attack bandwidth totaled 48.25 Gbps in the first quarter of 2013, a 718 percent increase over the fourth quarter of 2012.

In a survey of 130 network operators released earlier this year, Arbor Networks found that 46 percent reported multi-vector attacks that use combinations of volumetric, state-exhaustion and application-layer attack vectors to hit organizations at the same time. The attacks pose challenges because they require layered solutions across the data center and the cloud to be mitigated successfully. In the previous year’s report, only 27 percent of respondents reported these attacks.

Though Black Revolution Trojan has been revised multiple times by its authors, the reason for the changes does not seem to be selling the malware on the open market, as the onthar.in Malware Research Laboratory reported that it has not been seen being sold on underground forums yet. According to Schwarz, there were signs circa April 2013 that the code was under active development, and the associated campaigns were likely test runs.

Advertisement. Scroll to continue reading.

“Based on the Delphi usage, command and control locations, and the language references in some of the HTTP headers, the nationality of this family is empirically Russian,” blogged Schwarz. “But, as with all malware attribution, this is highly speculative. It is also unclear whether a single threat actor has access to the source code or whether the code has been released or leaked and multiple actors are making modifications.”

“It will be interesting to see how this family will evolve and how active it will become in the wild,” he added.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.