Attackers are stepping up their development of a piece of distributed denial-of-service (DDoS) malware tied to attacks across the world.
The malware, dubbed ‘Black Revolution’, has been spotted attacking sites in the U.S., Russia, Germany and several other nations since April. According to researchers at Arbor Networks, popular targets have included gambling sites, hacking forums and DDoS-as-a-service providers.
“Compared to popular DDoS botnets like Dirtjumper and Yoyoddos, Blackrev is still small,” Dennis Schwarz, security research analyst for ASERT, Arbor Security Engineering Research Team, told SecurityWeek. “Since we started monitoring this botnet in late April, we’ve seen seven distinct [command and control] domains. Out of these, four have issued attack commands.”
According to Schwarz, four revisions of the malware are in the wild today, of which version two is the most widespread. Arbor has published a technical analysis of each revision.
“I would consider all of the revisions at a ‘medium’ sophistication level,” he said. “There are a lot of common components we see in other malware that are missing from Blackrev: packed binaries, anti-debug/anti-virtual machine, and obfuscation/crypto.”
According to DDoS mitigation provider Prolexic Technologies, the bandwidth of DDoS attacks has generally jumped significantly this year. In its Quarterly Global DDoS Attack Report, the average attack bandwidth was 48.25 Gbps in the first quarter of 2013, a 718 percent increase over the fourth quarter of 2012.
In a survey of 130 network operators released earlier this year, Arbor Networks found that 46 percent reported multi-vector attacks, which combine volumetric, state-exhaustion and application-layer attack vectors against an organization at the same time. Such attacks are harder to mitigate because each vector is stopped at a different point: volumetric floods saturate upstream links and must be scrubbed in the cloud or by the upstream provider, state-exhaustion attacks overwhelm the connection tables of stateful devices such as firewalls and load balancers, and application-layer attacks look like legitimate requests and need inspection close to the application in the data center. A layered defense spanning the data center and the cloud is therefore required. In the previous year’s report, only 27 percent of respondents reported these attacks.
Though the Black Revolution Trojan has been revised multiple times by its authors, the motive for the changes does not appear to be selling the malware on the open market: the onthar.in Malware Research Laboratory reported that it has not yet been seen for sale on underground forums. According to Schwarz, there were signs circa April 2013 that the code was under active development, and the associated campaigns were likely test runs.
“Based on the Delphi usage, command and control locations, and the language references in some of the HTTP headers, the nationality of this family is empirically Russian,” blogged Schwarz. “But, as with all malware attribution, this is highly speculative. It is also unclear whether a single threat actor has access to the source code or whether the code has been released or leaked and multiple actors are making modifications.”
“It will be interesting to see how this family will evolve and how active it will become in the wild,” he added.