
SANS ISC: BlackEnergy DDoS - Internet Security | DShield SANS ISC InfoSec Forums


BlackEnergy DDoS

Shadowserver has published their take on a recent series of DDoS attacks http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913. The control domains, victim industries, countries affected, and command communications are all listed in the article. It is not a complete analysis of the BlackEnergy bot, and bots are not a new phenomenon, but it serves to remind us that DDoS for hire is still around, botnets are still around, and that their impact can be devastating.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Adrien de Beaupre

Is anything done by CERT or any related orgs/communities/authorities to fight it?

Are we just trying to research new malware developments and document their victims?

PS: I've personally reported the DDoS to CanCERT a few weeks ago and received no response or help on the topic...
Anonymous
Control domains are .ru, though at least one of the names resolves to a Moldova netblock. Neither of which is surprising in the least.

At home I use the list of China and Korea netblocks maintained at www.okean.com to blackhole those pits of spam, phish, and malware. Does anyone know of an accurate, up-to-date list of netblocks for Russia, or for all of the former S.U.? I'm not so concerned about DDoS topics at home (though I wouldn't want my systems recruited for such an attack), but there's plenty of other badness lurking where there's little or no content we'd want or even be able to read.

It's not a perfect defense, I know, and it sure wouldn't fly at work. But many are the times there is an article here about the latest malware, and I find it's hosted in China and know it's nothing I have to worry about my family stumbling into. Though I hate the idea of chopping the i'net into disconnected pieces, Johnny can't read "#%=+@" anyway.

Know of any ex-su netblock lists?
Hal

@Ken: For rejection of spam (well, all emails) from certain countries, you can use the country-based RBL from nerd.dk (http://countries.nerd.dk)
Frank

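Both Hal's netblock blackholing and Frank's country RBL come down to the same two mechanics: a reversed-octet DNSBL query whose answer encodes a country, and a prefix list that is checked (or null-routed) locally. The Python below is an added illustration, not code from the diary, from ISC or from nerd.dk. It assumes that the combined zone is `zz.countries.nerd.dk` and answers `127.0.HI.LO` with `HI*256+LO` the ISO 3166-1 numeric code, and that a per-country zone such as `ru.countries.nerd.dk` answers `127.0.0.2` on a match; the sample netblocks are constructed from RFC 5737 test ranges.

```python
"""Country DNSBL lookup plus local netblock blackhole check (added example).

Assumptions not stated on the page: zone names and the 127.0.HI.LO answer
encoding of nerd.dk's combined zone; confirm against the service's own docs.
"""
import ipaddress
import socket
from typing import Iterable, Optional

COMBINED_ZONE = "zz.countries.nerd.dk"   # assumed zone name


def dnsbl_query_name(ip: str, zone: str = COMBINED_ZONE) -> str:
    """Build the reversed-octet query name used by IPv4 DNSBLs."""
    addr = ipaddress.IPv4Address(ip)      # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_country_answer(answer: str) -> Optional[int]:
    """Turn a 127.0.HI.LO answer into an ISO 3166-1 numeric code.

    A per-country zone answers 127.0.0.2 (decodes to 2) on a match.
    """
    a = ipaddress.IPv4Address(answer)
    if a not in ipaddress.IPv4Network("127.0.0.0/16"):
        return None                       # not a DNSBL-style answer
    _, _, hi, lo = a.packed
    return hi * 256 + lo


def lookup_country(ip: str) -> Optional[int]:
    """Live query (needs DNS). NXDOMAIN means 'unknown', not 'allowed'."""
    try:
        return decode_country_answer(socket.gethostbyname(dnsbl_query_name(ip)))
    except socket.gaierror:
        return None


# Constructed sample standing in for a downloaded country netblock file;
# collapse_addresses merges the two adjacent /25s into one /24.
BLOCKLIST = sorted(ipaddress.collapse_addresses([
    ipaddress.IPv4Network("203.0.113.0/24"),
    ipaddress.IPv4Network("198.51.100.0/25"),
    ipaddress.IPv4Network("198.51.100.128/25"),
]))


def is_blackholed(ip: str, nets: Optional[Iterable] = None) -> bool:
    """True if ip falls inside any listed prefix."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in (BLOCKLIST if nets is None else nets))


def null_route_cmd(net: ipaddress.IPv4Network) -> str:
    """Linux iproute2 command that discards traffic to a prefix."""
    return f"ip route add blackhole {net}"
```

Treat an empty DNSBL answer as "unknown" rather than "safe", and keep the null-route list short and regenerated from a fresh download, since stale country lists drift as netblocks are reassigned.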
