Phdet is the family added to the December 2012 release of the Malicious Software Removal Tool. Phdet is a family of backdoor trojans with the ability to perform distributed denial of service (DDoS) attacks.

Online, the bot goes by the name "Black Energy".

The DDoS bot has existed for a number of years, with initial detections added in 2007.

An attacker can build and configure binaries to perform different actions, and can specify the frequency and type of DoS to be performed, as illustrated in Figure 1.

Figure 1: "Black Energy" builder


The configuration can be updated via a web-based control panel, which is implemented in MySQL and PHP. The control panel also provides some basic statistics on the number of bots.

Network communications between the command and control server and the bot may be encrypted. Beneath the encryption, the information is exchanged in XML format. The bot also stores an encrypted copy of the internal configuration in a similar layout, as follows:

<?xml version="1.0" encoding="windows-1251"?>
<bkernel>
  <servers>
    <server>
      <type>http</type>
      <addr>hxxp://<removed>.215.2.7/company/contacts.php</addr>
    </server>
  </servers>
  <cmds>
  </cmds>
  <http_key>17635454375409656991655428185564513</http_key>
  <sleepfreq>600</sleepfreq>
  <build_id>2707</build_id>
</bkernel>
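To triage a decrypted configuration in this layout, the following added Python example (not MMPC tooling; it uses a constructed sample with an RFC 5737 documentation address instead of a real command and control host) parses the fields shown above and pulls out the hosts for blocklisting or log matching:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the layout shown above (203.0.113.7 is an RFC 5737 test address).
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="windows-1251"?>
<bkernel>
  <servers>
    <server>
      <type>http</type>
      <addr>hxxp://203.0.113.7/company/contacts.php</addr>
    </server>
  </servers>
  <cmds>
  </cmds>
  <http_key>17635454375409656991655428185564513</http_key>
  <sleepfreq>600</sleepfreq>
  <build_id>2707</build_id>
</bkernel>"""

def _text(el, name):
    """Text of the first child <name>, or "" when absent."""
    return (el.findtext(name) or "").strip()

def parse_bkernel(config_bytes):
    """Parse a decrypted <bkernel> config into a dict of its fields."""
    # Pass bytes so the declared encoding (windows-1251) is honoured.
    root = ET.fromstring(config_bytes)
    if root.tag != "bkernel":
        raise ValueError("not a bkernel configuration: root is <%s>" % root.tag)
    cmds = root.find("cmds")
    sleep = _text(root, "sleepfreq")
    return {
        "servers": [{"type": _text(s, "type"), "addr": _text(s, "addr")}
                    for s in root.iterfind("servers/server")],
        "cmds": [c.tag for c in cmds] if cmds is not None else [],
        "http_key": _text(root, "http_key"),
        "sleepfreq": int(sleep) if sleep.isdigit() else None,
        "build_id": _text(root, "build_id"),
    }

def c2_hosts(config):
    """Return the C2 hosts in order, refanging hxxp:// before URL parsing."""
    hosts = []
    for server in config["servers"]:
        url = server["addr"].replace("hxxp://", "http://", 1)
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts
```

The sleepfreq value (seconds between check-ins) is what turns a single host into a beaconing pattern worth alerting on in proxy logs.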

Examining the internal configuration from some of the most prevalent binaries from this year, the command and control hosts used are the following:


For additional details, you can read our Win32/Phdet family description.


Scott Molenkamp
-MMPC Melbourne