The latest threat of this kind has been discovered by researchers at the Electronic Frontier Foundation (EFF): "New Malware Targeting Syrian Activists Uses Blackshades Commercial Trojan.": https://www.eff.org/deeplinks/2012/07/new-blackshades-malware
On this occasion Trojan Blackshades were modified to record audio conversations captured by microphone from the infected computer without victims realized about it. Besides Trojan capture webcam images from user’s computer camera.
In recent war combat episodes has been seen the massive use of Internet as a weapon of Cyberwar, both to sabotage enemy systems, as well as communication system between armies and of course for information theft and spy the enemy.
In this time Trojan botkit BLACKSHADE has been used to intercept communications of Syrian activists. The country has full control of telecommunications and many of the activists they come from foreign countries and Internet is an essential way to communicate with far away relatives and coordinate tactics combat operations
So infect a single computer by a Trojan is a valuable asset to identify activists and their actions with the data captured by the Trojan, due the lack of Internet connections in the country, each computer is used by many of users getting a very high impact on recollection of information and data about movement of activists
Blackshade is a remote administration tool (RAT) used to control and command remotely infected computers with a fairly wide range of commands that can be launched against zombie computers.
This paper will detail about Trojan Blackshade knowledge and behavior
The structure of the blackshades botnet kit is the next:
Once victim's computer is infected by the malware, Trojan will communicate with the server that control full network Botnet using the following connection string:
Each botnet network has a secret password key to identify their computers zombies belonging to their network to prevent bots hickjacking by another criminal groups.
Here is an example of BlackShade connection string used to communicate with a Control panel which is inactive in this moment:
The login screen to access botnets Blackshade control panel is showed at picture below:
The control panel on domain laidojimopaslaugos.com were operative at the time of the report. Words "laidojimo paslaugos" means "funerary services" in Lithuanian language.
When access to the control panel has been authorized it shows a screen with statistical data from infected computers at that time
The administration panel of network botnet has several options in its menu. Panel Control Is able to launch commands on infected machines to order different actions as seen in the screen capture:
There are a variety of commands that allow almost full control on the compromised machines. These commands are:
Keylog - Searches for a keyword by a given text from the field 'Data'.
Passwords - Collects passwords from bots.
Screen capture - Collects screen captures from bots.
Webcam capture - Collects webcam captures from bots.
Botkiller - Removes external malware from your bots system.
Spreader - Add contact (MSN) - Adds a contact given in the field 'Data'
Spreader - Mass message (MSN) - Sends a message to bots contacts, given in the field 'Data'
Spreader - Torrent Seed - Downloads and starts seeding a given torrent from an URL given in the field 'Data'
Spreader - Facebook - Post a message on bots walls given in the field 'Data'
Download and execute - Downloads the given file in the field 'Data', then executes it.
Email grabber - Grabs any found emails and saves them to logs.
Update - Downloads the given file in the field 'Data', then executes it and removes the current bot.
Uninstall - Removes the bot completely.
Images captured from the webcam are stored in the path hxxp :/ / HOST_PANEL_CONTROL / WEBCAM / without the user realize that they are being recorded from the webcam as seen in this captures:
Passwords captured with the command keylog can be displayed in the option menu “passwords”:
As the list of logs captured from victims and stored in Control Panel.
This list is configured by the URL:
List of URLs and domains that are configured by default to capture confidential data from users when they access them is showed below:
Most of this sites that criminals are interested on are content files distribution sites like MegaUpload , e-commerce Webs and social networks sites.
Online Internet Marketing:http://forums.digitalpoint.com
Black Hat SEO Forum:http://blackhatworld.com
Unlimited free file storage:http://megashare.com
World of Warcraft:http://us.battle.net
EA Video Games:http://ea.com
Bank of America:http://bankofamerica.com
Fifth Third Bank:http://53.com
League of Legends LoL:http://leagueoflegends.com
Bootkit has also a module to perform DoS attacks distributed service DDoS employing the machines zombies as attack vectors .
There is a big diffusion of blackshade panels that have been employed in the past. Currently are operational a few of them as shown in the following list of domains they had been installed the Control Panel:
hXXp://botziabotnet.com/bs/ IP 188.8.131.52
hXXp://exal.me/ IP 184.108.40.206
hXXp://tonkraw.com/ IP 220.127.116.11
hXXp://albanenergy.com/bots/ IP 18.104.22.168
hXXp://hwf.dk/ IP 22.214.171.124
hXXp://www.hackingftw.com/BS/ IP 126.96.36.199
hXXp://laidojimopaslaugos.com/ IP 188.8.131.52
hXXp://yosoyhumilde.com/movil/ IP 184.108.40.206
hXXp://damejopo.com/fbs/ IP 220.127.116.11