Slashdot Mirror


Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com)

itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.

3 of 50 comments

  1. Installs itself through SndVol.exe by xxxJonBoyxxx · Score: 5, Informative

    This thing is actually pretty neat. It installs itself when SndVol.exe runs because there's a backwards-compatibility thing in Windows that elevates that "safe" executable (around UAC), and SndVol.exe is then used to execute the "arbitrary code" that gets the ball rolling.
    (https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf - Page 8)
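    The parent/child relationship the comment above describes (SndVol.exe being used to launch the dropper's code) is something a defender can hunt for in process-creation telemetry. The block below is an added example written for this page; it is not code from the thread, from ESET, or from the F-Secure paper. The log lines are constructed for the example, the column layout is an assumption rather than a real Sysmon or EDR export, and the baseline that SndVol.exe never legitimately spawns children is my assumption.

```python
"""Added example: flag process-creation events whose parent is SndVol.exe.

The CSV layout (time, parent_image, image, integrity) is an assumed,
simplified format; real Sysmon Event ID 1 records carry equivalent
ParentImage / Image / IntegrityLevel fields.
"""
import csv
import io
from typing import Dict, List

# Constructed sample log for the example (not captured from a real host).
SAMPLE_LOG = """\
time,parent_image,image,integrity
2015-12-23T10:00:01Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\SndVol.exe,Medium
2015-12-23T10:00:02Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,Medium
2015-12-23T10:03:15Z,C:\\Windows\\System32\\SndVol.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe,High
2015-12-23T10:03:16Z,C:\\Windows\\System32\\SndVol.exe,C:\\Windows\\System32\\rundll32.exe,High
2015-12-23T10:05:00Z,C:\\Windows\\System32\\services.exe,C:\\Windows\\System32\\svchost.exe,System
"""

ELEVATED = ("High", "System")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the assumed CSV log format into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_sndvol_children(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event whose parent process is SndVol.exe.

    Assumption used as the detection baseline: SndVol.exe is a volume-mixer
    UI started from the taskbar and has no legitimate reason to create child
    processes, so any child is worth a look; an elevated child even more so.
    """
    hits = []
    for ev in events:
        if basename(ev["parent_image"]) != "sndvol.exe":
            continue
        reason = "child of SndVol.exe"
        if ev["integrity"] in ELEVATED:
            reason += ", child is elevated"
        hits.append({
            "time": ev["time"],
            "child": ev["image"],
            "integrity": ev["integrity"],
            "reason": reason,
        })
    return hits


if __name__ == "__main__":
    for hit in find_sndvol_children(parse_events(SAMPLE_LOG)):
        print(hit)
```

    On a real estate the same logic maps onto Sysmon Event ID 1 (ParentImage, Image, IntegrityLevel); tune the baseline against your own telemetry before alerting on it.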

  2. Dropbear by gb7djk · Score: 3, Informative

    Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small open-source sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

  3. Grammatical ambiguity [Re:Dropbear] by XXongo · Score: 3, Informative

    Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small open-source sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

    The sentence from the article was "Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear."

    This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

    That is, it's not clear whether the SSH server is called Dropbear, and it has been backdoored, or whether it is the backdoored version that is called Dropbear.