
What's the best defense against BlackEnergy malware?

The BlackEnergy malware has evolved from a DDoS launcher into a crimeware tool and then into a toolkit used in APT campaigns. Learn how it has changed and which defensive measures now apply for combating the threat.

The BlackEnergy malware tool has integrated new features that extend its reach and viability beyond basic DDoS attacks. Can you explain what these new capabilities do? Are there any new methods of defending against the threat?

Basic distributed denial-of-service attacks are easy money for a criminal, but as more on-demand DDoS-for-hire tools and services appear, competition drives the price down. Defenders also understand DDoS attacks better than they used to, and information security teams have learned to engage with their ISPs to respond properly when one hits.

To remain relevant, BlackEnergy, which started off as a DDoS launching tool, turned into a crimeware tool targeting Windows systems and added features that maintain its reach and viability. It has since been adopted in APT campaigns and expanded into something close to a complete remote access Trojan: the controller can search the file system, steal passwords, take screenshots, log keystrokes and steal certificates. BlackEnergy also developed a robust plug-in and module architecture that lets an attacker build custom attacks on top of the core functionality, much as the Metasploit project does for penetration testers. Most recently, ICS-CERT has linked the malware to a multi-year campaign against U.S. industrial control system networks.

Defending against the new functionality in BlackEnergy requires broader measures than just protecting against the original Windows-based malware. With the addition of a plug-in aimed at Cisco routers and Linux builds for MIPS- and ARM-based systems, defenses must cover routers, embedded devices and Linux servers as well as Windows endpoints. Those platforms are the ones most often left out of an enterprise's controls, so be sure they are included in the asset inventory, in secure configuration baselines (including periodic comparison of running router configurations against the approved baseline) and in rigorous patch management.

Defenses start with basic information security hygiene: keeping all software updated with the latest patches, using secure configurations, and requiring strong passwords and, where possible, multifactor authentication, which limits what an attacker gains from the passwords and keystrokes the malware steals. Defenses should also include the other security basics, particularly log and network monitoring: whatever plug-ins it carries, a remote access Trojan still has to talk to its controller, and regular outbound connections from a host to the same external endpoint are the kind of pattern monitoring should surface.
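As an added illustration of the monitoring point above (this is example code written for this column, not code from the article, from any BlackEnergy analysis or from any vendor product), the following script flags hosts that contact the same external endpoint at a near-constant interval, the generic beaconing behaviour of a remote access Trojan checking in with its controller. It deliberately uses no BlackEnergy-specific indicator; the proxy log format, the hostnames and the addresses are all constructed for the example.

```python
"""Periodic-beacon detector run over a constructed sample of proxy log lines.

Example code added for this column; it is not part of the original article
and uses no real BlackEnergy indicator. It flags the generic RAT behaviour of
a client calling the same host at a suspiciously regular interval.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Format (assumed for this example):
#   timestamp client method host path status bytes
# 10.0.1.25 calls update-check.example.net every ~300 seconds (a sleep loop);
# 10.0.1.40 is a person browsing with irregular gaps.
SAMPLE_PROXY_LOG = """\
2015-06-01T09:00:00 10.0.1.25 POST update-check.example.net /api/v1 200 512
2015-06-01T09:00:03 10.0.1.40 GET www.example.com /index.html 200 8192
2015-06-01T09:05:01 10.0.1.25 POST update-check.example.net /api/v1 200 498
2015-06-01T09:07:12 10.0.1.40 GET cdn.example.com /app.js 200 20480
2015-06-01T09:10:02 10.0.1.25 POST update-check.example.net /api/v1 200 503
2015-06-01T09:12:44 10.0.1.40 GET www.example.com /about.html 200 4096
2015-06-01T09:15:00 10.0.1.25 POST update-check.example.net /api/v1 200 511
2015-06-01T09:20:00 10.0.1.25 POST update-check.example.net /api/v1 200 507
2015-06-01T09:21:30 10.0.1.40 GET www.example.com /news.html 200 6144
"""


def parse_log(text):
    """Parse the constructed space-separated proxy format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "path": path,
            "status": int(status),
            "bytes": int(size),
        })
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Return [(client, host, mean_gap_seconds, hits)] for client/host pairs
    whose request timing is too regular to be a person clicking around.

    min_hits: require at least this many requests (min_hits - 1 gaps), so a
              pair seen once or twice is never flagged on too little data.
    max_cv:   coefficient of variation (stdev / mean) of the gaps; a sleep(300)
              loop scores near 0, human browsing is far noisier.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps; nothing periodic to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            findings.append((client, host, round(avg, 1), len(stamps)))
    return findings


if __name__ == "__main__":
    for client, host, gap, hits in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"possible beacon: {client} -> {host} every ~{gap}s ({hits} hits)")
```

In practice the thresholds want tuning against real traffic, and the detector is only as good as the logs it sees: the point of the paragraph above is that routers and Linux hosts must forward their logs too, or a beacon from a compromised router never reaches this kind of check. Legitimate software updaters also beacon, so the output is a triage list for the analyst to whitelist or investigate, not a verdict.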

Ask the Expert:
Perplexed about enterprise security? Send Nick Lewis your questions today. (All questions are anonymous.)


This was last published in June 2015
