Unsigned malware, less able to infect modern Windows

Jun 14, 2014 13:17 GMT

Recently, a sample of the BlackEnergy Trojan was uploaded to Google’s VirusTotal service, which offers free scanning of files by multiple antivirus engines.

It is a modification of the earlier threat which, according to F-Secure, has moved away from rootkit behaviour, since it no longer hides files or registry entries; however, the analyzed sample does contain dormant routines for hiding processes.

These rely on direct kernel object manipulation (DKOM), a method used by rootkits to conceal malicious processes, drivers or files from the operating system’s own bookkeeping.

This is also the reason the “malware keeps a hard coded list of offsets in kernel structures”: the layout of those structures differs between Windows builds, so the code needs a per-build table in order to run on several of them.
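The classic way to expose a process hidden by DKOM is cross-view detection: enumerate objects from two independent sources (the kernel’s linked process list, which the rootkit tampers with, and a scan of allocated memory, which it cannot easily fake) and report anything present in one view but not the other. The following is an added, self-contained Python model of that check; it is not F-Secure’s or the malware’s code, and the process names, PIDs and list layout are constructed sample data rather than anything observed on a real system.

```python
"""Cross-view detection of a process hidden by DKOM-style list unlinking.

Toy model: process objects live in a flat allocation pool (what a memory
forensics pool scan would enumerate) and are normally also linked into a
circular doubly-linked "active process" list (what the OS walks to answer
"which processes are running"). An object whose neighbours no longer point
to it vanishes from the list walk but not from the pool scan. All objects
below are constructed sample data for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcessObject:
    """Stand-in for a kernel process structure with its list-link pointers."""
    pid: int
    name: str
    flink: Optional["ProcessObject"] = field(default=None, repr=False)
    blink: Optional["ProcessObject"] = field(default=None, repr=False)


def build_active_list(procs: List[ProcessObject]) -> ProcessObject:
    """Link the objects into a circular doubly-linked list; return the head."""
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % len(procs)]
        p.blink = procs[(i - 1) % len(procs)]
    return procs[0]


def walk_active_list(head: ProcessObject, limit: int = 10_000) -> List[ProcessObject]:
    """The 'API view': follow flink pointers from the head until the list wraps.

    The limit guards against a cycle that never returns to the head.
    """
    seen, cur = [], head
    while cur is not None and len(seen) < limit:
        seen.append(cur)
        cur = cur.flink
        if cur is head:
            break
    return seen


def cross_view_hidden(pool: List[ProcessObject], head: ProcessObject) -> List[ProcessObject]:
    """Return objects found by the pool scan but missing from the list walk."""
    visible = {id(p) for p in walk_active_list(head)}
    return [p for p in pool if id(p) not in visible]


def link_consistency_errors(pool: List[ProcessObject]) -> List[ProcessObject]:
    """Flag objects whose forward neighbour does not point back at them.

    An intact list satisfies p.flink.blink is p for every member; an object
    that was cut out of the list still points at its old neighbours, but they
    no longer point back, so this check catches it without a second view.
    """
    return [p for p in pool if p.flink is not None and p.flink.blink is not p]


def build_scenario():
    """Constructed sample: four linked processes plus one that is not linked."""
    linked = [
        ProcessObject(4, "System"),
        ProcessObject(600, "csrss.exe"),
        ProcessObject(1120, "explorer.exe"),
        ProcessObject(2040, "notepad.exe"),
    ]
    head = build_active_list(linked)
    # Exists in memory and still references the list, but no member of the
    # list references it, which is exactly what a list walk cannot see.
    hidden = ProcessObject(3172, "sample.exe", flink=linked[3], blink=linked[2])
    return linked + [hidden], head


if __name__ == "__main__":
    pool, head = build_scenario()
    print("list walk  :", [p.name for p in walk_active_list(head)])
    print("pool scan  :", [p.name for p in pool])
    print("hidden     :", [p.name for p in cross_view_hidden(pool, head)])
    print("bad links  :", [p.name for p in link_consistency_errors(pool)])
```

Real tools apply the same idea to live memory or a memory image: the pool-scan side has to carve process structures by signature rather than by trusting pointers, which is also why a rootkit that depends on hard-coded structure offsets is brittle across builds while a scanner that validates fields is not.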

According to the report from F-Secure, the Trojan has been adapted to support the latest versions of the Windows operating system, 8 and 8.1.

Created by a Russian hacker, the BlackEnergy malware was reported to have been used in cyber attacks against Georgia (the country) back in 2008.

There is no information on whether the threat is circulating in the wild, but since the sample has been submitted to VirusTotal, there is a good chance that antivirus vendors have already prepared detection and disinfection routines.

Furthermore, the sample is not signed, which makes infecting a system harder because of the driver signature verification mechanism in modern Windows. However, if that operating system feature is disabled, attackers can take over the computer through BlackEnergy.
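Since the protection described above only helps while it is switched on, a defender’s first check is whether the boot configuration has weakened it. The following added Python script (not part of the article or of F-Secure’s analysis) parses the text that `bcdedit /enum {current}` prints on Windows and flags the two boot options that allow unsigned or test-signed kernel drivers to load. The embedded output is constructed for the example; a machine with enforcement intact would show those options absent or set to `No`.

```python
"""Report boot options that weaken Windows driver signature enforcement.

Parses the output of `bcdedit /enum {current}` (run from an elevated prompt
on Windows) and lists options that let non-production-signed drivers load.
SAMPLE_OUTPUT is constructed for this example, not captured from a real host.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Boot options that relax kernel-mode code signing, with a short explanation.
RISKY_OPTIONS = {
    "testsigning": "test-signing mode: test-signed drivers are allowed to load",
    "nointegritychecks": "kernel-mode code integrity checks are disabled",
}

# Constructed sample of what bcdedit prints; a hardened machine would not
# show the two risky lines (or would show them as "No").
SAMPLE_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 8.1
locale                  en-US
testsigning             Yes
nointegritychecks       Yes
osdevice                partition=C:
systemroot              \\Windows
"""


def parse_bcd_entry(text: str) -> Dict[str, str]:
    """Return {option_name_lowercase: value} for one bcdedit entry.

    bcdedit separates the option name from its value with a run of spaces,
    so a single-space title such as "Windows Boot Loader" is skipped.
    """
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+)\s{2,}(.+?)\s*$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2)
    return opts


def weakened_options(opts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (option, explanation) pairs for every risky option set to Yes."""
    return [
        (name, why)
        for name, why in RISKY_OPTIONS.items()
        if opts.get(name, "").strip().lower() == "yes"
    ]


def read_live_bcd() -> str:
    """Fetch the real boot entry on Windows (needs an elevated prompt)."""
    result = subprocess.run(
        ["bcdedit", "/enum", "{current}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for read_live_bcd() to check the machine you are on.
    findings = weakened_options(parse_bcd_entry(SAMPLE_OUTPUT))
    if not findings:
        print("driver signature enforcement: no weakening boot options found")
    for name, why in findings:
        print(f"WARNING {name}=Yes: {why}")
```

Either finding means an unsigned kernel driver of the kind described here could be loaded at the next boot, so it belongs in a baseline check alongside the more familiar review of which drivers are actually installed.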