BlackEnergy botnet 0days

More information about the botnet kit is in the linked article. In short, there are well over 5000 modifications of the original kit. The kit is an interesting piece of technology; read the linked article for detailed information.

As for the command and control portion, it is poorly coded. There are plenty of SQL injections:

  • Within index.php, line 104, the country name is taken from tainted request data. On line 106 it is concatenated into a SQL statement, and on line 112 that statement is executed.
  • But why go to all that work? There is a much simpler SQL injection in index.php. On line 120 the ID parameter is read with whatever tainted input it carries, and one line below it is executed.
  • Or better yet, index.php's line 132: the opt parameter is read and executed as part of a query within the same line.

Hotness! There are other SQL injections within stat.php, but I leave those to the reader to exercise their static source code analysis prowess.
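The following is an added illustration, not code from the post or from the BlackEnergy kit. It sketches in Python with sqlite3 the defect pattern described above (a request parameter pasted straight into a SQL statement and executed) beside the parameterised form a maintainer would write, plus a strict numeric-id check of the kind a code reviewer or a WAF rule would look for. The table, column names, rows and the `id` parameter value are all constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for a C2 panel's bot table (not from the page).
SAMPLE_BOTS = [
    (1, "bot-a", "RU"),
    (2, "bot-b", "DE"),
    (3, "bot-c", "US"),
]

# Classic tautology used only to show the two query styles behaving differently.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Build an in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bots (id INTEGER, name TEXT, country TEXT)")
    conn.executemany("INSERT INTO bots VALUES (?, ?, ?)", SAMPLE_BOTS)
    return conn


def lookup_vulnerable(conn, bot_id):
    """The pattern the post describes: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, name, country FROM bots WHERE id = '" + bot_id + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, bot_id):
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT id, name, country FROM bots WHERE id = ?"
    return conn.execute(sql, (bot_id,)).fetchall()


def validate_id(raw):
    """Defence in depth: an id parameter must be a plain non-negative integer.

    Returns the integer, or None when the value contains anything else
    (quotes, spaces, comment markers, ...), which is also a useful
    signal to log when reviewing requests against a panel like this.
    """
    if isinstance(raw, str) and raw.isdigit():
        return int(raw)
    return None


if __name__ == "__main__":
    db = make_db()
    print("honest id, vulnerable:", lookup_vulnerable(db, "2"))
    print("honest id, hardened: ", lookup_hardened(db, "2"))
    print("tainted id, vulnerable:", lookup_vulnerable(db, TAUTOLOGY))  # every row
    print("tainted id, hardened: ", lookup_hardened(db, TAUTOLOGY))    # no rows
    print("validate_id:", validate_id("2"), validate_id(TAUTOLOGY))
```

The hardened lookup needs no knowledge of what the attacker might send: the bound parameter is compared as a value, so the tautology string simply matches no id. `validate_id` is the extra layer a reviewer would ask for on a numeric parameter, and rejecting non-digit input there also gives the operator a clean point at which to log and alert on tampering attempts.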

BlackEnergy's source code

Google hack to find instances