elf.mrblack


MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux systems and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack, which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, most notably Thailand and Brazil.

MrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.

2015-12-03, 360 Internet Security Center, Ya Liu
Automatically Classifying Unknown Bots by The REGISTER Messages
Families: Dofloo, MrBlack, XOR DDoS, DarkShell

2014-05-15, Dr.Web, Dr. Web
DDoS Trojans attack Linux

There is no Yara-Signature yet.