Kelihos botnet

Last updated

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins. [1]

Contents

History

The Kelihos botnet was first discovered around December 2010. [2] Researchers originally suspected having found a new version of either the Storm or Waledac botnet, due to similarities in the modus operandi and source code of the bot, [3] [4] but analysis of the botnet showed it was instead a new, 45,000-infected-computer-strong, botnet that was capable of sending an estimated 4 billion spam messages a day. [5] [6] In September 2011 [7] Microsoft took down the botnet in an operation codenamed "Operation b79". [5] [8] At the same time, Microsoft filed civil charges against Dominique Alexander Piatti, dotFREE Group SRO and 22 John Doe defendants for suspected involvement in the botnet for issuing 3,700 subdomains that were used by the botnet. [8] [9] These charges were later dropped when Microsoft determined that the named defendants did not intentionally aid the botnet controllers. [10] [11]

In January 2012 a new version of the botnet was discovered, one sometimes referred to as Kelihos.b or Version 2, [1] [6] [7] consisting of an estimated 110,000 infected computers. [1] [12] During this same month Microsoft pressed charges against Russian citizen Andrey Sabelnikov, a former IT security professional, for being the alleged creator of the Kelihos Botnet sourcecode. [11] [13] [14] The second version of the botnet itself was shut down by it in March 2012 by several privately owned firms by sinkholing it – a technique which gave the companies control over the botnet while cutting off the original controllers. [2] [15]

Following the shutdown of the second version of the botnet, a new version surfaced as early as 2 April, though there is some disagreement between research groups whether the botnet is simply the remnants of the disabled Version 2 botnet, or a new version altogether. [16] [17] This version of the botnet currently consists of an estimated 70,000 infected computers. The Kelihos.c version mostly infects computers through Facebook by sending users of the website malicious download links. Once clicked, a Trojan horse named Fifesoc is downloaded, which turns the computer into a zombie, which is part of the botnet. [18]

On 24 November 2015 a Kelihos botnet event occurred causing widespread false positives of blacklisted IPs:

″November 24, 2015 Widespread false positives

Earlier today, a very large scale Kelihos botnet event occurred - by large scale, many email installations will be seeing in excess of 20% kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn't an unusual thing normally, the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.

The email was allegedly from the US Federal Reserve, saying something about restrictions in "U.S. Federal Wire and ACH online payments." Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza or Dridex malware.

The detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error.″ [19]

An affidavit unsealed on 5 February 2018, showed Apple's unexpected role in bringing the Russian spam king to justice. Peter Levashov allegedly ran the Kelihos botnet under the alias "Severa", renting out access to spammers and other cybercriminals. But despite Levashov's significant efforts at anonymity, court records show that federal agents had been surveilling his iCloud account since 20 May 2016, funneling back crucial information that may have led to his arrest. The standing federal iCloud warrant would have given authorities a running tab of IP addresses used to log in to the account, which could easily have tipped them off to his vacation in Barcelona, Spain, and was arrested at the request of US law enforcement and extradited to the United States for prosecution. [20]

Structure, operations and spread

The Kelihos botnet is a so-called peer-to-peer botnet, where individual botnet nodes are capable of acting as command-and-control servers for the entire botnet. In traditional non-peer-to-peer botnets, all the nodes receive their instructions and "work" from a limited set of servers – if these servers are removed or taken down, the botnet will no longer receive instructions and will therefore effectively shut down. [21] Peer-to-peer botnets seek to mitigate that risk by allowing every peer to send instructions to the entire botnet, thus making it more difficult to shut down. [2]

The first version of the botnet was mainly involved in denial-of-service attacks and email spam, while version two of the botnet added the ability to steal Bitcoin wallets, as well as a program used to mine bitcoins itself. [2] [22] Its spam capacity allows the botnet to spread itself by sending malware links to users in order to infect them with a Trojan horse, though later versions mostly propagate over social network sites, in particular through Facebook. [16] [23] A more comprehensive list of the Kelihos spam can be found in the following research paper. [24]

U.S. v. Levashov Search Warrant (Unsealed) 370818138-US-v-Levashov-indictment.pdf
U.S. v. Levashov Search Warrant (Unsealed)

Arrest and extradition

On 2 February 2018, the United States Department of Justice announced that a Russian national has been extradited from Spain and will be arraigned in Connecticut on charges stemming from his alleged operation of the Kelihos botnet. Peter Yuryevich Levashov, 37, also known as Pyotr Levashov, [25] Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, was detained on 7 April 2017 in Barcelona, when he was arrested by Spanish authorities based upon a criminal complaint and arrest warrant issued in the United States District of Connecticut. [26] On 3 February 2018, he pleaded not guilty to the charges of wire and email fraud, hacking, identity theft and conspiracy after appearing before a federal judge in the U.S. state of Connecticut. He remains in detention. [25] In September 2018, Levashov pleaded guilty. [27]

See also

Related Research Articles

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

<span class="mw-page-title-main">Storm botnet</span> Computer botnet

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

The Rustock botnet was a botnet that operated from around 2006 until March 2011.

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's third largest botnet, responsible for 18% of worldwide spam traffic.

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

<span class="mw-page-title-main">Microsoft Digital Crimes Unit</span>

The Microsoft Digital Crimes Unit (DCU) is a Microsoft sponsored team of international legal and internet security experts employing the latest tools and technologies to stop or interfere with cyber crime and cyber threats. The Microsoft Digital Crimes Unit was assembled in 2008. In 2013, a Cybercrime center for the DCU was opened in Redmond, Washington. There are about 100 members of the DCU stationed just in Redmond, Washington at the original Cybercrime Center. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers. The DCU has international offices located in major cities such as: Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. The DCU's main focuses are child protection, copyright infringement and malware crimes. The DCU must work closely with law enforcement to ensure the perpetrators are punished to the full extent of the law. The DCU has taken down many major botnets such as the Citadel, Rustock, and Zeus. Around the world malware has cost users about $113 billion and the DCU's jobs is to shut them down in accordance with the law.

<span class="mw-page-title-main">Locky</span>

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information. The Web site contain instructions that demand a payment of between 0.5 and 1 bitcoin. Since the criminals possess the private key and the remote servers are controlled by them, the victims are motivated to pay to decrypt their files.

<span class="mw-page-title-main">Peter Levashov</span> Russian spammer and virus creator (born 1980)

Peter Levashov is a Russian spammer and virus creator. He was described by The Spamhaus Project as one of the longest functioning criminal spam operators on the internet. In July 2021, a US federal judge overruled government recommendations for a 12 to 14.5 year prison sentence, giving a sentence instead of time served, with three years of supervision. Levashov remains in the US, having started a business called SeveraDAO.

Trickbot is computer malware, a trojan for the Microsoft Windows and other operating systems, and the cybercrime group behind this. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem. The Trickbot cybercrime organization is large and well-organized, with possible connections to Russian intelligence agencies.

<span class="mw-page-title-main">Cryptojacking</span> Hijacking computers to mine currency

Cryptojacking is the act of hijacking a computer to mine cryptocurrencies against the user's will, through websites, or while the user is unaware. One notable piece of software used for cryptojacking was Coinhive, which was used in over two-thirds of cryptojacks before its March 2019 shutdown. The cryptocurrencies mined the most often are privacy coins—coins with hidden transaction histories—such as Monero and Zcash.

References

  1. 1 2 3 Mills, Elinor (28 March 2012). "110,000 PC-strong Kelihos botnet sidelined". CNET . Retrieved 28 April 2012.
  2. 1 2 3 4 Ortloff, Stefan (28 March 2012). "FAQ: Disabling the new Hlux/Kelihos Botnet". Securelist.com . Retrieved 19 May 2020.
  3. Adair, Steven (30 December 2010). "New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?". Shadowserver. Retrieved 28 April 2012.
  4. Donohue, Brian (29 March 2012). "Kelihos Returns: Same Botnet or New Version?". Threatpost. Archived from the original on 4 April 2012. Retrieved 28 April 2012.
  5. 1 2 Mills, Elinor (27 September 2011). "Microsoft halts another botnet: Kelihos". CNet . Retrieved 28 April 2012.
  6. 1 2 Kirk, Jeremy (1 February 2012). "Kelihos botnet, once crippled, now gaining strength". Network World . Archived from the original on 5 September 2012. Retrieved 28 April 2012.
  7. 1 2 Constantin, Lucian (28 March 2012). "Security Firms Disable the Second Kelihos Botnet". PCWorld . Retrieved 28 April 2012.
  8. 1 2 Boscovich, Richard (27 September 2011). "Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case". Microsoft TechNet . Retrieved 28 April 2012.
  9. Microsoft (26 September 2011). "Operation b79 (Kelihos) and Additional MSRT September Release". Microsoft Technet . Retrieved 28 April 2012.
  10. Latif, Lawrence (27 October 2011). "Microsoft drops Kelihos botnet allegations against ISP owner". The Inquirer . Archived from the original on 30 October 2011. Retrieved 28 April 2012.{{cite web}}: CS1 maint: unfit URL (link)
  11. 1 2 Gonsalves, Antone (24 January 2012). "Microsoft Says Ex-Antivirus Maker Ran Botnet". CRN Magazine . Retrieved 28 April 2012.
  12. Warren, Tom (29 March 2012). "Second Kelihos botnet downed, 116,000 machines freed". The Verge . Retrieved 28 April 2012.
  13. Brewster, Tom (24 January 2012). "Microsoft suspects ex-antivirus worker of Kelihos botnet creation". IT PRO. Retrieved 28 April 2012.
  14. Keizer, Gregg (24 January 2012). "Accused Kelihos botnet maker worked for two security firms | ITworld". ITworld . Retrieved 28 April 2012.
  15. Donohue, Brian (28 March 2012). "Kaspersky Knocks Down Kelihos Botnet Again, But Expects Return". ThreatPost. Archived from the original on 12 April 2012. Retrieved 28 April 2012.
  16. 1 2 Raywood, Dan (2 April 2012). "CrowdStrike researchers deny that Kelihos has spawned a new version – SC Magazine UK". SC Magazine . Retrieved 29 April 2012.
  17. Leyden, John (29 March 2012). "Kelihos zombies erupt from mass graves after botnet massacre". The Register . Retrieved 28 April 2012.
  18. SPAMfighter News (13 April 2012). "Kelihos Botnet Re-emerges, This Time Attacking Social Networks". SPAMfighter. Retrieved 28 April 2012.
  19. http://www.abuseat.org [ full citation needed ]
  20. "Feds tracked down Russian spam kingpin with help from his iCloud account". The Verge. Retrieved 6 February 2018.
  21. Grizzard, Julian; David Dagon; Vikram Sharma; Chris Nunnery; Brent ByungHoon Kang (3 April 2007). "Peer-to-Peer Botnets: Overview and Case Study". The Johns Hopkins University Applied Physics Laboratory . Retrieved 28 April 2012.
  22. SPAMfighter (5 April 2012). "Security Companies Take Down Kelihos Botnet of Version 2". SPAMfighter. Retrieved 28 April 2012.
  23. Jorgenson, Petra (6 April 2012). "Kelihos Botnet Could Resurge via Facebook Worm". Midsize Insider. Retrieved 29 April 2012.
  24. Arora, Arsh; Gannon, Max; Warner, Gary (15 May 2017). "Kelihos Botnet: A Never-Ending Saga". Annual ADFSL Conference on Digital Forensics, Security and Law.
  25. 1 2 "Russian accused of running spam network extradited to US". Deutsche Welle . 3 February 2018. Retrieved 2 April 2019.
  26. "Alleged Operator of Kelihos Botnet Extradited From Spain". www.justice.gov. 2 February 2018. Retrieved 3 February 2018.
  27. Farivar, Cyrus (13 September 2018). "Russian man pleads guilty, admits he ran notorious Kelihos botnet". ArsTechnica . Retrieved 2 April 2019.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.