Botnet Back and Thriving

Wednesday, December 12, 2012 @ 02:12 PM gHale


Last year’s takedown of Kelihos was one of Microsoft’s high-profile security success stories, but the botnet is back this year using dynamic fast-flux techniques to avoid detection and further shutdowns.

As this year winds down, Kelihos is still going strong, now relying on double fast-flux domains to spread spam and malware. Kelihos has also switched top-level domains, moving to .ru from .eu, according to an analysis from a researcher at abuse.ch. Adding more intensity to the botnet, is it can now spread via removable drives such as USB storage devices.

RELATED STORIES
Botnet Hides on Tor Network
New Attacks from ‘Gameover’ Gang
Nitol Botnet Shares China Code
Cloud Ripe for Botnet Attacks

Once this latest update of Kelihos infects a computer, it connects with a .ru domain hosting its command and control looking for updates. The .ru domain is double fast-flux hosted, said the abuse.ch who preferred anonymity. Once an updated version of Kelihos goes to the infected machine, it will infect any removable drives attached to the computer by exploiting the same vulnerability as Stuxnet. CVE-2010-2568 is a Windows Shell vulnerability that would give an attacker remote access via a malicious .LNK or .PIF shortcut file not properly handled by Windows Explorer during icon display. Researchers found malware exploiting this vulnerability and CVE-2010-2772 in Siemens WinCC SCADA systems in July 2010.

The switch to .ru domains happened during the summer, according to the report, and the attackers have a lengthy list of sites from which to send new binaries updating the botnet, all registered to REGGI-RU, a registrar in Russia. The botnet operators, however, are using a registrar in the Bahamas to register the name server domains providing DNS resolution to the Russian domains hosting malware, the site said.

“Kelihos is not easy to shut down since it is using double FastFlux for their malware distribution domains and rely on P2P techniques for botnet communication. So there is no central botnet infrastructure,” the researcher said. “By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate.”

Kelihos boasts up to 150,000 spambots per day, the same level of activity as the Cutwail botnet, just found to be spamming out the Gameover variant of the Zeus Trojan.



Leave a Reply

You must be logged in to post a comment.