Stronger, Smarter Botnet Appears

Monday, February 11, 2013 @ 02:02 PM gHale

The Kelihos botnet keeps getting better and stronger: a new version has appeared that comes with a stronger ability to fight off sinkholing techniques and a feature that enables it to stay on infected machines for long periods to help avoid detection.

The botnet can hide the domains it uses for command-and-control and malware distribution.


This is the third time the Kelihos botnet has come back to life. The first two times security researchers were able to sinkhole the domains that Kelihos was using, effectively crippling the attackers’ ability to communicate with infected machines.

The first Kelihos botnet takedown in 2011 was a joint effort between Kaspersky Lab and Microsoft and the teams were able to reverse-engineer the communications protocol that the bots use. Kelihos, also known as Hlux, is a peer-to-peer botnet, meaning there is no central server or servers that spit out new commands for the bots.

The network relies on a complex system that governs which domains the bots contact in order to get new malware samples, instructions and other information. Researchers at FireEye and Deep End Research have been analyzing new samples of the malware used in the Kelihos network and said the botnet is back on the rise. Once the malicious code is on a machine, it calls out to a domain in Russia. The malware, known as Trojan Nap, then sets a specific parameter that will have the malware’s operation timeout after 10 minutes.

“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.
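The evasion described above only works because the sample's requested sleep time exceeds the sandbox's analysis window. The following added example (not FireEye's code) shows how an analysis pipeline can flag that pattern from an API-call trace: it totals the delays requested through Sleep/SleepEx and NtDelayExecution and compares them with the sandbox budget. The trace format, the sandbox window and the sample lines are constructed for illustration.

```python
"""Flag samples whose requested sleep time would outlast a sandbox window.

Added illustration; the trace format and values below are constructed.
NtDelayExecution takes a LARGE_INTEGER: a negative value is a relative
delay in 100-nanosecond units, a positive value is an absolute time.
"""
import re
from dataclasses import dataclass

# Constructed API trace in a hypothetical "Api(args)" line format.
TRACE = """\
CreateFileW("C:\\\\Users\\\\user\\\\a.tmp")
SleepEx(600000, 0)
NtDelayExecution(0, -6000000000)
Sleep(30)
connect(192.0.2.10:80)
"""

# Hypothetical analysis budget: five minutes.
SANDBOX_WINDOW_MS = 5 * 60 * 1000


@dataclass
class SleepEvent:
    api: str
    delay_ms: float


def parse_sleep_events(trace: str) -> list[SleepEvent]:
    """Extract every sleep-like call and normalise its delay to milliseconds."""
    events: list[SleepEvent] = []
    for line in trace.splitlines():
        m = re.match(r"(Sleep|SleepEx)\((\d+)", line)
        if m:
            events.append(SleepEvent(m.group(1), int(m.group(2))))
            continue
        m = re.match(r"NtDelayExecution\(\d+,\s*(-?\d+)\)", line)
        if m:
            interval = int(m.group(1))
            if interval < 0:
                # Relative delay: 100 ns units -> milliseconds.
                events.append(SleepEvent("NtDelayExecution", -interval / 10_000))
            # Absolute times cannot be evaluated without the sample's clock;
            # a real sandbox would resolve them against its own time instead.
    return events


def total_sleep_ms(trace: str) -> float:
    return sum(e.delay_ms for e in parse_sleep_events(trace))


def evades_sandbox(trace: str, window_ms: int = SANDBOX_WINDOW_MS) -> bool:
    """True when the sample asks to sleep longer than the analysis window."""
    return total_sleep_ms(trace) > window_ms


if __name__ == "__main__":
    for ev in parse_sleep_events(TRACE):
        print(f"{ev.api:<18} {ev.delay_ms:>12.0f} ms")
    print("total:", total_sleep_ms(TRACE), "ms; evades:", evades_sandbox(TRACE))
```

A sandbox that sees this verdict can extend its window, or, as many do, shorten the requested delays at the hooking layer so the behaviour after the sleep is still captured; the total is the signal that either action is needed.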

Kaspersky Lab researchers have been analyzing the malware and the botnet’s structure and found that around midday on Monday there were more than 8,500 unique IP addresses behind one of the Russian domains used by the Kelihos botnet for fast-flux operations. That number isn’t exact, though, as there could be many IPs behind NAT devices.

The malware performs a variety of different functions, including stealing passwords saved in browsers, sending spam, stealing passwords from various FTP applications and stealing Bitcoin data. The domains used in the operation are in Russia, and they resolve to a variety of different IP addresses each time a bot connects.

“The two domains, ‘’ and ‘,’ appear to be a part of the fast flux network. Normally, fast flux networks are used when the attacker wants to be extra careful to hide their identity. In contrast to a typical fast flux setup where multiple IPs are returned in a DNS response, this one returns a single IP, which looks like another attempt to appear normal,” the FireEye researchers said.

“After the first execution the downloaded code resets the permission to hide itself and opens high TCP ports for listening. Some of the ports that we have observed are 49163, 49172, and 49175. It then communicates to the external domains.”
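The single-IP fast-flux variant described above defeats detectors that only look at how many addresses one DNS response carries. The added example below (not FireEye's or Kaspersky's tooling) instead tracks, per domain, how many distinct addresses are returned across successive lookups and how short the TTLs are, which catches both the classic multi-answer setup and the one-address-per-response form. The log format, domain names and addresses are constructed.

```python
"""Heuristic fast-flux detector over passive-DNS style resolution records.

Added illustration; the log format, domains and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed resolution log: timestamp, domain, TTL, answer addresses.
DNS_LOG = """\
2013-02-11T12:00:01 ff-example.test ttl=60 a=203.0.113.10
2013-02-11T12:01:05 ff-example.test ttl=60 a=198.51.100.23
2013-02-11T12:02:10 ff-example.test ttl=60 a=192.0.2.77
2013-02-11T12:03:15 ff-example.test ttl=60 a=203.0.113.44
2013-02-11T12:00:03 cdn-example.test ttl=30 a=192.0.2.1,192.0.2.2
2013-02-11T12:01:07 cdn-example.test ttl=30 a=192.0.2.2,192.0.2.1
2013-02-11T12:00:05 static-example.test ttl=86400 a=198.51.100.5
2013-02-11T12:30:05 static-example.test ttl=86400 a=198.51.100.5
"""


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)
    ttls: list = field(default_factory=list)
    answers_per_response: list = field(default_factory=list)


def parse_dns_log(text: str) -> dict[str, DomainStats]:
    """Aggregate answers per domain across all observed responses."""
    stats: dict[str, DomainStats] = defaultdict(DomainStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, domain, ttl_field, a_field = line.split()
        ttl = int(ttl_field.removeprefix("ttl="))
        ips = a_field.removeprefix("a=").split(",")
        s = stats[domain]
        s.ips.update(ips)
        s.ttls.append(ttl)
        s.answers_per_response.append(len(ips))
    return dict(stats)


def flux_candidates(stats: dict[str, DomainStats],
                    min_distinct_ips: int = 3,
                    max_ttl: int = 300) -> dict[str, dict]:
    """Flag domains whose answers rotate through many addresses with short TTLs.

    The check is on the union of addresses over time, so a domain that
    returns one address per response but a different one each time is
    still flagged.
    """
    out: dict[str, dict] = {}
    for domain, s in stats.items():
        if len(s.ips) >= min_distinct_ips and max(s.ttls) <= max_ttl:
            out[domain] = {
                "distinct_ips": len(s.ips),
                "max_ttl": max(s.ttls),
                "single_ip_answers": all(n == 1 for n in s.answers_per_response),
            }
    return out


if __name__ == "__main__":
    for domain, info in flux_candidates(parse_dns_log(DNS_LOG)).items():
        print(domain, info)
```

The thresholds are deliberately simple; in practice legitimate CDNs also rotate addresses with low TTLs, so a production detector would add address diversity across networks or autonomous systems and the age of the domain before raising an alert.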

This iteration of the Kelihos botnet is a new version of the network and not a case of the older infrastructure coming back to life. There was a second version of Kelihos that emerged last year, a few months after the first takedown operation. The second takedown of Kelihos occurred in March.
