Kelihos Archives | Gregory D. Evans

Posts Tagged ‘Kelihos’

Kelihos gang building a new botnet, researchers say

The cybercriminal gang that operated the recently disabled Kelihos botnet has already begun building a new botnet with the help of a Facebook worm, according to security researchers from Seculert.

Security experts from Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project announced that they took control of the 110,000-PC-strong Kelihos botnet earlier this week.

The researchers used a method called sinkholing, which involves infiltrating the botnet’s peer-to-peer (P2P) network with rogue clients and tricking the other peers into reporting back to command-and-control servers under the researchers’ control.

However, one day after the successful sinkholing operation was announced, malware experts from security firm Seculert reported that the Kelihos gang had already started building a new botnet.

The Kelihos gang pays the creators of a Facebook worm to install their Trojan horse on already infected computers. That worm has compromised over 70,000 Facebook accounts so far and is currently distributing a new version of the Kelihos Trojan, Seculert security researchers said yesterday.

However, the Kelihos gang can also leverage the Facebook worm to regain control of the Kelihos bots sinkholed by Kaspersky and its partners, since the worm is still installed on those machines. All it needs to do in order to bypass the sinkhole is pay the worm’s operators to reinfect those computers with the new Kelihos version, Seculert’s chief technology officer Aviv Raff said.

Sinkholing alone does not result in the complete takedown of botnets, because it doesn’t impact the cybercriminals that operate them or their distribution infrastructure, said Gunter Ollmann, vice president of research at security company Damballa.

“If you’re going to take down a botnet you have to take out the criminals at the top. It’s the only way,” Ollmann said. “In the case of P2P-based botnets, there’s very little infrastructure you can get your hands on — and you’ll probably end up having to issue commands to botnet victim devices — which is fraught with legal and ethical problems.”

Ollmann believes that a similar group of researchers will probably attempt to sinkhole the new Kelihos botnet in the future. He said that cybercriminals can easily escape from this virtual game of Whac-A-Mole by implementing domain generation algorithms as a backup strategy for updating their botnets.


Kelihos botnet mark II taken down by security firms

A group of malware experts from security companies Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project have worked together to disable the second version of the Kelihos botnet, which is significantly bigger than the one shut down by Microsoft and its partners in September 2011.

The Kelihos botnet, also known as Hlux, is considered the successor of the Waledac and Storm botnets. Like its predecessors, it has a peer-to-peer-like architecture and was primarily used for spam and launching DDoS (distributed denial-of-service) attacks.

In September 2011, a coalition of companies that included Microsoft, Kaspersky Lab, SurfNET and Kyrus Tech managed to take control of the original Kelihos botnet and disable its command-and-control infrastructure.

However, back in January, Kaspersky Lab researchers discovered a new version of the botnet, which had an improved communication protocol and the ability to mine and steal Bitcoins, a type of virtual currency.

Last week, after analysing the new botnet for the past several months, the new group of experts decided to launch a new takedown operation, said Stefan Ortloff of Kaspersky Lab yesterday.

Disabling botnets with a decentralised architecture like Kelihos is more complicated than simply taking over a few command-and-control servers, because the botnet clients are also able to exchange instructions among themselves.

In order to prevent the botnet’s authors from updating the botnet through the peer-to-peer infrastructure, the security companies had to set up rogue botnet clients around the world and use special techniques to trick all other infected machines into connecting only to servers operated by Kaspersky Lab. This is known as sinkholing, said CrowdStrike researcher Tillmann Werner.

110,000 infected hosts

Once the majority of the botnet clients connected to the sinkhole servers, the researchers realised that the second Kelihos botnet was significantly larger than the one taken down in September 2011. It has almost 110,000 infected hosts compared to the first botnet’s 40,000, said Kaspersky Lab’s Marco Preuss.

A quarter of the new Kelihos bots were located in Poland and 10% were in the US. The high concentration of bots in Poland suggests that the cybercriminal gang behind Kelihos paid other botnet operators to have their malware distributed on computers from a country with cheaper pay-per-install prices, Werner said.

The vast majority of Kelihos-infected computers — over 90,000 — run Windows XP. Around 10,000 run Windows 7 and 5,000 run Windows 7 with Service Pack 1.

Expect new Kelihos variant

Werner said that Microsoft was not involved in the new takedown operation, but was informed about it. During the September 2011 operation, the company’s role was to disable the domain names the Kelihos gang could have used to take back control of the botnet.

However, this type of action was no longer necessary, because this fallback communication channel is only used by the Kelihos bots if the primary peer-to-peer-based channel is disrupted, which doesn’t happen with sinkholing, Werner said.

Kaspersky will notify internet service providers about the Internet Protocol addresses on their networks that display Kelihos activity, so that they can contact the subscribers who own the infected machines. The sinkhole will be kept operational for as long as it is necessary, Preuss said.
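The two steps this article describes, rogue peers joining the P2P network until every infected host talks only to the researchers’ servers, and the sinkhole operator then grouping the hosts it has seen so that network operators can be notified, as an added toy simulation. It is not part of the original articles and not the tooling Kaspersky Lab or CrowdStrike used. Everything in it is a modelling assumption: bots keep a bounded peer list ranked by freshness and swap lists whenever they talk; sinkhole peers hand out only sinkhole addresses stamped as permanently fresh, so those entries are never evicted; the 10.x.y.z bot addresses and 192.0.2.x sinkhole addresses are constructed.

```python
"""Toy model of sinkholing a P2P botnet by peer-list poisoning.

Constructed teaching example, not Kelihos code and not the researchers'
tooling.  Assumed model: each bot keeps LIST_SIZE (address, last_seen)
entries, swaps lists with whichever peer it contacts and keeps the freshest
entries; sinkhole peers advertise only sinkhole addresses stamped as
infinitely fresh.  All addresses below are constructed sample values.
"""
import random
from collections import defaultdict

LIST_SIZE = 8                  # peer-list capacity per bot (assumed)
FRESH_FOREVER = float("inf")   # timestamp carried by sinkhole entries


class Node:
    def __init__(self, addr, is_sinkhole=False):
        self.addr = addr
        self.is_sinkhole = is_sinkhole
        self.peers = {}        # address -> last_seen timestamp

    def advertised(self):
        """Entries handed to the other side of a peer exchange."""
        return dict(self.peers)

    def merge(self, entries):
        """Union with advertised entries, then keep the LIST_SIZE freshest."""
        merged = dict(self.peers)
        for addr, ts in entries.items():
            if addr != self.addr and ts > merged.get(addr, -1):
                merged[addr] = ts
        ranked = sorted(merged.items(), key=lambda kv: (-kv[1], kv[0]))
        self.peers = dict(ranked[:LIST_SIZE])

    def fully_sinkholed(self, sinkhole_addrs):
        """True once every entry the bot knows points at a sinkhole."""
        return all(a in sinkhole_addrs for a in self.peers)


def build_network(rng, n_bots=200, n_sinkholes=10, seeded=8):
    """Random bot graph plus rogue sinkhole peers announced to a few bots."""
    sinkholes = {f"192.0.2.{k + 1}": Node(f"192.0.2.{k + 1}", True)
                 for k in range(n_sinkholes)}
    for s in sinkholes.values():
        s.peers = {a: FRESH_FOREVER for a in sinkholes}   # poisoned list
    bots = {}
    for i in range(n_bots):
        addr = f"10.{i % 3}.{i // 30}.{i % 30 + 1}"       # unique per i
        bots[addr] = Node(addr)
    addrs = list(bots)
    for bot in bots.values():
        others = [a for a in addrs if a != bot.addr]
        bot.peers = {a: 0 for a in rng.sample(others, LIST_SIZE)}
    # the rogue clients introduce a few of their addresses to some real bots
    intro = {a: FRESH_FOREVER for a in list(sinkholes)[:3]}
    for addr in rng.sample(addrs, seeded):
        bots[addr].merge(intro)
    return bots, sinkholes


def run(bots, sinkholes, rng, max_rounds=2000):
    """Gossip rounds until every bot has checked in and talks only to sinkholes."""
    nodes = {**bots, **sinkholes}
    sink_addrs = set(sinkholes)
    census = set()          # addresses the sinkhole has logged checking in
    for rnd in range(1, max_rounds + 1):
        for bot in bots.values():
            peer = nodes[rng.choice(list(bot.peers))]
            if peer.is_sinkhole:
                census.add(bot.addr)
            theirs, mine = peer.advertised(), bot.advertised()
            stamped = {peer.addr: rnd}      # contacted peer was reachable now
            stamped.update(theirs)          # the peer's own entries win
            bot.merge(stamped)
            if not peer.is_sinkhole:
                peer.merge({bot.addr: rnd, **mine})   # bot-to-bot is two-way
        if len(census) == len(bots) and all(
                b.fully_sinkholed(sink_addrs) for b in bots.values()):
            return rnd, census
    return None, census


def notifications(census):
    """Group sinkhole check-ins by /24 so each network operator gets one report."""
    by_net = defaultdict(list)
    for addr in census:
        by_net[addr.rsplit(".", 1)[0] + ".0/24"].append(addr)
    return {net: sorted(hosts) for net, hosts in sorted(by_net.items())}


def simulate(seed=7):
    """Build a seeded network, run it and return (rounds, census, reports)."""
    rng = random.Random(seed)
    bots, sinkholes = build_network(rng)
    rounds, census = run(bots, sinkholes, rng)
    return rounds, census, notifications(census)


if __name__ == "__main__":
    rounds, census, reports = simulate()
    print(f"{len(census)} bots talk only to the sinkhole after {rounds} rounds")
    for net, hosts in reports.items():
        print(f"{net}: {len(hosts)} infected hosts")
```

The property worth noticing is that a bot whose list is entirely sinkhole addresses never hears from a genuine peer again, so the gang cannot push an update through the P2P channel, while the bot still gets a working peer exchange every round. That is why, as Werner says above, the fallback channel is never triggered: from the bot’s point of view the primary channel is not disrupted. The census the sinkhole collects is exactly what feeds the notification step, and the model also shows the limit the articles point out: nothing here cleans a host, it only isolates it.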

Various signs suggest that the Kelihos gang gave up on the botnet soon after it was sinkholed. However, given that this was their fifth botnet — including the Storm and Waledac variants — they’re unlikely to give up and will most likely create a new one, Werner said.


Security Researchers Take Down ‘Kelihos Botnet’

Security researchers from four different organizations brought down a botnet by turning a supposed strength of the criminals’ spamming network into a fatal weakness. Experts from CrowdStrike, Dell SecureWorks, the Honeynet Project and Kaspersky Lab crippled the second coming of the Kelihos botnet on March 21 by “sinkholing” about 118,000 bot-infected computers using the hackers’ own peer-to-peer network.


Kelihos botnet dead but malware evolved, say Microsoft and Kaspersky

Microsoft insists the Kelihos botnet is dead despite reports last week suggesting otherwise, but the company acknowledged that a new botnet is being assembled using a variant of the original malware.

The reappearance of a Kelihos-like army of hijacked computers shows just how difficult it is to eradicate a botnet, security experts said yesterday.

“It’s not possible in most cases,” said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. “What you’re going for is disruption more than anything.”

Liam O Murchu, manager of operations at Symantec’s security response team, agreed and said that there was only one way to ensure a botnet’s death.

“If you get to the people behind it through arrests and convictions, that will be the most successful,” said O Murchu. “But international borders and the lack of cross-country cooperation makes that a difficult road to go down.”

New Kelihos malware

Kelihos was taken offline last September when Microsoft, using a federal court order, led efforts to shut down domains used by the command-and-control (C&C) infrastructure, severing links between the compromised computers and their order-giving master. Microsoft identified the alleged botmaster as a Russian programmer, Andrey Sabelnikov, in an amended complaint last week.

Sabelnikov, who worked for a pair of security companies from 2005 to late 2011, has proclaimed his innocence.

Talk of a Kelihos resurrection was sparked last week by Kaspersky, which said it had found signs of new malware built on the Kelihos code. The implication was that Kelihos had returned from the dead and was again spamming users.

Not so, said Richard Boscovich, a senior attorney in Microsoft’s Digital Crimes Unit.

“Kaspersky has reported no loss of control of the Kelihos peer-to-peer operations and Microsoft researchers have confirmed this week that the original Kelihos C&C and backup infrastructure remains down, but it appears a new botnet infrastructure may be being built with the new variant of Kelihos malware,” Boscovich said at the start of the year.

Kaspersky confirmed that yesterday.

Disruptive strategies

“The botnet we took down is still under control and infected machines are not receiving commands from the C&C centre, so they are not sending spam,” said Alex Gostev, chief security expert at Kaspersky. “But new samples which are monitored by us continue to get orders from spammers and send spam so far. It means that we are dealing with another botnet.”

The appearance of that new botnet illustrates the difficulty researchers, software vendors and authorities have in exterminating a botnet, something that Boscovich, who cited several takedown successes, acknowledged.

“Taking down a single threat has never been Microsoft’s ultimate goal in our fight against botnets,” said Boscovich. “Rather, we hope to transform the fight against cybercrime by developing, testing and advancing impactful and disruptive strategies. This is a long-term effort.”

New botnets based on old-and-offline predecessors are not unusual: As Boscovich noted, the original Kelihos was probably developed using code for Waledac, a botnet that Microsoft and others brought down two years ago.

“We don’t see who is behind each botnet, what we see is an evolution,” said O Murchu. “A botnet brought down in some way may disappear for some months, but then reappear. In many cases, it’s unclear if it’s the same group or they sold their code to others to modify.”

Waledac and Koobface

The struggle to eliminate a botnet has analogies in the non-digital world, said Schouwenberg. “It’s like a big drug arrest where hundreds of kilos of cocaine are seized,” he said. “It’s damaging to the criminals, but it doesn’t put them out of business.”

The ideal solution is to find, arrest and prosecute botnet makers and operators, both Schouwenberg and O Murchu said. But that’s not easy.

“It’s a frustrating task,” said O Murchu. “Researchers often know who is behind a botnet, but to get action taken can take an incredibly long time. That’s incredibly frustrating.”

Schouwenberg and O Murchu each cited as an example the claim last month that several Russian hackers were responsible for the Koobface botnet. The five men identified by security experts as the brains behind the botnet have yet to be arrested or charged.

But the experts believed that takedowns are worthwhile, even if those efforts aren’t completely effective.

“If the fear of being caught isn’t applicable, then the best thing we can do is hit the ‘reset’ button for the bad guys, and make them start over with a new botnet,” said Schouwenberg.


Kelihos botnet cranks back up after Microsoft attack

A botnet that was crippled by Microsoft and Kaspersky Lab last September is spamming once again and experts have no recourse to stop it.

The Kelihos botnet only infected 45,000 or so computers but managed to send out nearly 4 billion spam messages a day, promoting, among other things, pornography, illegal pharmaceuticals and stock scams.

But it was temporarily corralled last September after researchers used various technical means to get the 45,000 or so infected computers to communicate with a “sinkhole,” or a computer they controlled.

But the computers that comprised Kelihos were still infected with its code. Researchers knew that it would only be a matter of time before its controller used the botnet’s complex infrastructure of proxy servers and communication nodes to regain control.

In fact, it happened shortly after the researchers intervened. Sinkholing the botnet was only a temporary solution.

“We could have issued an update to those machines to clean them up, but in several countries that would be illegal,” said Ram Herkanaidu, security researcher and education manager for Kaspersky Lab.

Meddling with another person’s computer could be considered a form of hacking, even with the best intentions of security researchers. Unfortunately, it appears that many of the machines infected with Kelihos are now controlled by the bad guys again.

There are also other new variants of Kelihos that are using updated forms of encryption to mask the communication with the botnet controllers, Herkanaidu said. Maria Garnaeva, a researcher with Kaspersky Lab, wrote that two different RSA keys are being used for encryption, which means it is possible two different groups are controlling Kelihos.

The resurrection of Kelihos comes as Microsoft last week named a Russian man it believes is responsible for the botnet. The man, Andrey Sabelnikov of St. Petersburg, freelanced for a software development company and formerly worked as a software engineer for a computer security software company.

After his name was widely published in media reports, Sabelnikov denied he was responsible and told the BBC, “I will prove my innocence.”

Even if Sabelnikov is eventually criminally charged by US prosecutors, Russia’s constitution prohibits extradition of its own citizens.

Microsoft said it is working with Kaspersky on studying the latest Kelihos developments. The company remains committed to following its botnet cases and intends to hold those responsible accountable for their actions, said Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit.


Accused Kelihos botmaster Andrey Sabelnikov claims innocence

Andrey Sabelnikov, the Russian man accused by Microsoft of creating and operating the Kelihos spam botnet, proclaimed his innocence last week.

Microsoft said that Sabelnikov, a programmer who lives in St Petersburg “created, operated and controlled the Kelihos botnet,” which at its peak comprised an estimated 45,000 compromised Windows PCs. Those systems were used to transmit up to 4 billion spam emails daily, Microsoft has alleged.

Last week, Microsoft added Sabelnikov to the list of defendants in a lawsuit first filed in September 2011, when it used a court order to take down Kelihos by commandeering its command-and-control (C&C) servers. Microsoft said its analysis showed evidence in the malware code of Sabelnikov’s participation.

Sabelnikov begged to differ.

No extradition treaty

“I did not commit this crime, have never participated in the management of botnets and any other similar programs, and especially have not extracted from it any benefit,” he wrote in a blog post on Friday (in Russian).

Over the weekend, Sabelnikov contacted the BBC, which first reported his claims of innocence.

In his blog, Sabelnikov also said that he had returned to Russia from the United States, where he had been on business, when he learned of the charges levelled by Microsoft.

Russian law bans extradition of its citizens to face trial in other countries.

Sabelnikov worked for a pair of security firms, Agnitum and Returnil, from 2005 through late 2011, resigning from the latter on December 21, 2011, according to that company.

Returnil said it was “extremely disappointed and angered that someone who was a member of our team could be implicated in this type of activity.”

Other security researchers have said that it was possible that Sabelnikov obtained the source code to another bot Trojan — dubbed “Waledac” — during his work at his former employers, or through his own probing of hacker forums. Kelihos, some experts believe, shares characteristics with Waledac.

“I want to emphasise that I do not have any relation to the activities of Kelihos and spam,” Sabelnikov said. “Unfortunately, an avalanche of press coverage, indicating false facts and distorting reality, have unwittingly caused the companies where I have worked and now work a huge moral hazard and an impact on their business reputation.”

Sabelnikov has not replied to requests for comment sent to his Skype account. Microsoft did not immediately react to a request for comment on Sabelnikov’s assertion that he is innocent.

Sabelnikov has until the middle of February to answer Microsoft’s charges, or face a default judgment, according to court documents.


Accused Kelihos malware mastermind protests his innocence

A Russian man who has been accused by Microsoft of being the mastermind behind the Kelihos botnet has used his LiveJournal blog to protest his innocence.


Microsoft accuses Russian of masterminding Kelihos botnet

Microsoft’s determined campaign against the Kelihos botnet has seen the company file a lawsuit against the Russian man it now believes to be responsible for its operations.

In a filing to a Virginia court, Microsoft alleges that Andrey N. Sabelnikov from St. Petersburg contributed code for the malware that set up the bot, registering 3,700 Czech .cz subdomains to aid its operation.

The company’s campaign against Kelihos dates back to last September, when it launched a similar court action against a Czech-based domain provider, the dotFREE Group, and its owner Dominique Piatti, accused of hosting the domains that made Kelihos possible. Both were later exonerated after they agreed to aid Microsoft’s Kelihos investigation.

The company also named “John Does 1-22” as being involved in Kelihos, one of whom must have included Sabelnikov himself.

Kelihos was always a pretty modest botnet – the number of infected hosts is not thought to have gone above 45,000 – but Microsoft sees disrupting every botnet using legal means as strategically important.

“Microsoft is committed to following the evidence wherever it leads us through the investigation in order to hold Kelihos’ operators accountable for their actions,” the company said in a new blog post on the case.

“We believe this is important both because of the harm caused by Kelihos and because all botnet operators should understand that there are risks and consequences for engaging in malicious activity.”

The case bears a superficial resemblance to last week’s naming of the Russians alleged by Facebook and other security companies to have been involved in the Koobface worm that assaulted users of various social networks between 2008 and 2010.

Critics in the security industry have voiced reservations about this ‘naming and shaming’ approach, worrying that it could compromise a possible future legal case against suspects.

The major difference is that Microsoft’s approach is always to pursue suspects using civil actions through the courts, during which supporting evidence must be examined by a judge. This approach has proved successful, closing down the operations of major botnets such as Rustock and Waledac.

More recently, the company quietly announced that it would give CERTs, ISPs and police access to its botnet monitoring system through an API.


Microsoft fails to credit Kaspersky Lab for Kelihos botnet takedown

Microsoft grabbed headlines this week with its report about the successful takedown of the Kelihos botnet, but while the company detailed the achievements of its Digital Crimes Unit, it failed to mention the major role security firm Kaspersky Lab played in the operation.

Microsoft’s Kelihos takedown announcement centred on the fact that its specialised team of lawyers succeeded in naming defendants in a botnet-related federal court complaint for the first time. Such cases usually involve unknown parties.

The named defendants were Alexander Piatti and his company dotFREE Group SRO, which operated a second-level domain registration service in the name space. This service was abused by the botnet’s operators to set up hosts for their control infrastructure. A temporary restraining order was obtained by the Digital Crimes Unit in the US District Court for the Eastern District of Virginia, forcing VeriSign to suspend the domain.

Microsoft did not disclose any technical details about how Kelihos was hijacked from its original operators, because Kaspersky Lab handled that part of the operation. The security company’s experts explained in a lengthy blog post how they took control of the botnet, but they probably didn’t appreciate being left out of the story in the first place.

“Hey @msftmmpc [Microsoft Malware Protection Center] why didn’t u mention all truth about Hlux/Kelihos botnet taking down?” wrote Dmitry Bestuzhev, head of Kaspersky Lab’s global research and analysis team for Latin America.

“Kaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure,” said Tillmann Werner, a senior virus analyst with Kaspersky in Germany. “We worked closely with Microsoft’s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system,” he added.

Even the antivirus vendor’s co-founder and CEO, Eugene Kaspersky, got the message: “The flipside of the Microsoft’s takedown of Kelihos (Hlux) botnet.”

Kaspersky Lab currently operates the only server to which computers infected with this malware connect, which effectively puts it in control of the botnet. The company has the resources to keep this so-called sinkhole operational for a long time, but the end goal is to reduce Kelihos’ size as much as possible.

Sending commands to clean the infected systems remotely would be illegal in most countries, so this won’t be an easy task. Microsoft has added detection for the Kelihos malware family to its Malicious Software Removal Tool (MSRT), which is distributed to computers worldwide via Windows Update, but the effects have yet to show.

The software giant claims that not crediting Kaspersky Lab in its original announcement was the result of poor communication between the two companies. “Due to an unfortunate miscommunication between Microsoft and Kaspersky prior to the announcement, Microsoft was operating under the belief that it was Kaspersky’s desire to not be proactively mentioned in the announcement, as some partners commonly request and which we understand and respect given the sensitivity of these situations,” said Richard Boscovich, a senior attorney with the Microsoft Digital Crimes Unit.

“However, we were very glad to see Kaspersky subsequently come forward with their role in the operation, because we very much want to give them the credit they deserve. Their research and unique, in-depth insight into the botnet was invaluable in this case and we are grateful for their support and determination to make the Internet safer for everyone,” he added.

