Kelihos, the notorious peer-to-peer (P2P) botnet, is querying legitimate, freely available IP reputation blocklists (the composite blocking lists, or CBLs, that mail operators use to reject spam) for its own ends.
By looking up an infected host's address in these lists, Kelihos can see whether a potential target has already been flagged as a spam source or an open proxy.
In a Zscaler blog, security researcher Chris Mannon said the botnet attempts to categorise its potential victim by using legitimate services to gather intelligence.
"In this instance, the malicious file actually queried the victim's IP address on Barracuda Networks, SpamHaus, Mail-Abuse, and Sophos. These services primarily exist to notify users of abuse seen on the site or IP address."
Mannon added that Kelihos uses these lookups to determine whether the new target has already been flagged as malicious. If the victim's address is not yet listed in the CBLs, the host is still clean enough to be used as either a proxy for command and control (C&C) or a spam bot.
He added that this latest threat makes no attempt to hide how noisy its network activity is. "We noted a spike in TCP traffic across 563 distinct IP addresses in the span of two minutes."
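The lookup described above is an ordinary DNSBL query: the malware reverses the octets of the victim's IPv4 address, appends the blocklist's zone, and treats an A record in 127.0.0.0/8 as "listed" (NXDOMAIN means "not listed"). The following is an added example, not Zscaler's or Kelihos' code; the zone names are real DNSBL zones used for illustration, but the responses are constructed and the meaning attached to each return code is an assumption, not the operators' documented semantics. The `resolve` callback is injected so the block runs offline; a live resolver would wrap `socket.gethostbyname_ex`.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Illustrative zones (assumption: any DNSBL zone works the same way).
ZONES = ["zen.spamhaus.org", "b.barracudacentral.org"]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone.

    1.2.3.4 checked against zen.spamhaus.org becomes 4.3.2.1.zen.spamhaus.org.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(answers: Optional[List[str]]) -> bool:
    """A DNSBL signals a listing with one or more A records inside 127.0.0.0/8.

    No answer (NXDOMAIN) means the address is not listed in that zone.
    """
    return any(ipaddress.ip_address(a) in LOOPBACK for a in (answers or []))


def check_listings(
    ip: str,
    zones: List[str],
    resolve: Callable[[str], Optional[List[str]]],
) -> Dict[str, List[str]]:
    """Return {zone: [return codes]} for every zone that lists the address."""
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if is_listed(answers):
            hits[zone] = list(answers or [])
    return hits


def usable_as_spam_node(ip: str, zones: List[str], resolve) -> bool:
    """The bot's decision as the text describes it: an unlisted host is still
    worth using as a spam bot or proxy C&C; a listed one is already burned."""
    return not check_listings(ip, zones, resolve)


# Constructed DNS responses (not real lookups): 1.2.3.4 is listed in both
# zones, 10.0.0.5 in neither. Return codes are illustrative.
FAKE_DNS: Dict[str, List[str]] = {
    "4.3.2.1.zen.spamhaus.org": ["127.0.0.4"],
    "4.3.2.1.b.barracudacentral.org": ["127.0.0.2"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Offline stand-in for a DNS A lookup; None plays the role of NXDOMAIN."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for victim in ("1.2.3.4", "10.0.0.5"):
        hits = check_listings(victim, ZONES, fake_resolve)
        print(victim, "listed in:", hits or "nothing",
              "-> usable:", usable_as_spam_node(victim, ZONES, fake_resolve))
```

The same reversed-octet query, sent from a single workstation to several reputation zones in quick succession, is itself a useful detection signal: ordinary endpoints have no reason to query a DNSBL about their own public address.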
Mannon advised network administrators to take extra precautions when monitoring users with unusual traffic levels. "A single node giving off so much traffic to different services in such a small window could be used to identify potential victims."
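The fan-out pattern Mannon describes (one internal host reaching hundreds of distinct external addresses inside two minutes) can be caught with a sliding-window count of distinct destinations per source. The block below is an added example, not Zscaler's detection logic; the flow records are constructed, and the 120-second window and 200-destination threshold are assumptions to be tuned against a real network's baseline.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Flow = Tuple[float, str, str]  # (timestamp in seconds, source IP, destination IP)

WINDOW_SECONDS = 120      # assumption: the "two minutes" from the text
DISTINCT_DST_THRESHOLD = 200  # assumption: tune against the site's baseline


def fan_out_alerts(
    flows: Iterable[Flow],
    window: float = WINDOW_SECONDS,
    threshold: int = DISTINCT_DST_THRESHOLD,
) -> Dict[str, int]:
    """Return {source: peak distinct destinations within any `window`} for
    every source whose peak reaches `threshold`.

    Flows are processed in timestamp order; per source we keep a deque of
    (ts, dst) inside the window and a multiset of destinations so that a
    destination contacted repeatedly counts once.
    """
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    in_window: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    peak: Dict[str, int] = {}

    for ts, src, dst in sorted(flows):
        q, counts = recent[src], in_window[src]
        q.append((ts, dst))
        counts[dst] += 1
        # Expire records older than the window from this source's view.
        while q and ts - q[0][0] > window:
            old_ts, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        distinct = len(counts)
        if distinct > peak.get(src, 0):
            peak[src] = distinct

    return {src: n for src, n in peak.items() if n >= threshold}


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic (not captured data).

    10.0.0.42 behaves like the infected node in the text: 563 distinct
    destinations spread over 120 seconds. 10.0.0.7 is a normal workstation
    talking to the same five hosts over the same period.
    """
    test_nets = ["192.0.2", "198.51.100", "203.0.113"]  # RFC 5737 ranges
    flows: List[Flow] = []
    for i in range(563):
        dst = f"{test_nets[i // 256]}.{i % 256}"
        flows.append((1000.0 + i * 120.0 / 563, "10.0.0.42", dst))
    for i in range(300):
        flows.append((1000.0 + i * 0.4, "10.0.0.7", f"203.0.113.{i % 5}"))
    return flows


if __name__ == "__main__":
    for src, n in fan_out_alerts(constructed_flows()).items():
        print(f"ALERT {src}: {n} distinct destinations within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw packets matters here: a busy file server may move far more bytes than the infected host, but it does not touch hundreds of new peers in two minutes.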
According to Threatpost, Kelihos' use of P2P communication rather than centralised command and control servers has added to its longevity. A P2P botnet's individual nodes are capable of acting as command-and-control servers for the entire botnet.
P2P botnets are trickier to take down and are a favourite with spam bots and cyber criminals involved in financial fraud, identity theft or denial-of-service attacks.