A cunning twist for Kelihos

Kelihos can now see if a potential target has been flagged as a spam source or as a proxy, says Zscaler.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 29 Aug 2013
Researchers advise network administrators to take extra precaution when monitoring users with unusual traffic levels.

Kelihos, the notorious peer-to-peer (P2P) botnet, is employing legitimate and freely available security services used to manage composite blocking lists (CBLs) for its own ends.

By leveraging these lists, Kelihos can see if a potential target has been flagged as a spam source or as a proxy.

In a Zscaler blog, security researcher Chris Mannon said the botnet attempts to categorise its potential victim by using legitimate services to gather intelligence.

"In this instance, the malicious file actually queried the victim's IP address on Barracuda Networks, SpamHaus, Mail-Abuse, and Sophos. These services primarily exist to notify users of abuse seen on the site or IP address."

Mannon added that Kelihos uses these lookups to determine whether the new target has already been flagged as malicious or not. If the victim hasn't been listed in the CBLs, it can still be used as either a proxy C&C or spam-bot.

He added that this latest threat makes no attempt to hide exactly how loud it is regarding network activity. "We noted a spike in TCP traffic across a distinct 563 IP addresses in the span of two minutes."

A brief history of Kelihos

The Kelihos botnet was first discovered in December 2010, and was originally suspected to have been a new version of either the Storm or Waledac botnet, due to similarities in source code, and the way they worked.
Analysis revealed, however, that it was a new botnet, of 45 000 infected machines, capable of sending around four billion spam messages a day. Kelihos A was disabled in September 2011.
Within a few weeks, Kelihos B reared its head, this time, having infected 120 000 machines. It was taken down in February 2012, but popped up a mere 20 minutes later.
Version C had some significant changes, posing a huge problem for security researchers. However, it was publicly taken down during RSA 2013 by a CrowdStrike researcher who managed to sinkhole thousands of bots before the audience.

Mannon advised network administrators to take extra precaution when monitoring users with unusual traffic levels. "A single node giving off so much traffic to different services in such a small window could be used to identify potential victims."
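The signal Mannon describes, one host opening connections to hundreds of distinct addresses in a two-minute window, is simple to turn into a detection. The script below is an added example, not Zscaler's or ITWeb's code: it parses constructed flow-log lines (timestamp, source IP, destination IP, destination port) and flags any source whose count of distinct destinations inside a sliding window reaches a threshold. The line format, the 500-destination threshold and the sample hosts are all assumptions chosen to mirror the 563-addresses-in-two-minutes figure quoted in the article; a real deployment would set the threshold from the network's own baseline.

```python
"""Flag hosts whose distinct-destination count within a short window is
anomalous, the traffic pattern the researchers attribute to Kelihos.
Added example (editor's code, not Zscaler's); log format is assumed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

Flow = Tuple[datetime, str, str, int]  # (timestamp, src_ip, dst_ip, dst_port)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<ISO time> <src> <dst> <port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_fanout(flows: Iterable[Flow],
                  window: timedelta = timedelta(minutes=2),
                  threshold: int = 500) -> Dict[str, int]:
    """Return {src_ip: peak distinct destinations} for every source whose
    distinct-destination count inside any sliding `window` reaches
    `threshold`.  Threshold and window are assumptions sized to the
    563-in-two-minutes spike quoted in the article."""
    ordered = sorted(flows, key=lambda f: f[0])
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    live: Dict[str, Counter] = defaultdict(Counter)  # dst multiplicity in window
    peak: Dict[str, int] = defaultdict(int)
    for ts, src, dst, _port in ordered:
        q, c = recent[src], live[src]
        q.append((ts, dst))
        c[dst] += 1
        # Evict this source's flows that have aged out of the window.
        while q and ts - q[0][0] > window:
            _old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        peak[src] = max(peak[src], len(c))
    return {src: n for src, n in peak.items() if n >= threshold}


def constructed_flows() -> List[str]:
    """Build sample log lines.  Constructed data, not captured traffic:
    one host fans out to 563 distinct peers in 90 seconds, another
    makes 20 ordinary connections spread over ten minutes."""
    base = datetime(2013, 8, 29, 9, 0, 0)
    lines = []
    for i in range(563):  # hypothetical infected host 10.0.0.5
        ts = base + timedelta(milliseconds=160 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.200.{i // 256}.{i % 256} 80")
    for i in range(20):  # hypothetical normal host 10.0.0.7
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 10.201.0.{i + 1} 443")
    return lines


def scan(lines: Iterable[str]) -> Dict[str, int]:
    """Parse log lines and return the sources that exceed the fan-out threshold."""
    return detect_fanout(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for src, n in scan(constructed_flows()).items():
        print(f"{src}: {n} distinct destinations within one 2-minute window")
```

The sliding window is kept per source so that the eviction cost stays proportional to that host's own traffic; the multiplicity counter lets repeated connections to the same peer count once, which matters because a single spam-bot may reconnect to the same relay many times without widening its fan-out.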

According to Threatpost, Kelihos' use of P2P communication rather than centralised command and control servers has added to its longevity. A P2P botnet's individual nodes are capable of acting as command-and-control servers for the entire botnet.

P2P botnets are trickier to take down and are a favourite with spam bots and cyber criminals involved in financial fraud, identity theft or denial-of-service attacks.