Kelihos Botnet Had Around 60K Bots When It Was Taken Down (Fourth Time's a Charm)


CrAKeN


The Kelihos botnet is no more. Or at least that's what authorities hope happens, after attempting to bring it down three times in the past, but to no avail.


This time around, the takedown attempt has a better chance of succeeding, because authorities arrested Kelihos' main maintainer, a Russian national known as Pyotr Levashov, or Peter Severa.


The arrest took place last week, on Friday, in Barcelona, Spain. Initially, because little information was available, Levashov's wife claimed in an RT interview that her husband had been arrested for hacks related to the US Presidential Election.


Those reports proved to be grossly inaccurate, and the US Department of Justice cleared the air on Monday, when it released Levashov's indictment, accusing the suspect of being the driving force behind the Kelihos botnet.


Kelihos was a spamming behemoth


Right from the get-go, the Kelihos botnet was a force to be reckoned with. The botnet first appeared on the scene in 2008, under the name Waledac, and morphed into the Kelihos botnet we know today in 2010.


During its long history, the botnet had multiple faces and was used for all sorts of cybercrime operations, ranging from cryptocurrency mining to the delivery of banking trojans, and from mundane spamming to ransomware deployment.


Of all these, it was Kelihos' spam operation that got everyone's attention, earning the botnet a place on Spamhaus' Top 10 Spammer list. In court documents, US authorities said Levashov was renting out the botnet's spamming capabilities for prices from $100 to $300.


First three takedown attempts proved unsuccessful


Known to be able to push millions of spam messages per hour, the Kelihos botnet was the target of three takedown attempts in consecutive years: 2011, 2012, and 2013.


All failed and Kelihos lived on, mainly because of its internal structure: it is one of those botnets that use a custom peer-to-peer (P2P) protocol together with several backup DNS domains, so that the botnet author can insert new C&C servers into a decapitated network at any time and regain control of his bots.


All the previous takedowns did nothing but bleed off a few thousand bots from Kelihos' main body before its author re-inserted new C&C domains into the system.


Fourth takedown has better chances


This time around, US authorities, with help from the Shadowserver Foundation and CrowdStrike, hope this fourth takedown attempt works better.


If Levashov doesn't have an apt and equally talented partner, there won't be anyone who can insert new C&C servers into Kelihos' current infrastructure.


According to the Shadowserver Foundation, during the past week, since the Kelihos takedown started, over 60,000 bots have reported to the fake (sinkholed) Kelihos C&C servers that authorities put in place. The vast majority of these bots (infected computers) were located in Egypt and China (over 10,000 each).


If no new C&C servers pop up on the Kelihos network, traffic will keep flowing to these sinkholed servers until all Kelihos bots disappear, as users clean their computers.


First time authorities have used Rule 41


US authorities, who orchestrated this mammoth takedown, said they used new legislation for the first time, legislation specifically created to aid botnet takedowns.


A warrant obtained under the amendments to Rule 41 of the Federal Rules of Criminal Procedure will allow authorities to track down victims of this botnet and pass their IPs to national CERT teams. These local cyber-security agencies will be in charge of contacting victims and helping them clean their computers.


The Rule 41 amendments were approved last year and could allow officials to hack into Kelihos-infected PCs. DoJ officials were careful to specify in their search warrant that investigators were allowed only to collect the victims' IP addresses and routing information, and nothing more.


"This warrant only authorizes seizure of IP addresses and routing information from target computers. No content may be captured or seized. No action is to be taken that blocks a target computer from access to the Internet," the search warrant says.

Source