The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of Bitcoins. Due to its spam activity, Kelihos is also referred to as a spambot. In September 2011 and March 2012, the bot was shut down by sink-holing its Command and Control (CnC) IPs, but after each shutdown a new variation has arisen and replaced the old botnet. Today’s version is Kelihos.c.
The Kelihos.c version mostly infects computers through Facebook by sending users of the website malicious download links. As of today, the active version of the botnet, Kelihos.c, has infected an estimated 70,000 computers.
When the Kelihos botnet was first discovered around December 2010, it was capable of sending an estimated 4 billion spam messages per day. It was shut down in September 2011. In January 2012, a new version of the botnet was discovered. This version was shut down in March 2012, but an updated version surfaced within months. Kelihos.c sends Facebook users malicious download links. Once clicked, a Trojan horse named Fifesoc is downloaded, which turns the computer into part of the botnet.
The Kelihos botnet has peer-to-peer capabilities, where individual botnet nodes are capable of relaying command received from the CnC servers. This way, any node can effectively act as a CnC server for the entire botnet. This makes it more difficult to shut down than a traditional botnet.
The first version of the botnet was mainly involved in denial-of-service attacks and email spam, while version two of the botnet added the ability to steal Bitcoin wallets, as well as a program used to mine Bitcoins itself. The most recent version has the following capabilities:
- The bot is capable of infecting flash drives, creating a file on them called “Copy a Shortcut to google.Ink” in the same way Stuxnet did.
The bot can search for configuration files for numerous FTP clients and transfer them to its command servers.
- The bot has a built-in Bitcoin wallet theft feature.
- The bot also includes a Bitcoin miner feature.
Back in March 2012, Kelihos used a huge list of different domain names to spread itself. In summer 2012 the Kelihos operators switched from Europe TLD (.eu) to Russian TLD (.ru). All mentioned domain names are registered through the same Russia-based registrar, REGGI-RU.
The domain names themselves use double FastFlux. With this technique, Bots not only flux their IP addresses but also flux the IP addresses of the DNS name servers that serve the IP addresses for the queried FQDNs (fully-qualified-domain-names). This makes it very hard to detect as the IP addresses on both sides are constantly changing.
The following is an example of a trace from one of the random domains used by Kelihos.c. The name servers can be seen hosted on different FastFlux networks. Notice the various randomly distributed IPs used by the name servers; in most networks, the name servers are in one or two IP clusters owned by the same entity and have proper reverse DNS names.
A records for pevhyvys.ru:
22.214.171.124 [c-67-177-139-18.hsd1.mi.comcast.net.] Delegated name servers for pevhyvys.ru: ns2.biocruc.com. -> 126.96.36.199 [114-43-101-84.dynamic.hinet.net.] ns4.systeat.com. -> 188.8.131.52 [c-67-177-139-18.hsd1.mi.comcast.net.] ns6.systeat.com. -> 184.108.40.206 [c-71-205-242-35.hsd1.mi.comcast.net.] ns3.biocruc.com. -> 220.127.116.11 [c-50-130-45-53.hsd1.ms.comcast.net.] ns5.systeat.com. -> 18.104.22.168 [cpe-069-132-069-185.carolina.res.rr.com.]
How existing security defenses are circumvented
Local detection mechanisms such as antivirus software detect only certain known strains of this malware. The malware keeps changing, and it takes time to develop and distribute detection patterns. By the time a new strain is detected, the malware might have mutated again.
Kelihos also has a low detection rate by the majority of antivirus scanners due to the compression and encryption techniques being applied to the newly created backdoor droppers.
Finally, Kelihos’ owners actively update the botnet. It has been shut down twice and both times it has come back in a new form.
How Infoblox can help protect against this attack
ATTACKED AND INFECTED? – DISRUPT COMMUNICATION TO THE INTERNET
Infoblox DNS Firewall is an application run on an Infoblox DNS server. It will disrupt malware communication by not resolving DNS queries for botnets and CnC servers. All resolved DNS queries are compared to a continually updated table of ‘bad’ domains and IP addresses with which communication should not be allowed. Resolved DNS queries to malicious domains and IP addresses are either blocked or redirected.
DNS Firewall Subscription Service updates DNS Firewall servers every 2 hours with updated information on domains and IP addresses (networks) that make up the Kelihos infrastructure.
Additionally, DNS Firewall has integration with the FireEye NX series APT appliances that detects any new Kelihos malware strains and constantly updates the DNS Firewall with new list of domains (or IPs) to be blocked.
If the Infoblox DHCP and Reporting server is installed, network administrators can pinpoint the infected devices by IP and MAC address, device type (DHCP fingerprinting), Host name (if configured) and DCHP lease history (on/off network).
BASICS – AVOIDING INFECTION
Network administrators can also use the following techniques to lessen the chances of a Kelihos infection and reduce the damage if one occurs:
- Patch Windows by running Windows Update to avoid exploitation through vulnerability CVE-2010-2568.
- Always use the latest version of an actively maintained browser.
- Use port security to limit the use of removable drives and prevent Kelihos from spreading through USB sticks.
- Kelihos is using port 80 (HTTP standard port) to communicate with the P2P drones. Restrict outbound connections to port 80 TCP (HTTP) and implement a web proxy with protocol inspection capabilities to prevent non-HTTP and non-HTTPs traffic that tries to go through the proxy.
- Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails.
- Restrict access to domain names identified as FastFlux: domains hosted on highly dynamic IP addresses and/or DNS servers that are hosted on dynamic IP addresses.
- 110,000 PC-strong Kelihos botnet sidelined, by C-net
- xKelihos botnet: What victims can expect, by zscaler
- UPDATE ON KELIHOS BOTNET (AUGUST 2013), by LavaSoft
- A Quick Update on Spambot Kelihos, by abuse.ch
- Microsoft suspects ex-antivirus worker of Kelihos botnet creation, by ITPro
- Second Kelihos botnet downed, 116,000 machines freed, by The Verge
- Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case, by The Official Microsoft Blog
- New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?, by Shadow Server
- Security Companies Take Down Kelihos Botnet of Version 2, by Spamfighter
- “Slain” Kelihos botnet still spams from beyond the grave, by ars technica
- Kelihos botnet cranks back up after Microsoft attack by, by TechWorld