Kelihos: not alien resurrection, more attack of the clones
| Field | Value |
|---|---|
| Botnet | Kelihos, Waledac, Nuwar, Storm |
| Malware | Stuxnet |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / March 12, 2012 |
| Editor/Conference | ESET |
| Link | http://blog.eset.com/2012/03/10/kelihos-not-alien-resurrection-more-attack-of-the-clones |
| Author | David Harley |
| Type | |
Abstract
“Our colleagues at ESET UK drew my attention to another article on the resurrection of the Kelihos botnet (Win32/Kelihos). The article is based on the abuse.ch analysis of a particular sample. The analysis is interesting and well executed, but the reappearance of Kelihos isn’t exactly hot off the press: there were several reports to that effect over a month ago, and some of those reports suggested that the new version appeared almost as soon as Microsoft’s takedown was publicized.
While Nuwar/Storm and Waledac are programmatically different, ESET researchers believe that they’re linked by a common operation, though we wouldn’t describe them as the same malware family, so persistence (in a non-technical sense) is not unexpected from this gang. What’s more, use of fast flux, while not generally common among botnets nowadays, is common to all three of these malware families.
The significance of the switch to .eu noted by the Swiss security blog is probably only that the .cc TLD is mostly used by malware (and so blocked by default by some AV companies). Back in summer 2011 Google actually blocked .cz.cc en bloc. The company may or may not have intended to block with quite that wide a range, but activity by Kelihos (among others) would have contributed to that reaction. The .eu TLD has a much higher proportion of legitimate users, and is less likely to be blocked generically.”
Bibtex

```bibtex
@misc{2012BFR934,
  editor       = {ESET},
  author       = {David Harley},
  title        = {Kelihos: not alien resurrection, more attack of the clones},
  day          = {12},
  month        = mar,
  year         = {2012},
  howpublished = {\url{http://blog.eset.com/2012/03/10/kelihos-not-alien-resurrection-more-attack-of-the-clones}},
}
```