Kelihos: not alien resurrection, more attack of the clones

From Botnets.fr
Revision as of 15:23, 7 February 2015 by Eric.freyssinet (talk | contribs) (1 revision imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

(Publication) Google search: [1]

Kelihos: not alien resurrection, more attack of the clones
Botnet Kelihos, Waledac, Nuwar, Storm
Malware Stuxnet
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / March 12, 2012
Editor/Conference ESET
Link http://blog.eset.com/2012/03/10/kelihos-not-alien-resurrection-more-attack-of-the-clones blog.eset.com (blog.eset.com Archive copy)
Author David Harley
Type

Abstract

Our colleagues at ESET UK drew my attention to another article on the resurrection of the Kelihos botnet (Win32/Kelihos). The article is based on the abuse.ch analysis of a particular sample. The analysis is interesting and well executed, but the reappearance of Kelihos isn’t exactly hot off the press: there were several reports to that effect over a month ago, and some of those reports suggested that the new version appeared almost as soon as Microsoft’s takedown was publicized.

While Nuwar/Storm and Waledac are programmatically different, ESET researchers believe that they’re linked by a common operation, though we wouldn’t describe them as the same malware family so persistence (in a non-technical sense) is not unexpected from this gang. What’s more, use of fast flux, while not generally common among botnets nowadays, is common to all three of these malware families.

The significance of the switch to .eu noted by the Swiss security blog is probably only that the .cc TLD is mostly used by malware (and so blocked by default by some AV companies). Back in summer 2011 Google actually blocked .cz.cc en bloc. The company may or may not have intended to block with quite that wide a range, but activity by Kelihos (among others) would have contributed to that reaction. The .eu TLD has a much higher proportion of legitimate users, and is less likely to be blocked generically.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR934,
   editor = {ESET},
   author = {David Harley},
   title = {Kelihos: not alien resurrection, more attack of the clones},
   date = {12},
   month = Mar,
   year = {2012},
   howpublished = {\url{http://blog.eset.com/2012/03/10/kelihos-not-alien-resurrection-more-attack-of-the-clones blog.eset.com}},
 }