Kelihos back in town using Fast Flux

From Botnets.fr
Revision as of 15:23, 7 February 2015 by Eric.freyssinet (talk | contribs) (1 revision imported)


Title: Kelihos back in town using Fast Flux
Image: Kelihos back intown.png
Botnet: Kelihos, Waledac
C&C protocol: P2P
Date: 2012 / March 4, 2012
Editor/Conference: abuse.ch
Link: http://www.abuse.ch/?p=3658 (abuse.ch; archive copy available)
Other record fields (Malware, Botnet/malware group, Exploit kits, Services, Feature, Distribution vector, Target, Origin, Campaign, Operation/Working group, Vulnerability, Author, Type) are empty.

Abstract

In September 2011, Microsoft announced the takedown of the Kelihos botnet. In the beginning of 2012, Kaspersky found a new version of Kelihos in the wild.

Kelihos (also known as Hlux) is a spambot with the capability to steal credentials from the victim's computer and drop additional malware. While the old version used the second-level domain cz.cc for its distribution and to control the botnet, the new version takes advantage of the TLD .eu in combination with Fast Flux techniques.

The Kelihos Spambot

Recently, I spotted a sample of Kelihos in my sandnet, so I decided to have a short look at it:

As soon as the victim's computer has been infected successfully, the malware will try to drop an additional file by calling a .eu domain which seems to be hard-coded in the infection binary: [...] Therefore it should be very easy to detect Kelihos in your network: just watch out for HTTP GET requests containing the header field "Content-Length".
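The detection heuristic from the post (a GET request carrying a Content-Length header, corroborated by the .eu host the binary calls) as an added example that is not part of the abuse.ch write-up; the hostnames and requests below are constructed placeholders, not indicators from the post.

```python
# Added example (not from the abuse.ch post): a check for the Kelihos traffic
# pattern described above. All hostnames and requests here are constructed.
from typing import Dict, List, Tuple


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, target, headers


def kelihos_get_indicators(raw: str) -> List[str]:
    """Return the reasons a request matches the pattern; empty list means no match.

    Primary signal (from the post): a GET request that carries Content-Length.
    Secondary signal: the request goes to a .eu host, which the post says is
    hard-coded in the binary. Both are checked so an analyst can weigh them.
    """
    method, _target, headers = parse_http_request(raw)
    reasons: List[str] = []
    if method == "GET" and "content-length" in headers:
        reasons.append("GET request with Content-Length header")
        host = headers.get("host", "").lower().rstrip(".")
        if host.endswith(".eu"):
            reasons.append("request to .eu host")
    return reasons


# Constructed sample requests (placeholder hostnames, not real IoCs).
SUSPECT = ("GET /file.exe HTTP/1.1\r\nHost: example-placeholder.eu\r\n"
           "Content-Length: 0\r\n\r\n")
NORMAL_GET = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NORMAL_POST = ("POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
               "Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for req in (SUSPECT, NORMAL_GET, NORMAL_POST):
        print(kelihos_get_indicators(req) or "no match")
```

Some legitimate clients do send "Content-Length: 0" on GET, so the first signal alone will produce false positives; alert on it together with the .eu host, or enrich with the fast-flux DNS behaviour the post mentions.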

Bibtex

@misc{2012BFR910,
  editor = {abuse.ch},
  author = {},
  title = {Kelihos back in town using Fast Flux},
  date = {04},
  month = mar,
  year = {2012},
  howpublished = {\url{http://www.abuse.ch/?p=3658}},
}