Long life to Kelihos!
| Field | Value |
|---|---|
| Botnet | Kelihos |
| Malware | Hlux_(bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| C&C protocol | |
| Date | 2012 / 2012-02-17 |
| Editor/Conference | Websense |
| Link | http://community.websense.com/blogs/securitylabs/archive/2012/02/17/long-life-to-kelihos.aspx (Archive copy) |
| Author | Gianluca Giuliani |
| Type | |
Abstract
“During the past months, the spam engine Kelihos has attracted the attention of many people, including security company researchers and analysts. Also very interesting was the recent official Microsoft response, which confirmed a new generation of Kelihos variants derived from the previous one. The Websense® Security Labs™ Spam Trap system has detected a variant of Kelihos that is apparently still active.

We focused our research on trying to uncover the Kelihos command and control infrastructure and P2P network, along with some features of the botnet that we could recognize, including enhancements. The first interesting thing we noticed was in a sample of the network traffic generated by the bot before it starts its spam activity. As shown below, the bot generates a first request to an IP address that is listening on HTTP port 80
BibTeX
```bibtex
@misc{2012BFR883,
  editor       = {Websense},
  author       = {Gianluca Giuliani},
  title        = {Long life to Kelihos!},
  date         = {17},
  month        = Feb,
  year         = {2012},
  howpublished = {\url{http://community.websense.com/blogs/securitylabs/archive/2012/02/17/long-life-to-kelihos.aspx}},
}
```