Long life to Kelihos!

From Botnets.fr
Revision as of 15:23, 7 February 2015 by Eric.freyssinet (1 revision imported)


Long life to Kelihos!
Botnet: Kelihos
Malware: Hlux_(bot)
Botnet/malware group: (none listed)
Exploit kits: (none listed)
Distribution vector: (none listed)
Operation/Working group: (none listed)
Date: 2012 / 2012-02-17
Editor/Conference: Websense
Link: http://community.websense.com/blogs/securitylabs/archive/2012/02/17/long-life-to-kelihos.aspx
Author: Gianluca Giuliani


During the past months, the spam engine Kelihos has attracted the attention of many people, including security company researchers and analysts. Also very interesting was the recent official Microsoft response, which confirmed a new generation of Kelihos variants derived from the previous one. The Websense® Security Labs™ Spam Trap system has detected a variant of Kelihos that is apparently still active.

We focused our research on trying to uncover the Kelihos command and control infrastructure and P2P network, along with some features of the botnet that we could recognize, including enhancements. The first interesting thing we noticed was in a sample of the network traffic generated by the bot before it starts its spam activity. As shown below, the bot generates a first request to an IP address that is listening on HTTP port 80


 @misc{2012BFR883,
   editor = {Websense},
   author = {Gianluca Giuliani},
   title = {Long life to Kelihos!},
   date = {17},
   month = Feb,
   year = {2012},
   howpublished = {\url{http://community.websense.com/blogs/securitylabs/archive/2012/02/17/long-life-to-kelihos.aspx}},
 }