Kelihos back in town using Fast Flux
(Publication) Google search: [1]
| Kelihos back in town using Fast Flux | |
|---|---|
| |
| Botnet | Kelihos, Waledac |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | P2P |
| Date | 2012 / March 4, 2012 |
| Editor/Conference | abuse.ch |
| Link | http://www.abuse.ch/?p=3658 abuse.ch (abuse.ch Archive copy) |
| Author | |
| Type | |
Abstract
“ In September 2011, Microsoft announced the takedown of the Kelihos botnet. In the beginning of 2012, Kaspersky found a new version of Kelihos in the wild.
Kelihos (also know as Hlux) is a Spambot with the capability to steal credentials from the victims computer and drop additional malware. While the old version used the second level domain cz.cc for it’s distribution and to control the botnet, the new version takes advantage of TLD .eu in combination with Fast Flux techniques.
- The Kelihos Spambot ***
Recently, I spotted a sample of Kelihos in my sandnet, so I decided to have a short look at it:
As soon the victims computer has been infected successfully, the malware will try to drop an additional file by calling a .eu domain which seem to be hard coded in the infection binary: [...] Therefore it should be very easy to detect Kelihos in your network, just watch out for HTTP GET request containing the header field “Content-Length”.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR910,
editor = {abuse.ch},
author = {},
title = {Kelihos back in town using Fast Flux},
date = {04},
month = Mar,
year = {2012},
howpublished = {\url{http://www.abuse.ch/?p=3658 abuse.ch}},
}