Kelihos is dead. Long live Kelihos

From Botnets.fr
Jump to: navigation, search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Kelihos is dead. Long live Kelihos
Botnet Kelihos
Malware Kelihos.A, Kelihos.B, Kelihos.C
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group Operation b79
Vulnerability
CCProtocol P2P, DGA
Date 2012 / 30-03-2012
Editor/Conference Damballa
Link http://blog.damballa.com/?p=1571 blog.damballa.com (blog.damballa.com Archive copy)
Author Gunter Ollmann
Type

Abstract

The King is dead. Long live the King! Or, given this week’s events, should the phrase now be “Kelihos is dead. Long live Kelihos”?

It is with a little amusement and a lot of cynicism that I’ve been watching the kerfuffle relating to the latest attempt to take down the Kelihos botnet. You may remember that a similar event (“Kelihos is dead”) occurred late last year after Microsoft and Kaspersky took it on themselves to shut down the botnet known as Kelihos (or sometimes as Waledac 2.0 or Hlux). Now, like a poor sequel to a TV docu-drama, Kaspersky and a number of other security vendors have attempted to slap down control of Kelihos Season Two – meanwhile Season Three of Kelihos has just begun to air.

In the most recent attempt to interrupt the business operations of the criminal entity behind the Kelihos botnet, a bunch of threat researchers have managed to usurp command and control (C&C) of the Kelihos.B crimeware package by poisoning the peer-to-peer (P2P) relationships between all of the infected devices and install a surrogate control server. It’s good technical work by all those concerned, but has also proved to be ineffective if the objective was to actually takedown the botnet.

Bibtex

 @misc{Ollmann2012BFR965,
   editor = {Damballa},
   author = {Gunter Ollmann},
   title = {Kelihos is dead. Long live Kelihos},
   date = {30},
   month = Mar,
   year = {2012},
   howpublished = {\url{http://blog.damballa.com/?p=1571 blog.damballa.com}},
 }