Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update

From Botnets.fr

Botnet: Nap, Kelihos, Hlux
Date: 2013 / 2013-02-10
Editor/Conference: DeepEnd Research
Link: http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html
Author: Mila Parkour
Type: Blogpost

Abstract

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with Kelihos distribution or Command & Control (current > 2012). The current and most active name servers are pointing to ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru, which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again.

Bibtex

 @misc{Parkour2013BFR1298,
   editor = {DeepEnd Research},
   author = {Mila Parkour},
   title = {Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update},
   date = {2013-02-10},
   month = feb,
   year = {2013},
   howpublished = {\url{http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html}},
 }