Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update
(Publication) Google search: [1]
| Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update | |
|---|---|
| Botnet | Nap, Kelihos, Hlux |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-02-10 |
| Editor/Conference | DeepEnd Research |
| Link | http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html (Archive copy) |
| Author | Mila Parkour |
| Type | Blogpost |
Abstract
“ FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with with Kelihos distribution or Command&Control. (current > 2012). The current and most active name servers are pointing to the ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep.2011 and Mar. 2012), the botnet is definitely on the rise again.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1298,
editor = {DeepEnd Research},
author = {Mila Parkour},
title = {Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update},
date = {10},
month = Feb,
year = {2013},
howpublished = {\url{http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html}},
}