Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update

Jump to navigation Jump to search

(Publication) Google search: [1]

Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update
Botnet Nap, Kelihos, Hlux
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2013 / 2013-02-10
Editor/Conference DeepEnd Research
Link (Archive copy)
Author Mila Parkour
Type Blogpost


FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with with Kelihos distribution or Command&Control. (current > 2012). The current and most active name servers are pointing to the ns[1-6], ns[1-6], and ns[1-6] which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep.2011 and Mar. 2012), the botnet is definitely on the rise again.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1298,
   editor = {DeepEnd Research},
   author = {Mila Parkour},
   title = {Trojan Nap aka Kelihos/Hlux - Feb. 2013 status update},
   date = {10},
   month = Feb,
   year = {2013},
   howpublished = {\url{}},