Kelihos Botnet Relies on CBL Blacklists for its Personal Ends

According to security firm Zscaler, Kelihos, the infamous peer-to-peer (P2P) botnet, is utilizing legal and freely accessible security services which are used to handle composite blocking lists (CBLs) for its own ends.

By controlling these CBLs, Kelihos can find out whether a potential object has been signed as a spam source or as a proxy.

Itweb.co.za published a report on 29th August, 2013 quoting Chris Mannon, a Security Researcher with Zscaler, as saying that the botnet tries to classify its potential prey by using legal services to collect intelligence. In this case, the malevolent file actually queried the IP address of the victim on SpamHaus, Mail-Abuse, Barracuda Networks, Sophos and these services mainly exist to inform users of abuse witnessed on the website or IP address."

Kelihos is employing it to establish whether the new victim is already seen as nasty or not.

Mannon says that this menace makes no effort to conceal exactly how noisy this network activity is. We observed a rise in TCP (Transmission Control Protocol) traffic across a dissimilar 563 IP (Internet Protocol) addresses within two minutes and network administrators should take extra care in watching users with irregular levels of traffic. A sole node giving off so much traffic to dissimilar services in such a minute window indicates that an end consumer is tainted."

Kelihos' tactic of peer-to-peer communication rather than a centralized and control servers also contributes to it's staying in power. Peer-to-peer botnets are difficult to shut down and finding favor not only with spam botnets but also with criminal gangs involved in fiscal fraud, identity theft or DoS (denial-of-service) attacks. A P2P botnet is flexible not only against law enforcement but also with security analysts who want to specify these networks of compromised computers or disrupt their services.

Threatpost.com publishes a report on 28th August, 2013 stating that in early August of 2013, researchers at the malware Must Die blogged mentioning many infrastructural changes with Kelihos particularly switching over its DNS from .RU to .com top level domains and identified a dozen.com domains and hundreds more .ru sites, which were removed from the Internet.

» SPAMfighter News - 9/6/2013