Kelihos Botnet: Here's How The World's Most Notorious Criminal Spammer Got Arrested
Seen as a cyber-criminal kingpin, his creation--Kelihos Botnet-- is a global network of infected computers involving in spams. Here is everything you need to know about it.

The alleged mastermind behind the Kelihos botnet, Peter Yuryevich Levashov, was recently arrested in Barcelona, Spain, at the request of the United States Justice Department. The Russian national is considered “one of the world's most notorious criminal spammers”.

His wife Maria said, “The arrest was connected to the FBI's ongoing investigation into potential Russian interference in the 2016 presidential elections,” in a report by ABC News. However, this claim does not hold water, and experts have suggested that his primary “motivation wasn’t politics.”

What is the Kelihos botnet?

Kelihos/Waledac has been active since 2008, highlights cyber security firm Symantec. Its main area of activity has been spamming operations, but it has also been involved in a range of other malicious activity such as downloading and running executables, acting as a network proxy, collecting credentials from compromised computers, and performing denial of service (DoS) attacks.

How does the Kelihos botnet work?

Kelihos malware targeted computers running the Microsoft Windows operating system. Infected computers became part of a network of compromised computers known as a botnet and were controlled remotely through a decentralized command and control system.

This network of infected computers under the control of a cybercriminal was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software.

“…an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks,” added Blanco.

What role did Peter Yuryevich Levashov play?

According to the civil complaint, Levashov allegedly operated the Kelihos botnet since approximately 2010. The Kelihos malware harvested user credentials by searching infected computers for usernames and passwords and by intercepting network traffic.

Levashov allegedly used the information gained from this credential harvesting operation to further his illegal spamming operation, which he advertised on various online criminal forums.

What is the payload?

The Kelihos botnet generated and distributed enormous volumes of unsolicited spam e-mails advertising counterfeit drugs, deceptively promoting stocks in order to fraudulently increase their price (so-called “pump-and-dump” stock fraud schemes), work-at-home scams, and other frauds.

Kelihos was also responsible for directly installing additional malware onto victims’ computers, including ransomware and malware that intercepts users’ bank account passwords.

As with other botnets, Kelihos is designed to operate automatically and undetected on victims’ computers, with the malicious code secretly sending requests for instructions to the botnet operator.

How was Kelihos successfully disrupted?

In order to liberate the victim computers from the botnet, the United States obtained civil and criminal court orders in the District of Alaska. These orders authorised measures to neutralise the Kelihos botnet by:

1) Establishing substitute servers that receive the automated requests for instructions, so that infected computers no longer communicate with the criminal operator.

2) Blocking any commands sent from the criminal operator attempting to regain control of the infected computers.

“On April 8, 2017, we started the extraordinary task of blocking malicious domains associated with the Kelihos botnet to prohibit further infections,” said FBI Special Agent in Charge Ritzman.

In seeking authorisation to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure.

The warrant obtained by the government authorises law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server.

This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware, including internet service providers.

Is the Kelihos botnet really down?
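An added example, not code from the article or from the operation it describes, of the defender-side bookkeeping the warrant permits: collapsing a substitute (sinkhole) server's connection log into one record per victim IP and grouping those IPs by the provider that can help with cleanup. The log lines, addresses and prefix-to-provider mapping are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole access log (not real Kelihos data): each line records when an
# infected host contacted the substitute server and from which source address.
SAMPLE_LOG = """\
2017-04-08T10:15:02Z src=203.0.113.7 sport=51234 dst=198.51.100.10 dport=80 req=/
2017-04-08T10:15:09Z src=203.0.113.7 sport=51240 dst=198.51.100.10 dport=80 req=/
2017-04-08T10:16:44Z src=192.0.2.55 sport=40211 dst=198.51.100.10 dport=80 req=/
2017-04-08T11:02:13Z src=203.0.113.7 sport=51301 dst=198.51.100.10 dport=80 req=/
garbage line that should be skipped
2017-04-09T00:01:00Z src=192.0.2.99 sport=40300 dst=198.51.100.10 dport=80 req=/
"""

LINE_RE = re.compile(r"^(\S+) src=(\d+\.\d+\.\d+\.\d+) ")

def summarize_sinkhole_log(text):
    """Collapse repeated check-ins into one record per victim IP (first/last seen, hits)."""
    victims = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ip = m.group(2)
        rec = victims.setdefault(ip, {"first_seen": ts, "last_seen": ts, "hits": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["hits"] += 1
    return victims

def notification_batches(victims, prefix_to_provider):
    """Group victim IPs by the provider responsible for their /24 (mapping is a constructed stand-in)."""
    batches = defaultdict(list)
    for ip in sorted(victims):
        prefix = ip.rsplit(".", 1)[0] + ".0/24"
        batches[prefix_to_provider.get(prefix, "unknown")].append(ip)
    return dict(batches)

if __name__ == "__main__":
    victims = summarize_sinkhole_log(SAMPLE_LOG)
    providers = {"203.0.113.0/24": "ISP-A", "192.0.2.0/24": "ISP-B"}
    for provider, ips in notification_batches(victims, providers).items():
        print(provider, ips)
```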

On several occasions, the botnet has been severely disrupted by takedown attempts but always managed to rebuild itself and return. Its original incarnation was the subject of a Microsoft-led takedown operation in 2010 in which hundreds of command and control (C&C) domains were seized.

The botnet’s controllers rebuilt its operations before it was hit by a second takedown in September 2011. Kelihos once again re-emerged, only to be hit by a coordinated sinkholing operation in 2012 in which a significant number of infected computers were freed from the botnet’s control.

The team behind the takedown:

The efforts to disrupt and dismantle the Kelihos botnet were led by the FBI’s Anchorage Office and New Haven Office; Senior Counsel Ethan Arenson and Harold Chun, and Trial Attorney Frank Lin of the Computer Crime and Intellectual Property Section; and Assistant U.S. Attorneys Yvonne Lamoureux and Adam Alexander of the District of Alaska.

Critical assistance was also provided by foreign partners, and invaluable technical assistance was provided by CrowdStrike and The Shadowserver Foundation in executing this operation.
