Kelihos Update Includes New TLD and USB Infection Capabilities

There’s a little Michael Myers in the Kelihos botnet; maim it, kill it and it keeps on coming back to wreak more havoc. The 2011 takedown of the Kelihos botnet was one of Microsoft’s high-profile success stories against spambots and the like, yet Kelihos was back for more at the start of 2012 using dynamic fast-flux techniques to avoid detection and further shutdowns.

As 2012 winds down, Kelihos is still going strong, now relying on double fast-flux domains to spread spam and malware. According to an analysis from a researcher at abuse.ch, Kelihos has also switched top-level domains, moving to .ru from .eu. More insidious, however, is that it now has the ability to spread via removable drives such as USB storage devices.

Once this latest update of Kelihos infects a computer, it connects with a .ru domain hosting its command and control looking for updates. The .ru domain is double fast-flux hosted, the researcher, who preferred to not be identified, said. Once an updated version of Kelihos is sent to the infected machine, it will infect any removable drives attached to the computer by exploiting the same vulnerability as Stuxnet. CVE-2010-2568 is a Windows Shell vulnerability that would give an attacker remote access via a malicious .LNK or .PIF shortcut file that is not properly handled by Windows Explorer during icon display. Malware exploiting this vulnerability and CVE-2010-2772 in Siemens WinCC SCADA systems was found in July 2010.

The switch to .ru domains happened during the summer, according to the report, and the attackers have a lengthy list of sites from which to send new binaries updating the botnet, all of which are registered to REGGI-RU, a registrar in Russia. The botnet operators, however, are using a registrar in the Bahamas to register the name server domains providing DNS resolution to the Russian domains hosting malware, the site said.

“Kelihos is not easy to shut down since it is using double FastFlux for their malware distribution domains and rely on P2P techniques for botnet communication. So there is no central botnet infrastructure,” the researcher said. “By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate.”

Kelihos boasts up to 150,000 spambots per day, the same level of activity as the Cutwail botnet, which was recently discovered to be spamming out the Gameover variant of the Zeus Trojan.

Kelihos remains a prime example of how difficult it is to permanently disable and shut down a botnet that is this profitable. After September’s takedown, in which Microsoft and researchers from Kaspersky Labs sinkholed the botnet’s command and control, Kelihos was back in business by January. Kaspersky researcher Tillmann Werner said the initial takedown would only be a temporary solution because for legal reasons the security companies could not push an update to the botnet that would disable it. Instead, the peer in the network that was sinkholed was no longer the dominant one, and others eventually began communicating with the compromised machines.