Monthly Archive for December, 2012

A Quick Update On Spambot Kelihos

In March 2012 I blogged about Kelihos, a spambot that Microsoft shut down in September 2011 and that came back in January 2012.

Various security researchers believe that Kelihos (also known as Hlux) is the successor of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009. Today I asked myself what kind of evolution Kelihos went through during this year, so I decided to take a quick look at recent Kelihos binaries and compare their behaviour with the behaviour of the binaries I saw back in March 2012.

Here is a quick overview:


                                                     Kelihos March '12   Kelihos December '12
Using (double) FastFlux domains to spread Kelihos:   Yes                 Yes
(ab)used TLD for malware distribution:               .eu                 .ru
Sponsoring registrar for nameserver domains:         INTERNET.BS         INTERNET.BS
Capability to spread via removable drives:           No                  Yes
Using P2P network:                                   Yes                 Yes

Infecting removable drives
So, what has changed? The first thing that stands out is that Kelihos can now spread via removable drives, such as USB sticks. The Kelihos gang implemented this feature on 2012-10-10 (what a nice date to push an update for Kelihos!).

Once a Kelihos infection binary is executed on the victim's computer, it writes a temporary file to C:\WINDOWS\Temp:

C:\WINDOWS\Temp\temp12.exe

The naming scheme used by Kelihos appears to be temp[1-9]{2}.exe. This file then tries to fetch an updated version of Kelihos by calling home to a .ru domain that is double FastFlux hosted. Once the update is done, temp12.exe starts infecting removable drives attached to the victim's computer, most likely using CVE-2010-2568 (the Windows shortcut/LNK vulnerability), which was first used in Stuxnet and later copied by various other malware:

Origin process               Affected file
C:\WINDOWS\Temp\temp12.exe   \Device\SanDisk0\sony.exe
C:\WINDOWS\Temp\temp12.exe   \Device\SanDisk0\Shortcut to Sony.lnk

Switching from .eu to .ru
Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from the .eu TLD to the .ru TLD:


As outlined before, these domain names are used to spread Kelihos. Malware binaries are served from various paths, such as calc.exe and rasta01.exe:

http://*random-domain-from-the-list-above*/calc.exe

http://*random-domain-from-the-list-above*/rasta01.exe

All of the mentioned domain names are registered through the same Russia-based registrar, REGGI-RU:

domain: GYWILHOF.RU
nserver: ns1.biocruc.com.
nserver: ns2.biocruc.com.
nserver: ns3.biocruc.com.
nserver: ns4.systeat.com.
nserver: ns5.systeat.com.
nserver: ns6.systeat.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.01
paid-till: 2013.11.01
free-date: 2013.12.02
source: TCI

… while the domain name itself is using double FastFlux (A record + NS record hosted on a FastFlux botnet):

A records for pevhyvys.ru:
-> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]

Delegated nameservers for pevhyvys.ru:
-> ns2.biocruc.com. -> 114.43.101.84 [114-43-101-84.dynamic.hinet.net.]
-> ns4.systeat.com. -> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]
-> ns6.systeat.com. -> 71.205.242.35 [c-71-205-242-35.hsd1.mi.comcast.net.]
-> ns3.biocruc.com. -> 50.130.45.53 [c-50-130-45-53.hsd1.ms.comcast.net.]
-> ns5.systeat.com. -> 69.132.69.185 [cpe-069-132-069-185.carolina.res.rr.com.]

What surprisingly hasn't changed is that the Kelihos gang is still using INTERNET.BS (a domain name registrar located in the Bahamas) to register the domain names of the name servers that provide DNS resolution for the malicious .ru domains:

Domain Name: BIOCRUC.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.BIOCRUC.COM
Name Server: NS2.BIOCRUC.COM
Name Server: NS3.BIOCRUC.COM
Name Server: NS4.BIOCRUC.COM
Name Server: NS5.BIOCRUC.COM
Name Server: NS6.BIOCRUC.COM
Status: clientTransferProhibited
Updated Date: 14-aug-2012
Creation Date: 15-jul-2012
Expiration Date: 15-jul-2013

The rise of Kelihos
If we take a look at today's global spam statistics, the Kelihos gang has managed to build one of the biggest spam botnets worldwide, with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day.

But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down, since it uses double FastFlux for its malware distribution domains and relies on P2P techniques for botnet communication, so there is no central botnet infrastructure. By adding the ability to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos that I've seen so far have a very poor AV detection rate.

For example:

hXXp://pevhyvys.ru/newavr3.exe

MD5: 19b4bb3dde20da3d6602165a25186a00
File size: 741.0 KB ( 758784 bytes )
File name: newavr3.exe
File type: Win32 EXE
Detection ratio: 1 / 46 (detected by Malwarebytes exclusively at the time of this post)
Reference: Virustotal

So what can a network administrator do to mitigate this threat?

  • Since Kelihos uses port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPS traffic that tries to go through the proxy gets blocked and alerted on)
  • Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
  • Use port security on your devices to limit the use of removable drives and prevent Kelihos from spreading through USB sticks etc.
  • Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
  • Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS RPZ
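The double FastFlux pattern shown in the pevhyvys.ru lookup above (A record and delegated nameservers all sitting on consumer/dynamic address space, spread across many networks) can be turned into a simple resolver-side check, and the result fed into the RPZ mitigation from the last bullet. The following is an added example, not code from the original post: the resolution data is constructed from the IPs and reverse names printed above, the dynamic-rDNS keyword list is an assumed heuristic, and the RPZ lines follow BIND's QNAME and NSDNAME trigger syntax.

```python
import ipaddress
import re

# Constructed sample: the A and NS resolution data for pevhyvys.ru as printed in the post.
DOMAIN = "pevhyvys.ru"
A_RECORDS = {"67.177.139.18": "c-67-177-139-18.hsd1.mi.comcast.net."}
NS_RECORDS = {  # nameserver name -> (IP, reverse DNS name)
    "ns2.biocruc.com.": ("114.43.101.84", "114-43-101-84.dynamic.hinet.net."),
    "ns4.systeat.com.": ("67.177.139.18", "c-67-177-139-18.hsd1.mi.comcast.net."),
    "ns6.systeat.com.": ("71.205.242.35", "c-71-205-242-35.hsd1.mi.comcast.net."),
    "ns3.biocruc.com.": ("50.130.45.53", "c-50-130-45-53.hsd1.ms.comcast.net."),
    "ns5.systeat.com.": ("69.132.69.185", "cpe-069-132-069-185.carolina.res.rr.com."),
}

# Assumed heuristic: substrings ISPs commonly put in reverse names of dynamic/consumer ranges.
DYNAMIC_RDNS = re.compile(r"(dyn|hsd1|\bcpe-|\.res\.|dhcp|pool|ppp)", re.I)

def looks_dynamic(ip, rdns):
    """True if the reverse name looks like consumer/dynamic space or simply embeds the IP."""
    octets = ip.split(".")
    embedded = ip.replace(".", "-") in rdns or "-".join(o.zfill(3) for o in octets) in rdns
    return embedded or bool(DYNAMIC_RDNS.search(rdns))

def distinct_prefixes(ips, bits=16):
    """Distinct /16 networks the IPs fall into; genuine NS sets rarely span many of them."""
    return {ipaddress.ip_network(f"{ip}/{bits}", strict=False) for ip in ips}

def double_fastflux_reasons(a_records, ns_records):
    """Return the indicators that point at double FastFlux (empty list = nothing suspicious)."""
    reasons = []
    if a_records and all(looks_dynamic(ip, r) for ip, r in a_records.items()):
        reasons.append("all A records on dynamic address space")
    ns_dyn = sum(looks_dynamic(ip, r) for ip, r in ns_records.values())
    if ns_records and ns_dyn >= max(2, len(ns_records) // 2):
        reasons.append(f"{ns_dyn}/{len(ns_records)} nameservers on dynamic address space")
    prefixes = distinct_prefixes(ip for ip, _ in ns_records.values())
    if len(prefixes) >= 3:
        reasons.append(f"nameservers spread over {len(prefixes)} /16 prefixes")
    return reasons

def rpz_records(domain, ns_hosts):
    """RPZ policy lines: a QNAME trigger for the domain, plus NSDNAME triggers so that
    any other domain delegated to the same fast-flux nameservers is blocked as well."""
    lines = [f"{domain} CNAME ."]
    for host in sorted(h.rstrip(".") for h in ns_hosts):
        lines.append(f"{host}.rpz-nsdname CNAME .")
    return lines

if __name__ == "__main__":
    for reason in double_fastflux_reasons(A_RECORDS, NS_RECORDS):
        print("indicator:", reason)
    print("\n".join(rpz_records(DOMAIN, NS_RECORDS)))
```

The NSDNAME triggers are what implement the "whose DNS servers are hosted on dynamic IP addresses" part of the bullet: they block every name delegated to those servers, not just the one domain looked up.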


