Tag Archive for 'Kelihos'

A Quick Update On Spambot Kelihos

In March 2012 I blogged about Kelihos, a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012.

Various security researchers believe that Kelihos (also known as Hlux) is the successor of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009. Today I asked myself what kind of evolution Kelihos went through during this year, so I decided to have a quick look at recent Kelihos binaries and compare their behaviour with that of the binaries I saw back in March 2012.

Here is a quick overview:


                                                    Kelihos March '12   Kelihos December '12
Using (double) FastFlux domains to spread Kelihos:  Yes                 Yes
(ab)used TLD for malware distribution:              .eu                 .ru
Sponsoring registrar for nameserver domains:        INTERNET.BS         INTERNET.BS
Capability to spread via removable drives:          No                  Yes
Using P2P network:                                  Yes                 Yes

Infecting removable drives
So, what has changed? The first thing that pops up is the fact that Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10 (what a nice date to push an update for Kelihos!).

Once a Kelihos infection binary is executed on the victim's computer, it writes a temporary file to C:\WINDOWS\Temp:

C:\WINDOWS\Temp\temp12.exe

The naming schema used by Kelihos seems to be temp[1-9]{2}.exe. This file then tries to fetch an updated version of Kelihos by calling home to a .ru domain that is double FastFlux hosted. Once the update is done, temp12.exe starts to infect removable drives attached to the victim's computer, most likely using CVE-2010-2568, which was first used in Stuxnet and later copied by various other malware:

Origin process               Affected file
C:\WINDOWS\Temp\temp12.exe   \Device\SanDisk0\sony.exe
C:\WINDOWS\Temp\temp12.exe   \Device\SanDisk0\Shortcut to Sony.lnk

Switching from .eu to .ru
Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from the .eu TLD to .ru.


As outlined before, these domain names are used to spread Kelihos. The malware binaries are served under various file names, such as calc.exe and rasta01.exe:

http://*random-domain-from-the-list-above*/calc.exe

http://*random-domain-from-the-list-above*/rasta01.exe

All of the domain names mentioned are registered through the same Russia-based registrar, REGGI-RU:

domain: GYWILHOF.RU
nserver: ns1.biocruc.com.
nserver: ns2.biocruc.com.
nserver: ns3.biocruc.com.
nserver: ns4.systeat.com.
nserver: ns5.systeat.com.
nserver: ns6.systeat.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.01
paid-till: 2013.11.01
free-date: 2013.12.02
source: TCI

… while the domain name itself is using double FastFlux (A record + NS record hosted on a FastFlux botnet):

A records for pevhyvys.ru:
-> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]

Delegated nameservers for pevhyvys.ru:
-> ns2.biocruc.com. -> 114.43.101.84 [114-43-101-84.dynamic.hinet.net.]
-> ns4.systeat.com. -> 67.177.139.18 [c-67-177-139-18.hsd1.mi.comcast.net.]
-> ns6.systeat.com. -> 71.205.242.35 [c-71-205-242-35.hsd1.mi.comcast.net.]
-> ns3.biocruc.com. -> 50.130.45.53 [c-50-130-45-53.hsd1.ms.comcast.net.]
-> ns5.systeat.com. -> 69.132.69.185 [cpe-069-132-069-185.carolina.res.rr.com.]

What surprisingly hasn't changed is that the Kelihos gang is still using INTERNET.BS (a domain name registrar located in the Bahamas) to register the domain names of the name servers that provide DNS resolution for the malicious .ru domains:

Domain Name: BIOCRUC.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.BIOCRUC.COM
Name Server: NS2.BIOCRUC.COM
Name Server: NS3.BIOCRUC.COM
Name Server: NS4.BIOCRUC.COM
Name Server: NS5.BIOCRUC.COM
Name Server: NS6.BIOCRUC.COM
Status: clientTransferProhibited
Updated Date: 14-aug-2012
Creation Date: 15-jul-2012
Expiration Date: 15-jul-2013

The rise of Kelihos
If we take a look at the global spam statistics today, the Kelihos gang has managed to build one of the biggest spam botnets worldwide, with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day.

But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down, since it uses double FastFlux for its malware distribution domains and relies on P2P techniques for botnet communication, so there is no central botnet infrastructure. By adding the ability to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers without needing a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos that I've seen so far have a very poor AV detection rate.

For example:

hXXp://pevhyvys.ru/newavr3.exe

MD5: 19b4bb3dde20da3d6602165a25186a00
File size: 741.0 KB ( 758784 bytes )
File name: newavr3.exe
File type: Win32 EXE
Detection ratio: 1 / 46 (detected by Malwarebytes exclusively at the time of this post)
Reference: Virustotal

So what can a network administrator do to mitigate this threat?

  • Since Kelihos uses port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPS traffic that tries to pass through the proxy gets blocked and alerted on)
  • Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
  • Use port security on your devices to limit the usage of removable drives and prevent Kelihos from spreading through USB sticks, etc.
  • Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
  • Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS RPZ

Kelihos Back In Town Using Fast Flux

In September 2011, Microsoft announced the takedown of the Kelihos botnet. In the beginning of 2012, Kaspersky found a new version of Kelihos in the wild.

Kelihos (also known as Hlux) is a Spambot with the capability to steal credentials from the victim's computer and drop additional malware. While the old version used the second level domain cz.cc for its distribution and to control the botnet, the new version takes advantage of the .eu TLD in combination with Fast Flux techniques.

*** The Kelihos Spambot ***

Recently, I spotted a sample of Kelihos in my sandnet, so I decided to have a short look at it:

As soon as the victim's computer has been infected successfully, the malware tries to drop an additional file by calling a .eu domain which seems to be hard coded in the infection binary:

hXXp://ejywqem.eu/rtce003.exe
hXXp://etrodhy.eu/jucheck.exe

The first URL will return a binary:

Filename: rtce003.exe
MD5 hash: 1393e4f5d0691e3de07eeda1b1451b89
File size: 886’272 bytes
AV detection: 10 / 43

The mentioned file installs the WinPcap library, which the malware uses to sniff the network traffic on the victim's computer:

Origin process (executing process)   Affected file
C:\WINDOWS\Temp\_ex-68.exe           C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\Temp\_ex-68.exe           C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Temp\_ex-68.exe           C:\WINDOWS\system32\drivers\npf.sys

By sniffing the network traffic, the malware is able to steal sensitive data like credentials.
The second URL (jucheck.exe) just returns an HTTP 200 OK. As soon as the WinPcap library has been installed, the malware starts to communicate with other drones on port 80 (using its own protocol). It is some kind of P2P protocol used by the malware to get a list of other drones participating in the Kelihos botnet.

To begin its spam operations, Kelihos connects to another drone using HTTP and a random URL string:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre

*encrypted-data*

HTTP/1.1 200
Server: Apache
Content-Length: 55002
Content-Type:
Last-Modified: X
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 04 Mar 2012 X
Last-Modified:Sun, 04 Mar 2012 X
Accept-Ranges:bytes

*encrypted-data*

This communication is used to get the spam templates as well as the email address list. Afterwards the spambot starts to send out spam mails.

Currently the Kelihos botnet seems to send out German stock spam.

*** Kelihos FastFlux botnet ***

Let's take a closer look at the .eu domains used by Kelihos. What pops up quickly is the fact that the domain names used by Kelihos are hosted on a FastFlux botnet, as all the records have a TTL of 0:

$ dig ejywqem.eu A

;; QUESTION SECTION:
;ejywqem.eu. IN A

;; ANSWER SECTION:
ejywqem.eu. 0 IN A 88.132.1.15

The delegated nameservers for the mentioned domain name are hosted on a FastFlux botnet as well. This is what we call Double-Flux:

$ dig ejywqem.eu NS

;; QUESTION SECTION:
;ejywqem.eu. IN NS

;; ANSWER SECTION:
ejywqem.eu. 0 IN NS ns6.ejywqem.eu.
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
ejywqem.eu. 0 IN NS ns2.ejywqem.eu.
ejywqem.eu. 0 IN NS ns3.ejywqem.eu.
ejywqem.eu. 0 IN NS ns4.ejywqem.eu.
ejywqem.eu. 0 IN NS ns5.ejywqem.eu.
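The double-flux traits shown here, and in the pevhyvys.ru nameserver listing of the December post (TTL 0 on both the A and the NS records, nameservers sitting on residential broadband lines), can be checked mechanically. The Python below is an added example and not code from the original post: the dig answer lines are the ones quoted above, while the reverse-DNS names for the nameservers are constructed, because the post lists no glue IPs for ejywqem.eu; all function and constant names are my own.

```python
import re
from collections import namedtuple

# Reverse-DNS fragments typical of residential / dynamic broadband pools, as in the
# pevhyvys.ru nameserver listing (comcast "hsd1", rr.com ".res.", hinet "dynamic").
RESIDENTIAL_RDNS = re.compile(r"dynamic|hsd1|\.res\.|cpe-|dsl|cable|pool|dhcp", re.I)
Record = namedtuple("Record", "name ttl rtype rdata")


def parse_dig_answers(text: str) -> list:
    """Parse 'name ttl IN type rdata' answer lines from dig output; ignore the rest."""
    recs = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[2] == "IN" and p[1].isdigit():
            recs.append(Record(p[0], int(p[1]), p[3], p[4]))
    return recs


def flux_indicators(records: list, ns_rdns: dict) -> list:
    """ns_rdns maps a nameserver name to the reverse-DNS name of its IP; returns the
    double-flux traits found, an empty list meaning nothing suspicious."""
    hits = []
    a_recs = [r for r in records if r.rtype == "A"]
    ns_recs = [r for r in records if r.rtype == "NS"]
    if a_recs and all(r.ttl == 0 for r in a_recs):
        hits.append("A record TTL 0 (single flux)")
    if ns_recs and all(r.ttl == 0 for r in ns_recs):
        hits.append("NS record TTL 0 (delegation itself is fluxed)")
    resi = [r for r in ns_recs if RESIDENTIAL_RDNS.search(ns_rdns.get(r.rdata, ""))]
    if ns_recs and 2 * len(resi) > len(ns_recs):  # majority of NS on consumer lines
        hits.append(f"{len(resi)}/{len(ns_recs)} nameservers on residential IPs")
    return hits


# Answer sections exactly as quoted in the post for ejywqem.eu.
DIG_OUTPUT = """
ejywqem.eu. 0 IN A 88.132.1.15
ejywqem.eu. 0 IN NS ns6.ejywqem.eu.
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
ejywqem.eu. 0 IN NS ns2.ejywqem.eu.
ejywqem.eu. 0 IN NS ns3.ejywqem.eu.
ejywqem.eu. 0 IN NS ns4.ejywqem.eu.
ejywqem.eu. 0 IN NS ns5.ejywqem.eu.
"""
# Constructed reverse names (no glue IPs in the post); ns4 is a deliberate counter-example.
NS_RDNS = {
    "ns1.ejywqem.eu.": "c-192-0-2-10.hsd1.mi.example.net.",
    "ns2.ejywqem.eu.": "192-0-2-11.dynamic.example.net.",
    "ns3.ejywqem.eu.": "cpe-192-0-2-12.carolina.res.example.net.",
    "ns4.ejywqem.eu.": "ns4.hosting.example.org.",
    "ns5.ejywqem.eu.": "192-0-2-14.dynamic.example.net.",
    "ns6.ejywqem.eu.": "c-192-0-2-15.hsd1.ms.example.net.",
}
```

A passive-DNS feed or resolver log can be run through the same two functions; a domain with a normal TTL and nameservers in a hosting network yields an empty list.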

Looking at the geolocation of this Fast Flux botnet, it seems to be mainly located in eastern Europe.

Because these domain names use double-flux, it is extremely hard to shut them down (there is no single webserver or DNS server to take down). Currently, several domain names are hosted on this Fast Flux botnet.


All of the domain names mentioned are registered through OnlineNIC (a domain name registrar located in the US):

Domain: zoneczu

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased whois.

Registrar Technical Contacts:
Name: Breeze Wu
Organisation: OnlineNIC Inc.
Language: en
Phone: +86.15306099988
Fax: +852.58044444
Email: Tech@regionalofficecenter.com

Registrar:
Name: OnlineNIC Inc
Website: www.onlinenic.com

Name servers:
ns5.pizzebu.com
ns6.pizzebu.com

The nameserver domain used to resolve these malicious domains is registered through internet.bs (a domain name registrar located in the Bahamas):

Domain Name: PIZZEBU.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.PIZZEBU.COM
Name Server: NS2.PIZZEBU.COM
Name Server: NS3.PIZZEBU.COM
Name Server: NS4.PIZZEBU.COM
Name Server: NS5.PIZZEBU.COM
Name Server: NS6.PIZZEBU.COM
Status: clientTransferProhibited
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013

This Fast Flux botnet reminds me of the Fast Flux botnet used by Waledac which was also using a TTL of 0 for their DNS records.

*** Detection ***

As hard as this botnet is to take down, it should be just as easy to detect computers infected with Kelihos. The malware itself seems to ignore several RFCs, which makes it very easy to spot infected computers in corporate and governmental networks.

In the first stage, the malware hits “jucheck.exe” with an incomplete HTTP request:

GET /jucheck.exe HTTP/1.0
Host: etrodhy.eu

This particular HTTP request is missing several HTTP header fields that a normal web browser would send:

  • Header fields like User-Agent, Accept-Language and Accept-Encoding are missing
  • The URL jucheck.exe seems to be quite static, so you just have to watch out for .eu domains in combination with jucheck.exe in your gateway logs

In the second stage (where the malware tries to connect to other drones using HTTP), the malware sends 1-2KB of encrypted data to the foreign peer:

GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
Host: 79.132.177.87
Content-Length: 1464

I'm not an RFC specialist, but I've never seen an HTTP GET request in combination with the Content-Length header. I would only expect the HTTP Content-Length header from the server (response) or when sending an HTTP POST request to the server. Therefore it should be very easy to detect Kelihos in your network: just watch out for HTTP GET requests containing the header field "Content-Length".
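The two traits described in this section (the bare jucheck.exe check-in and the GET carrying a Content-Length) can be turned into a simple filter for proxy or IDS-captured request heads. The Python below is an added example and not code from the original post: STAGE1 and STAGE2 follow the captures quoted above, BENIGN is a constructed browser request, and the function and constant names are my own.

```python
# Sample requests: STAGE1 and STAGE2 follow the captures quoted in the post,
# BENIGN is a constructed browser request for comparison.
STAGE1 = "GET /jucheck.exe HTTP/1.0\r\nHost: etrodhy.eu\r\n\r\n"
STAGE2 = ("GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1\r\nHost: 79.132.177.87\r\n"
          "Content-Length: 1464\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; "
          "ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre\r\n\r\n")
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
          "Accept: text/html\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n")
BROWSER_HEADERS = ("user-agent", "accept-language", "accept-encoding")


def parse_request(raw: str):
    """Split a raw HTTP request head into (method, path, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def kelihos_indicators(raw: str) -> list:
    """Return the Kelihos traits present in one request; [] means nothing matched."""
    method, path, headers = parse_request(raw)
    hits = []
    # Browsers never send a body (hence no Content-Length) with GET; the P2P
    # traffic does, which is the strongest single indicator in the post.
    if method == "GET" and "content-length" in headers:
        hits.append("GET with Content-Length (P2P drone traffic)")
    if method == "GET" and path.lower().endswith("/jucheck.exe") \
            and headers.get("host", "").lower().endswith(".eu"):
        hits.append("jucheck.exe fetched from a .eu host (stage-1 check-in)")
    # Weak on its own (scripts and updaters also omit these), so only flag when
    # every browser header is absent, as in the stage-1 request.
    if all(h not in headers for h in BROWSER_HEADERS):
        hits.append("no User-Agent / Accept-Language / Accept-Encoding")
    return hits


def scan(requests: list) -> dict:
    """Map each request's first line to its indicators, skipping clean requests."""
    report = {}
    for raw in requests:
        hits = kelihos_indicators(raw)
        if hits:
            report[raw.split("\r\n", 1)[0]] = hits
    return report
```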

Happy Kelihos hunting!

Follow me on Twitter:
https://twitter.com/abuse_ch