Kelihos (also known as Hlux) is a spambot with the capability to steal credentials from the victim’s computer and drop additional malware. While the old version used the second-level domain cz.cc for its distribution and to control the botnet, the new version takes advantage of the TLD .eu in combination with Fast Flux techniques.
*** The Kelihos Spambot ***
Recently, I spotted a sample of Kelihos in my sandnet, so I decided to have a short look at it:
As soon as the victim’s computer has been infected successfully, the malware will try to drop an additional file by calling a .eu domain which seems to be hard-coded in the infection binary:
The first URL will return a binary:
MD5 hash: 1393e4f5d0691e3de07eeda1b1451b89
File size: 886’272 bytes
AV detection: 10 / 43
The mentioned file will install the WinPcap library, which is used by the malware to sniff the network traffic on the victim’s computer:
|Origin process (executing process)||Affected file|
By sniffing the network traffic, the malware is able to steal sensitive data like credentials.
The second URL (jucheck.exe) will just return an HTTP 200 OK. As soon as the WinPcap library has been installed, the malware will start to communicate with other drones on port 80 (using its own protocol). It’s some kind of P2P protocol used by the malware to get a list of other drones participating in the Kelihos botnet.
To begin its spam operations, Kelihos will connect to another drone using HTTP and a random URL string:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre
Date:Sun, 04 Mar 2012 X
Last-Modified:Sun, 04 Mar 2012 X
This communication is being used to get the spam templates as well as the email address list. Afterwards the spambot will start to send out spam mails:
Currently the Kelihos botnet seems to send out German stock spam.
*** Kelihos FastFlux botnet ***
Let’s take a closer look at the .eu domains used by Kelihos. What pops up quickly is the fact that the domain names used by Kelihos are hosted on a FastFlux botnet, as all the records have a TTL of 0:
;; QUESTION SECTION:
;ejywqem.eu. IN A
;; ANSWER SECTION:
ejywqem.eu. 0 IN A 188.8.131.52
The delegated nameservers for the mentioned domain name are hosted on a FastFlux botnet as well. This is what we call Double-Flux:
;; QUESTION SECTION:
;ejywqem.eu. IN NS
;; ANSWER SECTION:
ejywqem.eu. 0 IN NS ns6.ejywqem.eu.
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
ejywqem.eu. 0 IN NS ns2.ejywqem.eu.
ejywqem.eu. 0 IN NS ns3.ejywqem.eu.
ejywqem.eu. 0 IN NS ns4.ejywqem.eu.
ejywqem.eu. 0 IN NS ns5.ejywqem.eu.
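The TTL check applied to the two dig answers above, as an added example that is not part of the original post: it parses dig-style answer lines and labels each owner name by which record types come back with a TTL of 0. The `example.org` records are constructed for contrast, and the function names and labels are this example's own.

```python
from collections import defaultdict

def parse_answers(dig_text):
    """Yield (owner, ttl, rtype, rdata) from dig answer lines; ';' lines are skipped."""
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[1].isdigit() and fields[2] == "IN":
            yield fields[0].lower(), int(fields[1]), fields[3], fields[4].lower()

def classify_flux(dig_text):
    """Label each owner name using the post's heuristic: TTL 0 on A records
    marks a flux domain, TTL 0 on the NS records as well marks double-flux."""
    zero_ttl = defaultdict(set)  # owner -> record types seen with TTL 0
    owners = set()
    for owner, ttl, rtype, _rdata in parse_answers(dig_text):
        owners.add(owner)
        if ttl == 0 and rtype in ("A", "NS"):
            zero_ttl[owner].add(rtype)
    labels = {}
    for owner in sorted(owners):
        types = zero_ttl[owner]
        if types == {"A", "NS"}:
            labels[owner] = "double-flux"
        elif types == {"A"}:
            labels[owner] = "single-flux"
        elif types == {"NS"}:
            labels[owner] = "ns-only"
        else:
            labels[owner] = "none"
    return labels

# First three records are from the post; the example.org lines are constructed.
SAMPLE = """\
;; ANSWER SECTION:
ejywqem.eu. 0 IN A 188.8.131.52
ejywqem.eu. 0 IN NS ns1.ejywqem.eu.
ejywqem.eu. 0 IN NS ns2.ejywqem.eu.
example.org. 3600 IN A 192.0.2.7
example.org. 86400 IN NS ns1.example.org.
"""

if __name__ == "__main__":
    for owner, label in classify_flux(SAMPLE).items():
        print(owner, label)
```

A TTL of 0 on its own is only a first filter; resolving a flagged name repeatedly and seeing the A and NS sets change confirms the flux behaviour.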
When taking a look at the geolocation of this Fast Flux botnet, it seems that the botnet is mainly located in Eastern Europe:
Due to the fact that these domain names are using double-flux, it is extremely hard to shut them down (there is no webserver or DNS server to take down). Currently, there are several domain names hosted on this Fast Flux botnet:
All mentioned domain names are registered through OnlineNIC (a domain name registrar located in the US):
Visit www.eurid.eu for webbased whois.
Registrar Technical Contacts:
Name: Breeze Wu
Organisation: OnlineNIC Inc.
Name: OnlineNIC Inc
The domain name used to resolve these malicious domains is registered through internet.bs (a domain name registrar located in the Bahamas):
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.PIZZEBU.COM
Name Server: NS2.PIZZEBU.COM
Name Server: NS3.PIZZEBU.COM
Name Server: NS4.PIZZEBU.COM
Name Server: NS5.PIZZEBU.COM
Name Server: NS6.PIZZEBU.COM
Updated Date: 13-jan-2012
Creation Date: 13-jan-2012
Expiration Date: 13-jan-2013
This Fast Flux botnet reminds me of the Fast Flux botnet used by Waledac which was also using a TTL of 0 for their DNS records.
*** Detection ***
As hard as it is to take down this botnet, it should be just as easy to detect computers infected with Kelihos. The malware itself seems to ignore several RFCs, which makes it very easy to detect infected computers in corporate and governmental networks.
In the first stage, the malware hits “jucheck.exe” with an incomplete HTTP request:
This particular HTTP request is missing several HTTP fields which a normal web browser would use:
- Several HTTP fields like User-Agent, Accept-Language, Accept-Encoding are missing
- The URL jucheck.exe seems to be quite static, so you just have to watch out for .eu domains in combination with jucheck.exe in your gateway logs
In the second stage (where the malware tries to connect to other drones using HTTP), the malware sends 1-2KB of encrypted data to the foreign peer:
I’m not an RFC specialist, but I’ve never seen an HTTP GET request in combination with the Content-Length header. I would only expect the HTTP Content-Length header from the server (response) or when sending an HTTP POST request to the server. Therefore it should be very easy to detect Kelihos in your network: just watch out for HTTP GET requests containing the header field “Content-Length”.
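Both detection heuristics from this section, written as an added example that is not part of the original post: it parses raw HTTP requests and reports the stage 1 pattern (jucheck.exe on a .eu host without the usual browser headers) and the stage 2 pattern (GET with Content-Length). The sample requests are constructed, not captured traffic, and the function names are this example's own.

```python
BROWSER_HEADERS = ("user-agent", "accept-language", "accept-encoding")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, lower-cased headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers

def kelihos_indicators(raw):
    """Return the heuristics from the post that this request matches."""
    method, path, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower().rstrip(".")
    hits = []
    # Stage 1: jucheck.exe requested from a .eu host without browser headers.
    if (method == "GET" and path.lower().endswith("/jucheck.exe")
            and host.endswith(".eu")):
        missing = [h for h in BROWSER_HEADERS if h not in headers]
        if missing:
            hits.append("stage1:jucheck.exe on .eu, missing " + ",".join(missing))
    # Stage 2: a GET request that carries a Content-Length header.
    if method == "GET" and "content-length" in headers:
        hits.append("stage2:GET with Content-Length=" + headers["content-length"])
    return hits

# Constructed sample requests; path, peer address and body are placeholders.
SAMPLES = {
    "stage1": b"GET /jucheck.exe HTTP/1.1\r\nHost: ejywqem.eu\r\n\r\n",
    "stage2": b"GET /a1b2c3.htm HTTP/1.1\r\nHost: 192.0.2.10\r\n"
              b"Content-Length: 4\r\nUser-Agent: Mozilla/5.0\r\n\r\nABCD",
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.eu\r\n"
               b"User-Agent: Mozilla/5.0\r\nAccept-Language: en\r\n"
               b"Accept-Encoding: gzip\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, kelihos_indicators(raw))
```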
Happy Kelihos hunting!
*** Further reading ***
- Microsoft blog: Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case
- Kaspersky: Kelihos/Hlux botnet returns with new techniques
- Microsoft Threat Encyclopedia: W32/Kelihos
*** Further reading (for the Kelihos botnet masters) ***