The alleged Russian botmaster behind the Kelihos botnet was arrested while on vacation in Spain, putting an end to a seven-year cybercrime operation that foisted hundreds of millions of spam messages on consumers, as well as a dangerous array of banking malware and ransomware.
Pyotr Levashov, also known as Peter Severa and a handful of other aliases, was arrested on Sunday by authorities in Barcelona. The U.S. Department of Justice yesterday released a statement acknowledging international cooperation between U.S. and foreign authorities, as well as the Shadow Server Foundation and Crowdstrike, in making the arrest and seizing infrastructure used to support Kelihos and Levashov’s operations.
“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Kenneth A. Blanco.
Kelihos surfaced in 2010 after the takedown of the Storm botnet. For years, it had targeted Windows machines with nonstop spam pushing counterfeit drugs, pump-and-dump stock scams and other fraudulent schemes. It was also proficient in spreading banking malware such as Vawtrak and Kronos, and a number of different ransomware families.
The DoJ said it obtained a Rule 41 warrant to facilitate the Kelihos takedown.
“The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server,” the DoJ said. “This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.”
The DoJ said it began blocking Kelihos domains on Saturday, less than 24 hours before Levashov’s arrest.
Levashov, of St. Petersburg, is No. 7 on Spamhaus’ list of the worst spammers, and is alleged to have been partners with American spammer Alan Ralsky.
Kelihos has survived a number of past takedowns, including a live sinkholing of thousands of bots conducted during the 2013 RSA Conference by former Kaspersky Lab researcher Tillmann Werner. Werner and Stefan Ortloff had also been part of earlier Kelihos shutdowns in 2011 and 2012, and in 2013 published a post-mortem on those shutdowns that showed a steady downturn in new Kelihos bots.
The botnet resurfaced time and time again and spread malware that harvested credentials from infected computers, including usernames and passwords for online banking accounts.
The DoJ said it obtained civil and criminal court orders from the District of Alaska that granted authorities permission to redirect command and control requests from bots to servers controlled by law enforcement. They were also entitled to block any commands sent by the botmaster in an attempt to regain control of his network and bots.