Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins.
According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim’s IP address has previously been flagged as a spam source or as a proxy. A CBL is a blacklist of IP addresses known to be participating in spreading spam or malware.
“Personally, I haven’t seen anything ever use a composite blocking list before, but it’s not unheard of with other types of malware,” said Zscaler security researcher Chris Mannon. “A lot of Trojans or viruses will ping legitimate services to gain more information about a victim.”
Since security researchers often share intelligence data such as this, an attacker knows that if an IP address passes muster with one service, it likely would do so with most others.
“The attacker will know whether the victim is known to the security community. We share everything, that’s part of what these services are about. I can look up anything to determine if it’s bad,” Mannon said. “If an attacker has found a victim with a good IP reputation, then they can sully it by spamming from that location.”
Spamhaus, the Mail Abuse Prevention System, and a few other free vendor black list services are being leveraged by Kelihos, currently.
“I know that if Spamhaus hasn’t blocked the victim IP yet, I know the other services won’t block it either; then the botnet could spam from that location,” Mannon said.
Kelihos’ tactic of using peer-to-peer communication rather than a centralized command and control server or servers also contributes to its staying power. Peer-to-peer botnets are difficult to take down and are finding favor not only with spam bots, but criminal gangs involved in financial fraud, identity theft or denial-of-service attacks. A P2P botnet is resilient not only against law enforcement, but security analysts who want to enumerate these networks of compromised computers or disrupt their services.
Earlier this month, researchers at the Malware Must Die blog reported other infrastructure changes with Kelihos, particularly that it had switched its DNS from .RU to .com top level domains and identified a dozen .com domains and hundreds more .ru sites that were removed from the Internet, all of which were found on a Bahamian web host. It is also employing different file and registry names than in the past to help it avoid detection, according to Lavasoft.
Recent research examined the resilience of peer to peer botnets, in particular Kelihos, ZeroAccess and Zeus, and found a number of reasons why it has legs. Often, P2P botnets use custom and encrypted protocols for communication that makes analysis a challenge. Also, they make good use of a peer reputation scheme to determine whether bots are trustworthy; those that are not are blacklisted. Others are even more sophisticated, using fast-flux DNS or domain generation algorithms to protect the botnet from disruptions.
At RSA Conference 2013, CrowdStrike researcher Tillmann Werner did a live takedown of Kelihos on stage during a presentation. He managed to poison a middle layer of P2P proxy servers that communicate with the attacker by writing a sinkhole daemon that behaved like a bot. The daemon would send poisoned peer lists to the other bots it communicated with, specifically blacklisted sets of IP addresses, sending them toward a sinkhole and oblivion.
This article was updated to clarify comments made by Chris Mannon.
