Researchers are tracking a new version of the Kelihos botnet, one that comes complete with better resistance to sinkholing techniques and a feature that enables it to remain dormant on infected machines for long periods to help avoid detection. The botnet also is using an advanced fast-flux capability to hide the domains it uses for command-and-control and malware distribution.
This is the third time the Kelihos botnet has reared its head. In the first two instances, security researchers were able to sinkhole the domains that Kelihos was using, effectively crippling the attackers’ ability to communicate with infected machines. The first Kelihos botnet takedown in 2011 was a joint effort between Kaspersky Lab and Microsoft, and the teams were able to reverse-engineer the communications protocol that the bots use. Kelihos, also known as Hlux, is a peer-to-peer botnet, meaning that there is no central server or set of servers handing out new commands to the bots.
Rather, the network relies on a complex system that governs which domains the bots contact in order to get new malware samples, instructions and other information. Researchers at FireEye and Deep End Research have been analyzing new samples of the malware used in the Kelihos network and say that the botnet is back on the rise. Once the malicious code is on a machine, it calls out to a domain in Russia. The malware, known as Trojan Nap, then sets a 10-minute timeout on a sleep call, so that it does nothing for that period before continuing.
“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.
Kaspersky Lab researchers have been analyzing the malware and the botnet’s structure and have found that at about midday on Monday, there were more than 8,500 unique IP addresses behind wowrizep.ru, one of the Russian domains being used by the Kelihos botnet for fast-flux operations. That number isn’t exact, though, as there could be many IPs behind NAT devices.
The malware is designed to perform a variety of different functions, including stealing passwords saved in browsers, sending spam, stealing passwords from various FTP applications and stealing Bitcoin data. The domains used in the operation are located in Russia, and they resolve to a different IP address each time a bot connects.
“The two domains, ‘wowrizep.ru’ and ‘cagremub.ru,’ appear to be a part of the fast flux network. Normally, fast flux networks are used when the attacker wants to be extra careful to hide their identity. In contrast to a typical fast flux setup where multiple IPs are returned in a DNS response, this one returns a single IP, which looks like another attempt to appear normal,” the FireEye researchers said.
“After the first execution, the downloaded code resets the permission to hide itself and opens high TCP ports for listening. Some of the ports that we have observed are 49163, 49172, and 49175. It then communicates to the external domains.”
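The single-IP-per-response behaviour the FireEye researchers describe defeats the simplest fast-flux check (many A records in one answer), but it still shows up when a resolver's answers for the same name are tracked over time. The following script is an added illustration of that defender-side heuristic and is not tooling from FireEye, Kaspersky Lab or the article; the log line format, the thresholds, the sample records and the use of /16 prefixes as a stand-in for network diversity are all assumptions. The IP addresses are constructed from RFC 5737 documentation ranges, and the only name taken from the article is wowrizep.ru.

```python
"""Fast-flux heuristic over DNS resolver logs (constructed example).

A domain is flagged when repeated lookups return many distinct IPs,
spread across several networks, with short TTLs. A round-robin CDN
name that rotates through one /24 is deliberately not flagged, which
is why prefix diversity is checked alongside the raw IP count.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample resolver log lines; the format is an assumption.
SAMPLE_LOG = """\
2013-02-04T12:00:01Z qname=wowrizep.ru answer=192.0.2.17 ttl=60
2013-02-04T12:01:03Z qname=wowrizep.ru answer=198.51.100.9 ttl=60
2013-02-04T12:02:10Z qname=wowrizep.ru answer=203.0.113.44 ttl=60
2013-02-04T12:03:15Z qname=wowrizep.ru answer=192.0.2.201 ttl=60
2013-02-04T12:04:20Z qname=wowrizep.ru answer=198.51.100.130 ttl=60
2013-02-04T12:05:25Z qname=wowrizep.ru answer=203.0.113.199 ttl=60
2013-02-04T12:00:05Z qname=intranet.example.com answer=192.0.2.10 ttl=3600
2013-02-04T12:30:05Z qname=intranet.example.com answer=192.0.2.10 ttl=3600
2013-02-04T12:00:07Z qname=cdn.example.net answer=203.0.113.1 ttl=30
2013-02-04T12:00:37Z qname=cdn.example.net answer=203.0.113.2 ttl=30
2013-02-04T12:01:07Z qname=cdn.example.net answer=203.0.113.3 ttl=30
2013-02-04T12:01:37Z qname=cdn.example.net answer=203.0.113.4 ttl=30
2013-02-04T12:02:07Z qname=cdn.example.net answer=203.0.113.5 ttl=30
"""

LINE_RE = re.compile(r"qname=(?P<qname>\S+) answer=(?P<answer>\S+) ttl=(?P<ttl>\d+)")


@dataclass
class DomainStats:
    """Everything observed for one queried name."""
    answers: set = field(default_factory=set)    # distinct answer IPs
    prefixes: set = field(default_factory=set)   # distinct /16 networks
    ttls: list = field(default_factory=list)     # TTL of each answer


def parse_log(text):
    """Aggregate per-domain answer statistics from resolver log text."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip = ipaddress.ip_address(m["answer"])
        s = stats[m["qname"]]
        s.answers.add(ip)
        # /16 is a crude proxy for "different network"; an ASN lookup
        # would be the production choice.
        s.prefixes.add(ipaddress.ip_network(f"{ip}/16", strict=False))
        s.ttls.append(int(m["ttl"]))
    return stats


def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=300):
    """Thresholds are assumptions; tune them against local baseline traffic."""
    return (len(s.answers) >= min_ips
            and len(s.prefixes) >= min_prefixes
            and max(s.ttls) <= max_ttl)


def flagged_domains(text):
    """Return the sorted list of names that trip the heuristic."""
    return sorted(d for d, s in parse_log(text).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in parse_log(SAMPLE_LOG).items():
        print(f"{name:22} ips={len(s.answers)} nets={len(s.prefixes)} "
              f"flux={is_fast_flux(s)}")
```

Run against the sample, only wowrizep.ru is flagged: six answers spread over three /16s with 60-second TTLs. The CDN name also rotates five addresses on a short TTL but stays inside one network, and the intranet name never changes, so neither trips the check. In practice the same aggregation would run over a passive-DNS feed or resolver query logs, with the prefix test replaced by an ASN lookup.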
This iteration of the Kelihos botnet is a new version of the network and not a case of the older infrastructure coming back to life. There was a second version of Kelihos that emerged last year, a few months after the first takedown operation. The second takedown of Kelihos happened in March.