Showing posts with label Kelihos Botnet.

90+ Russian Malicious domains used by Kelihos group taken down by Malware Must Die

Exclusive: Malware Must Die (MMD), a team dedicated to malware analysis and research, has taken down more than 90 Russian domains that had been confirmed as malicious.

The takedown is part of their ongoing "Operation Tango Down", in which malicious domains are deactivated with the help of the relevant authorities and registrars. Several malware domains have already been suspended under it.

Today, MMD announced that 97 .ru domains serving the notorious Kelihos Trojan through the Red Kit exploit kit have been shut down.

[Image: suspended malicious .ru domains. Image credit: E Hacking News]

According to the blog post, "the Kelihos Trojan was distributed (mainly) from East European (Ukrainian, Latvian, Belarusian, Russian) and Asian servers (Japan, Korea, Taiwan and Hong Kong) as the secondary layers, while also using scattered hacked machines worldwide".

Further details and the full list of suspended domains are on their blog: http://malwaremustdie.blogspot.jp
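A list of suspended domains like the one MMD published is only useful to defenders if it is checked against traffic. The script below is an added example, not code from the original post or from Malware Must Die: it matches resolver query logs against a blocklist, treating any subdomain of a listed domain as a hit (a botnet that registers hundreds of throwaway subdomains under one parent would otherwise slip past an exact-match list). The blocklist entries, the BIND-style log lines and the client addresses are constructed placeholders, not the real indicators from MMD's list.

```python
"""Match DNS query logs against a takedown/blocklist of malicious domains.

Added example; the domains and log lines are constructed placeholders and
are NOT the 97 .ru domains MMD actually suspended.
"""
import re
from collections import Counter

# Constructed blocklist (placeholders, not real indicators).
BLOCKLIST = [
    "bad-example-1.ru",
    "bad-example-2.ru",
    "payload-host.example",
]


def normalise(host):
    """Lower-case, strip surrounding whitespace and a trailing root dot."""
    return host.strip().rstrip(".").lower()


def build_matcher(domains):
    """Return a function that maps a queried name to the listed domain it
    falls under (exact match or any subdomain), or None if not listed.
    Suffix matching is done label by label so that 'notbad-example-1.ru'
    does not match 'bad-example-1.ru' the way a naive endswith() would."""
    listed = {normalise(d) for d in domains}

    def is_listed(qname):
        labels = normalise(qname).split(".")
        # Walk from the full name up through each parent domain.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in listed:
                return candidate
        return None

    return is_listed


# Constructed log lines in a BIND-style query-log format (placeholder data).
SAMPLE_LOG = """\
12-Mar-2013 10:01:02.123 client 10.0.0.5#51234: query: www.example.org IN A + (10.0.0.1)
12-Mar-2013 10:01:03.456 client 10.0.0.7#51235: query: cdn.bad-example-1.ru IN A + (10.0.0.1)
12-Mar-2013 10:01:04.789 client 10.0.0.7#51236: query: bad-example-2.ru. IN A + (10.0.0.1)
12-Mar-2013 10:01:05.000 client 10.0.0.9#51237: query: notbad-example-1.ru IN A + (10.0.0.1)
"""

# Pulls the source client and the queried name out of a BIND query-log line.
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_log(text, domains=BLOCKLIST):
    """Return (hits, per_client): hits is a list of
    (client_ip, queried_name, matched_listed_domain) tuples in log order,
    per_client counts hits per source address so noisy hosts stand out."""
    is_listed = build_matcher(domains)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line we understand; skip it
        matched = is_listed(m.group("qname"))
        if matched:
            hits.append((m.group("client"), normalise(m.group("qname")), matched))
    per_client = Counter(client for client, _, _ in hits)
    return hits, per_client


if __name__ == "__main__":
    hits, per_client = scan_log(SAMPLE_LOG)
    for client, qname, matched in hits:
        print(f"{client} queried {qname} (listed under {matched})")
    print(dict(per_client))
```

On the sample data this reports two hits, both from 10.0.0.7 (the subdomain of one listed domain and the exact match with a trailing root dot), and ignores the look-alike "notbad-example-1.ru". Hosts that keep resolving suspended domains after a takedown are exactly the still-infected machines the other posts on this page warn about.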

Kelihos/Hlux botnet comeback with new Techniques


Microsoft and Kaspersky Lab took down the Kelihos botnet last September by sinkholing it, but Kaspersky Lab now reports that Kelihos has come back in a new guise.

The earlier version of the Kelihos botnet had reportedly infected more than 41,000 computers around the world. It was not as large as the Rustock botnet, but it was capable of sending up to 3.8 billion spam mails per day.

Recently, Kaspersky Lab came across new samples of Kelihos that use new techniques: this variant has updated encryption keys and algorithms, so the keys and protocol knowledge used in the original sinkholing no longer apply to it.

After investigating the malware samples, Kaspersky Lab came to the following conclusion: "It is impossible to neutralize a botnet by taking control over the controller machines or substituting the controller list without any additional actions. The botnet master might know the list of active router IPs, can connect to them directly and push the bot update again along with the new controllers list."

"We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end." Kaspersky Lab says.

Kelihos botnet suspect "Andrey Sabelnikov" proclaims innocence

Andrey Sabelnikov, a Russian man accused by Microsoft of being behind the Kelihos botnet attacks, said on Friday that he is innocent.

A few days earlier, Microsoft had said that the 31-year-old software engineer, a resident of St Petersburg, created the Kelihos malware and used it to control, operate, maintain and grow the Kelihos botnet.

"I did not commit this crime, have never participated in the management of botnets or any other similar programs, and especially have not extracted any benefit from it," said Sabelnikov in a LiveJournal post.

Microsoft said it stood by the accusation it made earlier this month.

"As this is a case pending in court, we cannot comment further except to say that we look forward to seeing Mr Sabelnikov in court so we can continue this discussion," said Richard Boscovich, senior attorney for Microsoft's Digital Crime Unit.

Microsoft identifies a new operator of Kelihos botnet

After four months of investigation into the Kelihos botnet, Microsoft has identified a new defendant who is allegedly responsible for the botnet's operations.

Andrey Sabelnikov, a software engineer and project manager at a company that provided firewall, antivirus and security software, and a resident of St Petersburg, Russia, has been named in an amended complaint filed with a U.S. District Court by Microsoft's Digital Crimes Unit.


According to the complaint, Sabelnikov allegedly registered ,723 "cz.cc" subdomains and misused them as command-and-control points for the botnet.

According to Sabelnikov's public LinkedIn profile, from 2005 to 2007 he was an employee of Agnitum, a Russian security firm well known for its firewall software.

Microsoft shut down the Kelihos botnet with its partners Kyrus Tech Inc. and Kaspersky Lab in September. At that time Kelihos comprised about 41,000 infected computers worldwide, capable of sending up to 3.8 billion spam mails per day. Even though the botnet's infrastructure was taken down, many of those computers are still infected with the malware; a takedown cuts the controllers off but does not clean the bots, so use Microsoft's security tools to scan your system.