PINDROP BLOG

FBI Disrupts Notorious Kelihos Botnet

The Justice Department has disrupted the Kelihos botnet, one of the more prolific and long-running spam and malware networks, by sinkholing the botnet’s command-and-control traffic after the arrest of a Russian man officials allege is Kelihos’s operator.

The botnet has been operating since at least 2010 and has infected hundreds of thousands of computers around the world, mainly in the service of a massive spam operation. Kelihos has been responsible for a large slice of the spam clogging the Internet for many years, and officials at the Justice Department on Monday filed a civil complaint against Peter Yuryevich Levashov, who was arrested last weekend in Spain. The complaint accuses Levashov of running Kelihos and using infected computers as part of his spam business.

“The Defendant is one of the world’s most notorious criminal spammers who was first indicted in the Eastern District of Michigan for email and wire fraud more than a decade ago. The charges arose out of the Defendant’s use of illegal spam to promote pump-and-dump penny stock schemes. In 2009, the Defendant was again the subject of criminal charges, this time in the District of Columbia. The D.C. criminal complaint charges the Defendant with computer fraud violations arising from his operation of the ‘Storm’ botnet, a predecessor to Kelihos that was also used to distribute illegal spam,” the complaint says.

As part of the operation against Kelihos, the Justice Department took down the C2 servers used to control the botnet and redirected infected machines to a sinkhole, so the malware on those machines can no longer receive new commands. The complaint against Levashov alleges that he used the malware installed on compromised machines to harvest victims’ usernames and passwords, which he then used to access victims’ email and other accounts. Kelihos also was used from time to time to push ransomware and banking Trojans onto infected machines, either directly or through malicious email attachments.
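The sinkholing described above works in two directions: a resolver under the defenders’ control answers lookups for the botnet’s rendezvous names with an address the defenders own, which starves the bots of commands, and the log of who asked for those names becomes a list of infected hosts to notify or clean. The following is an added example written for this article, not code from Pindrop or from the FBI’s operation, and it does not reproduce Kelihos’s actual protocol. The domain names, the 192.0.2.53 sinkhole address, the upstream answers and the query log are all constructed for illustration.

```python
"""DNS sinkhole model: answer queries for known C2 names with a sinkhole
address and record which clients asked, so the sinkhole doubles as an
infected-host detector.

Added example for this article, not code from Pindrop or from the
Kelihos operation. All domain names, addresses and log lines below are
constructed for illustration and are not Kelihos infrastructure.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Sinkhole address (assumption: a TEST-NET-1 address standing in for a
# host the defenders control).
SINKHOLE_IP = "192.0.2.53"

# Constructed list of C2 names to sinkhole; a real deployment would load a
# vetted indicator list. Subdomains of these names are sinkholed too.
SINKHOLED_NAMES: Set[str] = {
    "update.c2-example.invalid",
    "cdn.c2-example.invalid",
}

# Constructed stand-in for upstream resolution of benign names.
UPSTREAM: Dict[str, str] = {"www.example.com": "93.184.216.34"}

# Constructed resolver query log: "<client ip> <queried name>" per line.
QUERY_LOG = """\
10.0.0.7 update.c2-example.invalid.
10.0.0.8 www.example.com
10.0.0.9 x.cdn.c2-example.invalid
10.0.0.7 Update.C2-Example.invalid
10.0.0.8 nope.example.org
"""


def normalize(qname: str) -> str:
    """Canonical form for matching: lowercase, no trailing dot."""
    return qname.rstrip(".").lower()


class Sinkhole:
    def __init__(self, sinkholed: Set[str], upstream: Dict[str, str],
                 sink_ip: str = SINKHOLE_IP) -> None:
        self.sinkholed = {normalize(n) for n in sinkholed}
        self.upstream = upstream
        self.sink_ip = sink_ip
        # client ip -> list of sinkholed names it asked for
        self.hits: Dict[str, List[str]] = defaultdict(list)

    def is_sinkholed(self, qname: str) -> bool:
        """True if qname or any parent domain of it is on the sinkhole list."""
        labels = normalize(qname).split(".")
        return any(".".join(labels[i:]) in self.sinkholed
                   for i in range(len(labels)))

    def resolve(self, client_ip: str, qname: str) -> Tuple[Optional[str], bool]:
        """Return (answer, was_sinkholed). Sinkholed names get the sinkhole
        address and the client is recorded; other names go upstream."""
        name = normalize(qname)
        if self.is_sinkholed(name):
            self.hits[client_ip].append(name)
            return self.sink_ip, True
        return self.upstream.get(name), False

    def infected_hosts(self) -> Dict[str, List[str]]:
        """Clients that asked for a sinkholed name, with the names they asked for."""
        return {ip: sorted(set(names)) for ip, names in self.hits.items()}


def make_sinkhole() -> Sinkhole:
    return Sinkhole(SINKHOLED_NAMES, UPSTREAM)


def replay_log(log: str = QUERY_LOG) -> Dict[str, List[str]]:
    """Feed a query log through the sinkhole and return the infected-host report."""
    sink = make_sinkhole()
    for line in log.splitlines():
        if not line.strip():
            continue
        client_ip, qname = line.split()
        sink.resolve(client_ip, qname)
    return sink.infected_hosts()


if __name__ == "__main__":
    for ip, names in sorted(replay_log().items()):
        print(f"{ip} -> {', '.join(names)}")
```

Matching is done on whole labels, so `x.cdn.c2-example.invalid` is caught as a child of a listed name while an unrelated name that merely contains the string is not. The report from `replay_log` is the part an incident responder actually uses: each entry is a host that tried to reach the botnet after the takeover and still needs cleaning.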

“In addition to using Kelihos to distribute spam, the Defendant also profits by using Kelihos to directly install malware on victim computers. During FBI testing, Kelihos was observed installing ransomware onto a test machine, as well as ‘Vawtrak’ banking Trojan (used to steal login credentials used at financial institutions), and a malicious Word document designed to infect the computer with the Kronos banking Trojan,” the complaint says.

Justice Department officials said the disruption of Kelihos should have a major effect on the distribution of spam and malware.

“The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks. The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Kenneth A. Blanco.

Image: Kellinahandbasket, CC BY license.