The cybercriminals have also switched to .ru domains for malware distribution

Dec 12, 2012 09:47 GMT

At the beginning of 2012, we learned that the cybercriminals behind Kelihos managed to “resurrect” the botnet by using a new version of the Kelihos malware. In March, Kaspersky disabled over 100,000 bots, but that didn’t discourage the criminal group from updating it.

According to Abuse.ch, compared to the version that was making the rounds back in March, the variant seen this month comes with some significant improvements.

First of all, instead of utilizing .eu top-level domains for malware distribution, Kelihos now uses .ru domains. The switch appears to have been made sometime over the past summer, with the domains registered through a company called REGGI-RU.

Another interesting feature, implemented on October 10, 2012, allows the threat to spread via removable drives, such as USB sticks.

As in the old version, FastFlux domains and P2P networks are still utilized. Also, the sponsoring registrar for the name server domains is still the same: INTERNET.BS.

The services provided by the Bahamas-based company are used to register the domain names of the name servers that provide DNS resolution to the .ru domains.

Experts explain that Kelihos is still a highly efficient spam botnet – using up to 150,000 unique spamming IP addresses per day – because it’s not easy to shut down, its infection binaries are still undetected by many antivirus solutions, and it has a very effective way of spreading.

Its use of double FastFlux for the malware distribution domains, combined with its reliance on P2P for communications, makes it very difficult to disrupt.

In order to mitigate this threat, network administrators should ensure that operating systems are properly patched, restrict outbound SMTP connections, utilize port security on devices to prevent Kelihos from spreading, and restrict outbound connections to TCP port 80.

They’re also advised to restrict access to domain names hosted on dynamic IP addresses and to ones whose DNS servers are hosted on dynamic IP addresses.
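The double FastFlux pattern the article describes (the distribution domain's A records and the addresses of its name servers both churn with short TTLs) can be flagged from a series of DNS lookups. The following is an added example, not code from the article or from Abuse.ch; the sample lookups, names and RFC 5737 addresses are constructed, and the thresholds are assumptions a defender would tune.

```python
from typing import List, NamedTuple, Set


class Lookup(NamedTuple):
    """One observed DNS answer (constructed sample format, not a resolver API)."""
    name: str        # queried name
    rrtype: str      # "A" or "NS"
    answers: tuple   # IP addresses for A, hostnames for NS
    ttl: int         # TTL in seconds


def answer_stats(lookups: List[Lookup], name: str, rrtype: str):
    """Distinct answers and smallest TTL seen for one (name, type) across lookups."""
    seen: Set[str] = set()
    ttls: List[int] = []
    for lk in lookups:
        if lk.name == name and lk.rrtype == rrtype:
            seen.update(lk.answers)
            ttls.append(lk.ttl)
    return seen, (min(ttls) if ttls else None)


def is_fluxing(lookups, name, min_distinct=4, max_ttl=300):
    """A name fluxes if its A records churn (many distinct IPs) under a short TTL."""
    seen, ttl = answer_stats(lookups, name, "A")
    return len(seen) >= min_distinct and ttl is not None and ttl <= max_ttl


def classify(lookups, domain):
    """'double-flux' if the domain and all its name servers flux, 'single-flux' if only the domain does."""
    domain_flux = is_fluxing(lookups, domain)
    ns_hosts, _ = answer_stats(lookups, domain, "NS")
    ns_flux = bool(ns_hosts) and all(is_fluxing(lookups, ns) for ns in ns_hosts)
    if domain_flux and ns_flux:
        return "double-flux"
    return "single-flux" if domain_flux else "stable"


# Constructed samples: documentation address ranges and placeholder names that stand in
# for a distribution domain and its name servers; they are not real Kelihos indicators.
SAMPLES = [Lookup("flux.example", "NS", ("ns1.flux-ns.example", "ns2.flux-ns.example"), 3600)]
for i in range(6):  # six successive lookups, each returning a different set of IPs
    SAMPLES.append(Lookup("flux.example", "A", (f"203.0.113.{i}", f"203.0.113.{i + 10}"), 120))
    SAMPLES.append(Lookup("ns1.flux-ns.example", "A", (f"198.51.100.{i}",), 180))
    SAMPLES.append(Lookup("ns2.flux-ns.example", "A", (f"198.51.100.{i + 20}",), 180))
SAMPLES += [Lookup("static.example", "NS", ("ns.static.example",), 86400),
            Lookup("static.example", "A", ("192.0.2.10",), 86400),
            Lookup("ns.static.example", "A", ("192.0.2.53",), 86400)]

if __name__ == "__main__":
    for d in ("flux.example", "static.example"):
        print(d, classify(SAMPLES, d))
```

A domain classified as double-flux is a candidate for the dynamic-IP blocking the article recommends, since both the host and its DNS servers sit on rapidly changing addresses.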