Threat Research & Response Blog
For the month of September, Microsoft is adding the Win32/Kelihos family to a second release of the Malicious Software Removal Tool. This additional release supports the most recent action in Project MARS, Operation b79, which targets the Kelihos botnet. Operation b79 builds on the successes of the Rustock and Waledac takedowns. Alongside our technical measures, this operation extends our previous legal tactics: for the first time, we are naming a defendant in a civil case involving a botnet. The intent is to send a strong message to online criminals that accountability still applies on the Internet, and that our goal is to make online crime riskier and more expensive for those involved. You can see more details on the legal aspects of this operation in the blog of our partners in the Microsoft Digital Crimes Unit.
The Win32/Kelihos malware family distributes spam email messages that may contain links to web sites serving installers of Kelihos itself. It may also communicate with remote computers to exchange information that it uses to execute various tasks such as bootstrapping to the botnet, sending spam emails promoting bogus products or services, stealing sensitive information, or downloading and executing arbitrary files.
Figure 1 below shows the monthly reported counts from our telemetry for the Win32/Kelihos family. It made a big bang around the holidays last year by launching a holiday-themed spam campaign that distributed e-cards containing malicious links pointing to servers hosting Kelihos installers. As you can see in the chart, ever since then, it’s been slowly trying to grow in size.
Figure 1 Win32/Kelihos Detection Reports
We have observed Win32/Kelihos protecting itself with several techniques, including server-side polymorphism, encrypted communication (a sample of which is shown in Figure 2), fast-flux, and dynamic reconfiguration. Moreover, it maintains a persistent connection to the botnet using an updatable peer list. It can also update itself, so that it can run new or improved versions of itself and perform any additional tasks it is given. In our investigation of this botnet's command and control infrastructure, and as we allege in our complaint, we identified more than 3,700 subdomains being hosted in the Czech Republic by a single hosting provider. This same provider had more than 215,000 subdomains hosting malware. In May 2011, Google temporarily blocked more than 200,000 of these but reinstated the subdomains after the defendant allegedly corrected the problem.
Figure 2 Encrypted Communication
To avoid detection by antivirus and other security products, the binaries distributed by Win32/Kelihos are also wrapped in obfuscators that use anti-emulation tricks. In addition, Kelihos randomizes the header values of its HTTP request messages to make them harder for NIS/IPS products to catch: besides randomizing the names of the .htm files it requests, Kelihos has taken to using a different User-Agent string for each subsequent message.
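The per-request User-Agent rotation described above is itself a detectable anomaly: a workstation normally presents one or two HTTP clients, not a fresh one on every request. The following is an added example (not code from the original post) that runs this check over a few constructed proxy log lines and reports clients whose User-Agent changes on most of their requests, along with how many distinct .htm names they fetched.

```python
import re
from collections import defaultdict

# Constructed proxy log: time, client IP, method, URL, quoted User-Agent (all made up).
LOG_LINES = """\
2011-09-20T10:00:01 10.0.0.5 GET http://198.51.100.7/kx81a.htm "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2011-09-20T10:00:09 10.0.0.5 GET http://198.51.100.7/q7m0p.htm "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
2011-09-20T10:00:17 10.0.0.5 GET http://198.51.100.7/zz4tr.htm "Opera/9.80 (Windows NT 5.1) Presto/2.2.15"
2011-09-20T10:00:26 10.0.0.5 GET http://198.51.100.7/b2nfe.htm "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2011-09-20T10:00:03 10.0.0.9 GET http://203.0.113.20/index.htm "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0"
2011-09-20T10:00:40 10.0.0.9 GET http://203.0.113.20/news.htm "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0"
2011-09-20T10:01:02 10.0.0.9 GET http://203.0.113.21/about.htm "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0"
""".splitlines()

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def summarize(lines):
    """Per client IP: request count, distinct User-Agents, distinct .htm names."""
    stats = defaultdict(lambda: {"requests": 0, "agents": set(), "htm_names": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _time, client, _method, url, agent = m.groups()
        path = url.split("://", 1)[-1].partition("/")[2]
        s = stats[client]
        s["requests"] += 1
        s["agents"].add(agent)
        if path.lower().endswith(".htm"):
            s["htm_names"].add(path)
    return stats

def flag_ua_churn(lines, min_agents=3, min_ratio=0.75):
    """Flag clients that present at least min_agents distinct User-Agent strings
    and change agent on most requests (agents / requests >= min_ratio). A real
    workstation runs one or two HTTP clients; a bot rotating the header per
    message, as Kelihos does, trips this."""
    flagged = {}
    for client, s in summarize(lines).items():
        ratio = len(s["agents"]) / s["requests"]
        if len(s["agents"]) >= min_agents and ratio >= min_ratio:
            flagged[client] = {"agents": len(s["agents"]), "htm_names": len(s["htm_names"])}
    return flagged
```

On the constructed log, 10.0.0.5 is flagged (four agents over four requests, four random .htm names) while 10.0.0.9, a single browser visiting ordinary pages, is not.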
Over the past months, Kelihos has launched various spam campaigns promoting scams or dubious products. Because its email templates and lists are reconfigurable, Kelihos can easily update its spam runs, which is also why more than one spam campaign can be running in the Kelihos botnet at any given time. Figure 3 below shows an example of a spam email template that was being distributed in the Kelihos botnet at the time of writing this blog post:
Received: from unknown (HELO %^C6%^I^%.%^I^%.%^I^%.%^I^%^%) ([%^V6^%])
  by %^A^% with ESMTP; %^D%^R20-300^%^%
Message-ID: <%^O%^V6^%:%^R3-50^%^%%^V0^%>
From: "%^Fmynames^% %^Fsurnames^%" <%^Fnames^%@%^Fdomains^%>
To: <%^0^%>
Subject: %^Fskli_subj^%
Date: %^D-%^R30-600^%^%
MIME-Version: 1.0
Content-Type: text/plain;
  format=flowed;
  charset="KOI8-R";
  reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%

Новости из Беларуси:
- политика и экономика
- общество и культура
- акции и забастовки
- фотохроника
и многое другое: %^Fskli_link^%
Figure 3 Spam Email Template
The above template was used to distribute spam containing links to the website of a political activist group in Eastern Europe; its KOI8-R body advertises news from Belarus (politics and the economy, society and culture, rallies and strikes, a photo chronicle) and ends with the link macro.
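Because every message generated from the template above shares the same fixed skeleton around the %^...^% macros, the template itself can serve as a mail-filter signature. The following is an added example, not code from the original post: it reduces a header excerpt of the Figure 3 template to a regular expression (fixed text matched literally, each macro, nested ones included, matched as any text to end of line) and tests a constructed header block against it. The sample message values are made up.

```python
import re

# Excerpt of the Kelihos spam template from Figure 3 (header part only);
# %^...^% macros, some nested, are filled in by the bot for each message.
TEMPLATE = """\
Subject: %^Fskli_subj^%
Date: %^D-%^R30-600^%^%
MIME-Version: 1.0
Content-Type: text/plain;
    format=flowed;
    charset="KOI8-R";
    reply-type=original
X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%
"""

# Constructed header block as the template would emit it (all values made up).
SAMPLE_MESSAGE = """\
Subject: Novosti iz Belarusi
Date: Thu, 22 Sep 2011 09:15:32 +0300
MIME-Version: 1.0
Content-Type: text/plain;
    format=flowed;
    charset="KOI8-R";
    reply-type=original
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
"""

INNERMOST_MACRO = re.compile(r"%\^[^%^]*\^%")  # a macro with no macro nested inside
HOLE = "\x00"  # stands in for "some bot-generated text" while building the pattern

def strip_macros(template):
    """Replace every %^...^% macro with HOLE, working from the innermost outward."""
    prev = None
    while prev != template:
        prev, template = template, INNERMOST_MACRO.sub(HOLE, template)
    while HOLE * 2 in template:  # adjacent macros collapse into one hole
        template = template.replace(HOLE * 2, HOLE)
    return template

def template_to_regex(template):
    """Fixed text must match literally; each hole matches non-empty text to end of line."""
    literals = [re.escape(p) for p in strip_macros(template.rstrip("\n")).split(HOLE)]
    return re.compile("[^\n]+".join(literals))

def matches_template(raw_message, pattern):
    """True if the message's header block has exactly the template's skeleton."""
    headers = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0].rstrip("\n")
    return pattern.fullmatch(headers) is not None
```

Changing any fixed value, such as the KOI8-R charset or the Outlook Express version prefix, breaks the match, while any subject, date or build number in the macro positions is accepted.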
Another Kelihos payload steals sensitive information from the compromised computer, including harvesting email addresses, FTP login credentials and Bitcoin wallets, among other things. Our investigation also revealed that in addition to hosting Kelihos, the defendants' cz.cc domain had previously been investigated for delivering MacDefender, a type of rogue security software that targets Apple's operating system.
It is interesting to note that the Kelihos botnet shares significant code similarities with the Win32/Waledac botnet (Waledac was the target of our first Project MARS action, Operation b49). These similarities have led some to refer to Kelihos as "Waledac 2.0". While similar to Waledac, the Kelihos botnet is more complicated in many ways. In spite of this complexity, we are hopeful that we will disrupt a meaningful portion of the botnet in addition to naming a defendant. Both are important steps towards deterring online crime globally.
If you believe a computer under your care may be infected with Kelihos or other malicious software, we recommend that you use antivirus software from a provider you trust. You can find information about Project MARS as well as additional support information at http://support.microsoft.com/botnets.