The US Justice Department has launched a coordinated takedown operation to disrupt and dismantle the Kelihos botnet (also known as Waledac). The operation follows on from the arrest in Spain of a Russian man, Peter Levashov, whom the FBI alleges is the mastermind behind Kelihos and “one of the world's most notorious criminal spammers.”
As part of the takedown operation, the FBI has obtained permission to sinkhole Kelihos-infected computers and log their IP addresses, which will be passed on to “those who can assist with removing the Kelihos malware” including internet service providers. In addition to this, the FBI has also been blocking domains associated with Kelihos to prevent further infections.
Symantec has been actively monitoring Kelihos for a number of years and can confirm that it unexpectedly ceased its spamming operations on Friday, April 7. Prior to its falling quiet, Kelihos had been involved in two spam campaigns, promoting pharmaceutical products and a Bitcoin exchange. It has also been involved in a long-running phishing campaign designed to steal banking credentials.
Resilient threat that has survived several takedown attempts
Kelihos/Waledac has been active since 2008. In that time, its main area of activity has been spamming operations, but it has also been involved in a range of other malicious activity such as downloading and running executables, acting as a network proxy, collecting credentials from compromised computers, and performing denial of service (DoS) attacks.
On several occasions, the botnet has been severely disrupted by takedown attempts but always managed to rebuild itself and return. Its original incarnation was the subject of a Microsoft-led takedown operation in 2010 in which hundreds of command and control (C&C) domains were seized.
The botnet’s controllers rebuilt its operations before it was hit by a second takedown in September 2011. Kelihos once again re-emerged only to be hit by a coordinated sinkholing operation in 2012 in which a significant number of infected computers were freed from the botnet’s control.
Persistent offender linked to multiple campaigns
In the aftermath of this takedown, Kelihos once again rebuilt its operations and regained its position as one of the cybercrime underground’s biggest spamming operations. Its activities have repeatedly come to Symantec’s attention in recent years. For example, it was quick to capitalize on the celebrity iCloud photo leak, almost immediately launching a phishing email campaign aimed at luring victims into disclosing their Apple IDs and passwords. It sent waves of spam emails purporting to be from Apple, informing the victim that a purchase had been made using their account on the iTunes Store. The email said that the victim’s account had been used to purchase a film on a computer or device that hadn’t previously been linked to their Apple ID. It seemed likely the controllers of the botnet were attempting to exploit public fears about the security of Apple IDs to lure people into surrendering their credentials.
In January 2016, Symantec highlighted Kelihos's role in a pump and dump stock spam campaign that potentially led to a 100 percent gain in the targeted stock price. Starting on November 7, 2015, Kelihos dispatched daily spam runs promoting the stock of marijuana cultivation company Indie Growers Association (stock symbol: UPOT) over an 11-day period. By the end of the spam campaign, the stock price had risen from US$0.08 to $0.16 before following the usual pump and dump pattern of dropping off in price once again.
Down, but is it out?
Over the past nine years, Kelihos has been a major presence on the cybercrime scene, featuring in major spam campaigns and a range of malicious activity.
The botnet has already survived a number of takedown attempts and, while Kelihos appears to have gone silent in the aftermath of this operation, time will tell whether it has finally been dealt a fatal blow.
Customers of Symantec’s Cloud email security service are protected against these spam messages. Symantec and Norton products detect Kelihos/Waledac samples through the following detections:
Intrusion prevention system