DOJ Disrupts Kelihos Botnet Blocking Domains and Making an Arrest | eWeek

Kelihos Botnet Disrupted as Russian Hacker is Arrested

Kelihos Botnet Disrupted as Russian Hacker is Arrested
Apr 11, 2017
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

The U.S Department of Justice announced on April 10 that it has taken several steps to dismantle the Kelihos botnet, that has been actively attacking users around the world. Among the actions taken by the DOJ is the arrest of the alleged individual that was helping to operate the Kelihos botnet.

The DOJ complaint alleges that Russian citizen Peter Levashov is, “…one of the world’s most notorious criminal spammers.” Levashov was already known to the U.S law enforcement and had previously been charged in connection with operating the Storm botnet in 2009. Anti-spam organization Spamhaus ranks Levashov at number six, on its list of the world’s ten worst spammers. Levashov was apprehended in Spain on April 9 at the behest of U.S law enforcement officials, in connection with his activities related to the Kelihos botnet. The DOJ complaint claims that since 2010, Levashov has been the operator of the Kelihos botnet, sending large volumes of spam globally as well as stealing user credentials.

According to the DOJ, there were several different methods used by Levashov and the Kelihos botnet to steal information.

“First, Kelihos searches text-based files stored on victim computers for email addresses,” the DOJ complaint states. “Second, Kelihos searches locations on victim computers for files known to contain usernames and passwords, including files associated with Internet browsers Chrome, Firefox and Internet Explorer.”

Passwords and associated email addresses collected by Kelihos were all transmitted back to Levashov. Additionally, the DOJ alleges that Kelihos also installs a packet capture utility called WinPCAP on infected machines, which captures network traffic from victims. With WinPCAP, Kelihos was able to discover additional username and password information, to further the botnet’s spam and criminal activities. With all of its captured emails, the Kelihos botnet was also actively being used in ransomware campaigns as well. Levashov allegedly was selling the botnet as a service, to send ransomware emails, charging third-party attackers $500 per million emails.

Beyond just arresting Levashov, law enforcement has also taken actions to further disrupt the operations of the Kelihos botnet. The DOJ credits security vendor CrowdStrike, as well as The Shadow Server Foundation, with providing technical assistance in support of disrupting the Kelihos botnet.

“On April 8, 2017, we started the extraordinary task of blocking malicious domains associated with the Khelios botnet to prohibit further infections,”  FBI Special Agent Marlin Ritzman, said in a statement.

As part of the operation blocking the Kelihos botnet, the government is now redirecting infected systems to a substitute server. All the IP addresses of the systems that connect to the substitute server will be recorded, in an effort to help remove Kelihos malware from infected systems.

The Kehilos botnet has undergone several evolutions over the years and it has survived previous attempts to shut it down entirely as well. In September 2011, Microsoft received a court order to shut down Kelihos. In March 2012, security experts warned that despite legal actions and takedown attempts, the Kehilos botnet was still active. It remains to be seen whether this latest shutdown of Kelihos will keep the botnet out of operation for good, or if it will re-appear once again.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.