Kelihos Botnet Disrupted as Russian Hacker is Arrested

The alleged operator of the Kelihos botnet has been arrested, as the DOJ aims to disrupt the botnet's spam and ransomware operations.

The U.S Department of Justice announced on April 10 that it has taken several steps to dismantle the Kelihos botnet, that has been actively attacking users around the world. Among the actions taken by the DOJ is the arrest of the alleged individual that was helping to operate the Kelihos botnet.

The DOJ complaint alleges that Russian citizen Peter Levashov is, "…one of the world's most notorious criminal spammers." Levashov was already known to the U.S law enforcement and had previously been charged in connection with operating the Storm botnet in 2009. Anti-spam organization Spamhaus ranks Levashov at number six, on its list of the world's ten worst spammers. Levashov was apprehended in Spain on April 9 at the behest of U.S law enforcement officials, in connection with his activities related to the Kelihos botnet. The DOJ complaint claims that since 2010, Levashov has been the operator of the Kelihos botnet, sending large volumes of spam globally as well as stealing user credentials.

According to the DOJ, there were several different methods used by Levashov and the Kelihos botnet to steal information.

"First, Kelihos searches text-based files stored on victim computers for email addresses," the DOJ complaint states. "Second, Kelihos searches locations on victim computers for files known to contain usernames and passwords, including files associated with Internet browsers Chrome, Firefox and Internet Explorer."

Passwords and associated email addresses collected by Kelihos were all transmitted back to Levashov. Additionally, the DOJ alleges that Kelihos also installs a packet capture utility called WinPCAP on infected machines, which captures network traffic from victims. With WinPCAP, Kelihos was able to discover additional username and password information, to further the botnet's spam and criminal activities. With all of its captured emails, the Kelihos botnet was also actively being used in ransomware campaigns as well. Levashov allegedly was selling the botnet as a service, to send ransomware emails, charging third-party attackers $500 per million emails.

Beyond just arresting Levashov, law enforcement has also taken actions to further disrupt the operations of the Kelihos botnet. The DOJ credits security vendor CrowdStrike, as well as The Shadow Server Foundation, with providing technical assistance in support of disrupting the Kelihos botnet.

"On April 8, 2017, we started the extraordinary task of blocking malicious domains associated with the Khelios botnet to prohibit further infections,"  FBI Special Agent Marlin Ritzman, said in a statement.

As part of the operation blocking the Kelihos botnet, the government is now redirecting infected systems to a substitute server. All the IP addresses of the systems that connect to the substitute server will be recorded, in an effort to help remove Kelihos malware from infected systems.

The Kehilos botnet has undergone several evolutions over the years and it has survived previous attempts to shut it down entirely as well. In September 2011, Microsoft received a court order to shut down Kelihos. In March 2012, security experts warned that despite legal actions and takedown attempts, the Kehilos botnet was still active. It remains to be seen whether this latest shutdown of Kelihos will keep the botnet out of operation for good, or if it will re-appear once again.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.