Kelihos, the peer-to-peer botnet, keeps coming up with new capabilities that enable it to continue growing and pushing spam, harvesting credentials and even stealing Bitcoins.
Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim’s IP address has previously been a spam source or a proxy. A CBL is a blacklist of IP addresses known to be participating in spreading spam or malware.
“Personally, I haven’t seen anything ever use a composite blocking list before, but it’s not unheard of with other types of malware,” said Zscaler security researcher Chris Mannon. “A lot of Trojans or viruses will ping legitimate services to gain more information about a victim.”
Since security researchers often share intelligence data such as this, an attacker knows that if an IP address passes muster with one service, it likely would do so with most others.
“The attacker will know whether the victim is known to the security community. We share everything, that’s part of what these services are about. I can look up anything to determine if it’s bad,” Mannon said. “If an attacker has found a victim with a good IP reputation, then they can sully it by spamming from that location.”
Right now Kelihos is taking advantage of Spamhaus, the Mail Abuse Prevention System, and a few other free vendor blacklist services.
“I know that if Spamhaus hasn’t blocked the victim IP yet, I know the other services won’t block it either; then the botnet could spam from that location,” Mannon said.
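From the defender's side, the behaviour described above has a visible footprint: a DNSBL lookup is an ordinary DNS query for the victim's own public IP address with its octets reversed, prefixed to the list's zone (for example, a check of 1.2.3.4 against Spamhaus is a query for 4.3.2.1.zen.spamhaus.org). Mail relays legitimately make such queries; a workstation checking its own address against several lists in quick succession does not. The following is an added example, not code from the article, Zscaler or any of the researchers quoted: it scans a constructed BIND-style query log, decodes each DNSBL lookup back to the address being checked, and groups the lookups by querying host after dropping an assumed allowlist of mail relays. The log format, the `MAIL_RELAYS` allowlist and the choice of zones in `DNSBL_ZONES` are assumptions for the example; the zone names themselves are real public lists.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: hosts that legitimately query DNSBLs (mail relays) on this network.
MAIL_RELAYS = {"10.0.0.25"}

# Public DNSBL zones (real zone names; which zones to watch is an assumption).
DNSBL_ZONES = (
    "zen.spamhaus.org",
    "sbl.spamhaus.org",
    "xbl.spamhaus.org",
    "pbl.spamhaus.org",
    "cbl.abuseat.org",
    "bl.spamcop.net",
)

# Constructed sample log in a simplified BIND-querylog-like format:
# "<timestamp> client <src_ip>#<port>: query: <qname> IN <qtype>"
SAMPLE_LOG = """\
12-Jun-2013 10:01:02.123 client 10.0.0.25#51234: query: 44.33.22.11.zen.spamhaus.org IN A
12-Jun-2013 10:01:03.456 client 10.0.1.17#49152: query: www.example.com IN A
12-Jun-2013 10:01:04.789 client 10.0.1.17#49153: query: 9.8.7.203.zen.spamhaus.org IN A
12-Jun-2013 10:01:05.001 client 10.0.1.17#49154: query: 9.8.7.203.bl.spamcop.net IN A
12-Jun-2013 10:01:06.222 client 10.0.1.42#49155: query: mail.example.com IN MX
12-Jun-2013 10:01:07.333 client 10.0.1.42#49156: query: 9.8.7.203.cbl.abuseat.org IN A
"""

LOG_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_dnsbl_query(qname):
    """Return (checked_ip, zone) if qname is a DNSBL lookup, else None.

    DNSBL lookups encode the IPv4 address under test with its octets reversed
    in front of the list zone, e.g. 4.3.2.1.zen.spamhaus.org checks 1.2.3.4.
    """
    name = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        suffix = "." + zone
        if not name.endswith(suffix):
            continue
        octets = name[: -len(suffix)].split(".")
        if len(octets) != 4:
            return None  # something under the zone, but not an address lookup
        try:
            checked = str(ipaddress.IPv4Address(".".join(reversed(octets))))
        except ipaddress.AddressValueError:
            return None
        return checked, zone
    return None


def find_dnsbl_lookups(log_text):
    """Extract every DNSBL lookup (source host, checked address, zone) from the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parsed = parse_dnsbl_query(m.group("qname"))
        if parsed is None:
            continue
        checked_ip, zone = parsed
        hits.append({"src": m.group("src"), "checked_ip": checked_ip, "zone": zone})
    return hits


def flag_suspicious(hits, allowlist=MAIL_RELAYS):
    """Group DNSBL lookups by querying host, dropping known mail relays.

    A non-mail host checking one address against several lists matches the
    reputation-probing behaviour described for Kelihos and is worth triaging.
    """
    by_src = defaultdict(lambda: {"zones": set(), "checked": set()})
    for h in hits:
        if h["src"] in allowlist:
            continue
        by_src[h["src"]]["zones"].add(h["zone"])
        by_src[h["src"]]["checked"].add(h["checked_ip"])
    return dict(by_src)


if __name__ == "__main__":
    for src, info in sorted(flag_suspicious(find_dnsbl_lookups(SAMPLE_LOG)).items()):
        print(f"{src}: checked {sorted(info['checked'])} against {sorted(info['zones'])}")
```

On the sample log the relay 10.0.0.25 is ignored, while 10.0.1.17 and 10.0.1.42 are reported for checking 203.7.8.9 (the decoded address, which in a real incident would be the site's own egress IP) against the Spamhaus, SpamCop and CBL zones. Because such lookups also tell you which external address the malware expects to send from, they are a useful pivot to outbound SMTP monitoring on the same hosts.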
Kelihos’ tactic of using peer-to-peer communication rather than a centralized command-and-control server or servers also contributes to its staying power. Peer-to-peer botnets are difficult to take down and are finding favor not only with spammers but also with criminal gangs involved in financial fraud, identity theft or denial-of-service attacks. A P2P botnet is resilient not only against law enforcement, but also against security analysts who want to enumerate these networks of compromised computers or disrupt their services.
Earlier this month, researchers at the Malware Must Die blog reported other infrastructure changes in Kelihos: it switched its domains from .ru to .com top-level domains, and the researchers identified a dozen .com domains and hundreds more .ru sites, all found on a Bahamian web host, that were removed from the Internet. It is also using different file and registry names than in the past to help it evade detection, according to Lavasoft.
Recent research examined the resilience of peer-to-peer botnets, in particular Kelihos, ZeroAccess and Zeus, and found a number of reasons why the model endures. P2P botnets often use custom, encrypted protocols for communication, which makes analysis a challenge. They also make good use of peer reputation schemes to determine whether bots are trustworthy; those that are not end up blacklisted. Others are even more sophisticated, using fast-flux DNS or domain generation algorithms to protect the botnet from disruption.