Deep End Research noted that 1,500+ fast-flux domains are associated with the botnet, in the capacity of command and control; it’s a peer-to-peer network, lacking any one point of centralization. To get an idea of the sacle, according to Threatpost, Kaspersky Lab researchers have been analyzing the malware and botnet's structure and have found there are in total more than 8,500 unique IP addresses behind just one of the Russian domains being used: wowrizep.ru.
And that’s not the most active domain. “The current and most active name servers are pointing to the ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru which are also fast flux domains,” said Deep End Research, in its blog. “The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down, the botnet is definitely on the rise again.”
Kaspersky told Threatpost that the malware is designed to do many things in the name of profit, including stealing online credentials, spamming and stealing BitCoin data.
While this time around Kelihos (a.k.a. Hlux) first caught notice via the “Nap” function, in which it employs extended sleep calls to evade automated analysis systems capturing its behavior, this is just one of the new aspects of the rebooted bot. For instance, this version has a significant backdoor functionality, as detailed by LavaSoft.
“FireEye posted details about the sleep function found in Kelihos/Hlux, which is interesting, and indeed is present in some of the samples we saw,” Deep End Research noted. “The Trojan, of course, has many more features.”
Kelihos has a storied history. The first Kelihos botnet comprised some 41,000 infected computers worldwide and was capable of generating 3.8 million spam emails every day before its takedown in 2011 in a joint effort between Kaspersky Lab and Microsoft.
The second takedown of Kelihos happened in March 2012, after Microsoft discovered “evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet.” It said at the time that Andrey Sabelnikov was the owner and operator of Kelihos – an allegation that led to a court settlement.
Taking down a botnet is only half the problem, of course. The infected computers remain infected and could be reactivated from new command servers. This instance of the Kelihos botnet is, however, a fresh infestation, Kaspersky noted, not a re-animated iteration of the older sinkholed networks.