Tag: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever
Clik here to view.
Warning: It's a "hardcore" disclosure, read only if you need & ready to know..
Background
The "suspect" a.k.a. bad actor in the below slide is responsible for malware distribution via RedKit exploit kit [-1-] [-2-] [-3-], Cookie Bomb [-1-] [-2-] [-3-] [-4-], Malicious Cushion Redirectors [-1-] [-2-], and those all linked and lead to his botnet the Kelihos (aka Khelios aka Waledac) a fast flux botnet [-1-] [-2-] [-3-]. The actor is known with alias name Petr Severa [-1-] [-2-].
When I went to Botconf in December 2013, I was spending much time in my secluded hotel room (I stayed separately than others) more than in conference, so I can focus to this important disclosure that our team was counting on me to reveal it well during the Short Talk chance that was generously and thankfully given for this matter. These are the materials that I looked over and over like hundred times, with thinking of which detail that is needed to be shared in conference, which one that has to be shared to law enforcement only, and what information that is needed to be shared to friend-researchers.
After discussion with our team mate the night before, and several discussions with the important persons, fyi: at that time the Kelihos CNC in Nederlands were successfully taken down my our friend from McAfee, Mr. Christiaan Beek, and our Germany team lead by wirehack7 together with LKA was in literally on "raid" action for the CNC machines of Kelihos CNC from its data center.. It was the crazy busy and hard time for a jet-lagged-guy from Japan who got very tired from travel via Paris airport for 7hrs (stuck in AirPort for long long lines), and slept in front door of hotel all night since the door was locked when I arrived at 11pm.. I selected the slides that was shared in-->[link] that later I rehearsed with Mr. Dhia Mahjoub of OpenDNS, the pair presenter.
Soon it will be three full years since the first time I decompiled our first Kelihos botnet Win32 binary, and 2.5 years since BotConf 2013. With all due respect to great good hard working people in many security incident response entities, internet administration and law enforcement teams, frankly speaking there's nothing has been changed much in these three years, the actor is still out there receiving his monthly affiliated "fee" and living happily with still practicing his unique modus operandi to spread the badness in the internet.
Image may be NSFW.
Clik here to view.
Figure1: Couple of Kelihos CNC dedicated machines' traffic in live monitoring in January 2016 by MalwareMustDie
We still see Kelihos is distributed along with ransomware, and we still see Cookie Bomb codes is used to spread malware & also ransomware too via compromised weak PHP panel sites. The only difference made is we have growing numbers of takedown for this threat, like 22 to 24 CNC service shutdown in Kelihos botnet, and about 8 dedicated machine supported those IPs were taken down, until now.
Slide
Among the data I starred in the hotel room, these are the overall today's shareable data collected from our operation against this botnet (excluded Dhia's OpenDNS data which was merged right before the event started), contains very important PoC or evidence as as malicious verdict to a known internet crime bandit from St. Petersburg, the "Severa". I recollect them all in this one slide with adding all re-compiled and renewed comments with more supporting facts.
Our team was patiently waiting for the justification of the crime done by known & reported identification, we reported and being very supportive to the law and order, as per supposed to be done, but the badness from the same source are still there and still active, so, as one of our member had just said "I think that full disclosure after 2.5 years is pretty reasonable.." (poke @Kira), we think the security community need to know what happened recently in Kelihos, what our team had actually achieved about it, and when/how/why/where we know the real ID of the Kelihos botherder who is actually the center of multiple cyber threat in the internet.
Here is the slide:
(the disclosure started from page 53)Please use the data with the right way. All of the evidence mentioned were found in the internet or dumps.I thank fellow MMD team mates & friends, who are proven solid in team work I've ever worked with in fighting any botnet on earth..I am very happy to work with them all, and I won't take their good team effort for granted. The credits are given to the hard work they and other supporters did, this case is a good example as team work management between good folks to fight a bad cyber crime scene.
#MalwareMustDie