TheKelihos botnet, also known asHlux, is abotnet mainly involved inspamming and the theft ofbitcoins.[1]
The Kelihos botnet was first discovered aroundDecember 2010.[2] Researchers originally suspected having found a new version of either theStorm orWaledac botnet, due to similarities in themodus operandi andsource code of the bot,[3][4] but analysis of the botnet showed it was instead a new, 45,000-infected-computer-strong botnet that was capable of sending an estimated4 billion spam messages a day.[5][6] InSeptember 2011,[7]Microsoft took down the botnet in an operation codenamed "Operation b79".[5][8] At the same time, Microsoft filed civil charges against Dominique Alexander Piatti, dotFREE Group SRO and 22John Doe defendants for suspected involvement in the botnet for issuing 3,700subdomains that were used by the botnet.[8][9] These charges were later dropped when Microsoft determined that the named defendants did not intentionally aid the botnet controllers.[10][11]
In January 2012, a new version of the botnet was discovered, one sometimes referred to as Kelihos.b or Version 2,[1][6][7] consisting of an estimated 110,000 infected computers.[1][12] During this same month Microsoft pressed charges against Russian citizen Andrey Sabelnikov, a former IT security professional, for being the alleged creator of the Kelihos Botnetsourcecode.[11][13][14] The second version of the botnet itself was shut down inMarch 2012 by several privately owned firms bysinkholing it – a technique which gave the companies control over the botnet while cutting off the original controllers.[2][15]
Following the shutdown of the second version of the botnet, a new version surfaced as early as April 2nd, though there is some disagreement between research groups whether the botnet is simply the remnants of the disabled Version 2 botnet, or a new version altogether.[16][17] This version of the botnet currently consists of an estimated 70,000 infected computers. The Kelihos.c version mostly infects computers through Facebook by sending users of the website malicious download links. Once clicked, aTrojan horse named Fifesoc is downloaded, which turns the computer into azombie, which is part of the botnet.[18]
On 24 November 2015 a Kelihos botnet event occurred causing widespread false positives of blacklisted IPs:
″November 24, 2015 Widespread false positives
Earlier today, a very large scale Kelihos botnet event occurred - by large scale, many email installations will be seeing in excess of 20% kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn't an unusual thing normally, the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.
The email was allegedly from the US Federal Reserve, saying something about restrictions in "U.S. Federal Wire and ACH online payments." Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza orDridex malware.
The detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error.″[19]
An affidavit unsealed on 5 February 2018, showedApple's unexpected role in bringing the Russian spam king to justice.Peter Levashov allegedly ran the Kelihos botnet under the alias "Severa", renting out access to spammers and other cybercriminals. But despite Levashov's significant efforts at anonymity, court records show that federal agents had been surveilling hisiCloud account since 20 May 2016, funneling back crucial information that may have led to his arrest. The standing federal iCloud warrant would have given authorities a running tab ofIP addresses used to log in to the account, which could easily have tipped them off to his vacation inBarcelona, Spain, and was arrested at the request of US law enforcement and extradited to the United States for prosecution.[20]
The Kelihos botnet is a so-calledpeer-to-peer botnet, where individual botnet nodes are capable of acting as command-and-control servers for the entire botnet. In traditional non-peer-to-peer botnets, all the nodes receive their instructions and "work" from a limited set of servers – if these servers are removed or taken down, the botnet will no longer receive instructions and will therefore effectively shut down.[21] Peer-to-peer botnets seek to mitigate that risk by allowing every peer to send instructions to the entire botnet, thus making it more difficult to shut down.[2]
The first version of the botnet was mainly involved indenial-of-service attacks andemail spam, while version two of the botnet added the ability to stealBitcoin wallets, as well as a program used tomine bitcoins itself.[2][22] Its spam capacity allows the botnet to spread itself by sendingmalware links to users in order to infect them with a Trojan horse, though later versions mostly propagate over social network sites, in particular through Facebook.[16][23] A more comprehensive list of the Kelihos spam can be found in the following research paper.[24]
On 2 February 2018, theUnited States Department of Justice announced that a Russian national has been extradited fromSpain and will be arraigned inConnecticut on charges stemming from his alleged operation of the Kelihos botnet.Peter Yuryevich Levashov, 37, also known as Pyotr Levashov,[25] Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, was detained on 7 April 2017 inBarcelona, when he was arrested by Spanish authorities based upon a criminal complaint and arrest warrant issued in the United States District of Connecticut.[26] On 3 February 2018, he pleaded not guilty to the charges ofwire and email fraud,hacking,identity theft andconspiracy after appearing before a federal judge in the U.S. state ofConnecticut. He remains in detention.[25] In September 2018, Levashov pleaded guilty.[27]