Kelihos is dead. Long live Kelihos
(Publication)
| Kelihos is dead. Long live Kelihos | |
|---|---|
| Botnet | Kelihos |
| Malware | Kelihos.A, Kelihos.B, Kelihos.C |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | Operation b79 |
| Vulnerability | |
| CCProtocol | P2P, DGA |
| Date | 2012 / 30-03-2012 |
| Editor/Conference | Damballa |
| Link | http://blog.damballa.com/?p=1571 (blog.damballa.com; archive copy available) |
| Author | Gunter Ollmann |
| Type | |
Abstract
“The King is dead. Long live the King! Or, given this week’s events, should the phrase now be “Kelihos is dead. Long live Kelihos”?
It is with a little amusement and a lot of cynicism that I’ve been watching the kerfuffle relating to the latest attempt to take down the Kelihos botnet. You may remember that a similar event (“Kelihos is dead”) occurred late last year after Microsoft and Kaspersky took it on themselves to shut down the botnet known as Kelihos (or sometimes as Waledac 2.0 or Hlux). Now, like a poor sequel to a TV docu-drama, Kaspersky and a number of other security vendors have attempted to slap down control of Kelihos Season Two; meanwhile, Season Three of Kelihos has just begun to air.
In the most recent attempt to interrupt the business operations of the criminal entity behind the Kelihos botnet, a bunch of threat researchers have managed to usurp command and control (C&C) of the Kelihos.B crimeware package by poisoning the peer-to-peer (P2P) relationships between all of the infected devices and installing a surrogate control server. It’s good technical work by all those concerned, but it has also proved to be ineffective if the objective was to actually take down the botnet.”
Bibtex
@misc{2012BFR965,
  editor = {Damballa},
  author = {Gunter Ollmann},
  title = {Kelihos is dead. Long live Kelihos},
  date = {30},
  month = Mar,
  year = {2012},
  howpublished = {\url{http://blog.damballa.com/?p=1571}},
}