Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Securelist.com (Kaspersky) released a misleading information about Kelihos Botnet actual status
From: アドリアンヘンドリック <unixfreaxjp22 () gmail com>
Date: Fri, 3 Jan 2014 13:25:49 +0900

Following the previously posted about the Kelihos botnet current status,

The current status of Kelihos infection will be presented in Short Talk
at BotConf
2013, in Nantes, France, Dec 2013.

We did our part as per promised, and disclosed the every operation aspect
in details against this botnet including the criminal responsible behind
all acts (a Russia Federation nationality individual).
All of the verdict and data were reported officially to the Group IB in
Russia Federation for the legal case follow, we look forward to have the
finalization in 2014. And Interpol, EuroPol ECC and FBI will receive the
latest updates accordingly.

This botnet is hitting countries hard, and it's affiliation with other
malwares also growing, they are still ACTIVELY infecting via spambot
function and web driven injection (iframers CookieBomb + etc exploit
tools), please put more attention on the current status of the threat. For
the POC of the activity on infection peers feel free to access IRC
monitoring system as per shared in previous post.

Below is the report on the disclosure:
http://malwaremustdie.blogspot.jp/2013/12/short-talk-in-botconf-2013-kelihos.html

OP-Kelihos Team

Rick of MalwareMustDie / @unixfreaxjp
PGP/MIT.EDU <http://mit.edu/>: RSA 2048/0xEC61AB9
Query: 0xb9ad3d5bec61ab91

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie

On Wednesday, November 13, 2013, アドリアンヘンドリック wrote:

Securelist.com (Kaspersky) released a wrong and mis-leading information
about current status of Kelihos Botnet:

http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_botnet_what_happened

*1) Securelist.com wrote: At the moment we're counting about 1000 unique
bots on average per month*

Below is the CnC volume infected peer botnet of Kelihos in Actual
Monitoring counter, up to today.
Even per Country's infection data stated below is exceeding 1,000...

1231  PL
1710  RO
2398  BY
4051  KZ
4615  TW
6037  IN
9823  JP
18158 RU
52825 UA

Our online monitoring shows the real fact about the volume...

*2) Because of what "they" claimed they did.. the Kelihos is smaller
now….hmm..(?)*

As per you know, the above 1) growth is still happening, even NOW we keep
on suspending, sinkholing new domains their used for spreading payload
(which it is encrypted in their job servers to CnC layer to be sent to peer
for infection upgrade) in time-to-time basis, with total now is exceeded
800+ domains from August 6th to Yesterday.
The effort of current suppressing is NOT related of the previous shutdown
which was actually successfully recovering of the botnet itself. It is
 kudos hard work of many IT security people who cares and work together in
one coordination all over the globe for this threat.
Nevertheless, even many people help and effort was achieved, Kelihos
BotNet also perform a quick recovering by just released NEW ALIVE domains
already in RegTime.NET (Russia FederationRegistrar) below, be free to
confirm the registration date of this new domains as PoC.

EJEXPOC,COM
ABGYCWU,NET
CESGUMU,ORG
QYQANYB,BIZ
GOTOREF,BIZ
TOREMOA,COM

*3) Securelist.com said "Most of the infected clients are located in
Poland"*

We al know that Ukraine, Russia Federation, Japan, India, Taiwan are the
top of infected countries from the day one they recover…
It is strongly suggest that the post in securelist.com is not confirming
the actual situation…

*4) **Securelist.com** wrote: "Victims have been disinfecting or
reinstalling their PCs over time"*

This is also a PoC that securelist.com as security maker's research
entity does not update their actual data and used the outdated and announce
it as recent…the "marketing" value is sensed under the blanket.
New infection are actually popping up with the ALIVE payload.. opposing to
the PC that was cured/fixed, each peers has more than 10+ payloads to
spread with smaller  number of payloads exists in the loader part.. well
apparently secure list.com doesn't know this too.

*Additional:*

*For your information.*

Our group, MalwareMustDie, NPO is obligated to conduct the contra-posting
"the statement" posted with this real fact about what is really happen in
Kelihos botnet since "the statement" is mis-leading the entities that are
currently making hard effort in cleaning up the infection peer by peer all
over the planet.

The current status of Kelihos infection will be presented in Short Talk at
BotConf 2013, in Nantes, France, Dec 2013.

 We are in purpose NOT posting / exposing any activities of this operation
beforehand in any web format since the intelligence and hard work of law
enforcement process in Europe and Russia Federation for its on going
process to stop this threat for good.

If security entity starting to state the wrong and misleading information,
which is based not to the current and actual fact, then it is time for all
of us to  correct every mistakes made with the true counter statement like
this.

On behalf of the good engineers that gather in OP-Kelihos to suppress the
botnet in daily basis, bind to the promise to keep silent about the OP, we
are informing this mistake by this full disclosure announcement.

These are the Video contains information of infection in monitoring that
can reveal the evidence of infection volume, and you can see on how hard
huge the infection is actually happen now as per listed in the youtube
video link below:
Kelihos Regional Infection (per country's) Online Monitor via Web<http://www.youtube.com/watch?v=-LNJsbYK6K8>

How to View & Download the Archive of Kelihos Infection Monitoring Channel<http://www.youtube.com/watch?v=9uNcT9DwsYw>

Kelihos Volume Monitoring Applet - Country base monitoring panel<http://www.youtube.com/watch?v=4r2FKMiXhwk>


OP-Kelihos Team

Rick of MalwareMustDie / @unixfreaxjp
PGP/MIT.EDU: RSA 2048/0xEC61AB9
Query: 0xb9ad3d5bec61ab91

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie



-- 
Hendrik Adrian / @unixfreaxjp
PGP/MIT: RSA 2048/0xEC61AB9
Query: 0xb9ad3d5bec61ab91


MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Re: Securelist.com (Kaspersky) released a misleading information about Kelihos Botnet actual status アドリアンヘンドリック (Jan 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]