February 16, 2012

Long life to Kelihos!


During the past months, the spam engine Kelihos has attracted the attention of many people, including security company researchers and analysts. Also of interest was the recent official Microsoft response, which confirmed a new generation of Kelihos variants derived from the previous one. The Websense® Security Labs™ Spam Trap system has detected a variant of Kelihos that is apparently still active.

We focused our research on trying to uncover the Kelihos command and control infrastructure and P2P network, along with some features of the botnet that we could recognize, including enhancements. The first interesting thing we noticed was in a sample of the network traffic generated by the bot before it starts its spam activity. As shown below, the bot generates a first request to an IP address that is listening on HTTP port 80:


We detected encrypted traffic between the "infected" host and the IP addresses shown above. The server contacted by the bot answers with another encrypted network stream. Before the bot starts to generate spam, it contacts another IP address, this time with an HTTP GET request, as shown in the following screen shot:


In this screen shot, we see that the "User-Agent" header string specifies a dodgy user agent, and that the traffic between the URL requested by the bot and the contacted server seems to be encrypted. Our investigation found that the last stream received by the bot is the configuration information that permits it to begin generating spam. This information includes the targeted countries, a list of recipients, a template for the email body, and a list of MX records needed to start the campaign.

From static analysis of this binary (MD5 021EC96775A37AE92680C076295D5991), we can confirm that the new generation of Kelihos uses an encryption mechanism based on Blowfish. Using some of our tools of the trade, we reversed the binary and found evidence of a statically linked instance of the open-source cryptographic library Crypto++. Further investigation using a tool called PEiD provided the needed confirmation of this:
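Signature scanners such as PEiD identify a statically linked cipher by looking for its fixed tables: Blowfish initialises its P-array with the hexadecimal digits of pi, so the words 0x243F6A88, 0x85A308D3, ... appear verbatim in the data section of any embedded implementation, Crypto++ included. The script below is an added example (not code from the original post or from Websense) that performs that check on an arbitrary image; the sample image it scans is constructed inline and is not the Kelihos binary.

```python
"""Scan a binary image for the Blowfish P-array initialisation constants.

Added example: finds the first eight P-array words (hex digits of pi) in
either byte order, the same kind of fingerprint crypto-signature scanners
rely on. The image scanned in __main__ is constructed, not a real sample.
"""
import struct
import sys

# First eight words of the Blowfish P-array (hexadecimal digits of pi).
BLOWFISH_P_INIT = (
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344,
    0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89,
)


def _signature(endian: str) -> bytes:
    """Serialise the P-array prefix in the given byte order ('<' or '>')."""
    return b"".join(struct.pack(endian + "I", w) for w in BLOWFISH_P_INIT)


SIGNATURES = {"little": _signature("<"), "big": _signature(">")}


def find_blowfish_constants(image: bytes):
    """Return sorted (offset, endianness) pairs where the P-array prefix occurs."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while True:
            idx = image.find(sig, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed stand-in for a PE image: header bytes, padding, then the table."""
    return (b"\x00" * 0x40 + b"MZ" + b"\x90" * 0x1000
            + SIGNATURES["little"] + b"\xcc" * 64)


def scan_file(path: str):
    """Scan a file on disk; returns the same (offset, endianness) list."""
    with open(path, "rb") as fh:
        return find_blowfish_constants(fh.read())


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_blowfish_constants(build_sample_image())
    for off, endian in hits:
        print(f"Blowfish P-array prefix at offset 0x{off:x} ({endian}-endian)")
```

A hit only proves that a Blowfish table is present in the image; it says nothing about how the key is derived or which mode is used, which still has to come from reversing the code that references the table.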


This knowledge permitted us to start a more detailed investigation using a reverse engineering process. After we observed that the first IP address contacted by the bot changed according to no apparent criterion, we set out to find where that IP address was retrieved from. We were unable to retrieve anything from a memory dump during the bot's runtime. However, a review of the memory contents revealed that some "hard coded" information in the bot was protected by a sort of in-memory mechanism based on encoding and encryption. In other words, the vital parameters that allow this bot to exist were not easily detectable because they were located in an area of the code where custom obfuscation was applied. When we looked for some IP addresses in memory, we detected the code routine used to decrypt the IP addresses (probably all compromised hosts). What follows is a snippet of the memory dump after the decryption routine ran:


The above screen shot shows the area of the bot's memory after the decryption routine extracts the first IP address to contact. The bot then starts the network conversation that we showed in the network traffic screen shot at the beginning of this blog. We found a total of 499 IP addresses in the bot's memory. Extracting this list from the bot, we can (thanks to Google Maps) represent graphically how widespread the Kelihos command-and-control and peer infrastructure is. The following illustration shows the geographical distribution of just 100 of those IP addresses chosen randomly from the list. Given the numerous locations shown, you can see how well this botnet is protected:
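Once the decryption routine has run, the peer and command-and-control addresses sit in process memory as plain text, and the analyst's job becomes carving them out cleanly: validating each candidate, dropping loopback, RFC 1918 and other non-routable noise that a memory image always contains, and de-duplicating. The script below is an added example, not the tooling used in the original analysis; the dump it parses is a constructed byte string, the addresses in it are RFC 5737 documentation addresses, and the country lookup is a constructed mapping standing in for a real GeoIP database (that lookup and its function name are assumptions).

```python
"""Carve candidate peer/C2 IPv4 addresses out of a decrypted memory dump.

Added example. SAMPLE_DUMP is constructed; the addresses in it come from the
RFC 5737 documentation ranges and sample_lookup() is a stand-in for a GeoIP
lookup that a real run would replace with a database query.
"""
import ipaddress
import re
from collections import Counter

# Dotted-quad candidates, not preceded or followed by another digit or dot.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")

# Ranges that cannot be a remote peer and only add noise to a blocklist.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_routable(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in NON_ROUTABLE)


def extract_routable_ipv4(dump: bytes):
    """Return unique routable IPv4 addresses from the dump, in first-seen order."""
    seen = []
    for match in IPV4_RE.findall(dump):
        text = match.decode("ascii")
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            continue  # matched the regex but has an octet > 255
        if is_routable(addr) and text not in seen:
            seen.append(text)
    return seen


def top_countries(addresses, lookup, n=20):
    """Rank countries by number of addresses, using a caller-supplied lookup."""
    counts = Counter(lookup(a) for a in addresses)
    return counts.most_common(n)


# Constructed dump fragment: two valid peers, one bogus octet, local noise,
# a duplicate, and some binary garbage around the strings.
SAMPLE_DUMP = (
    b"\x00\x00peer=198.51.100.17\x00junk=999.1.1.1\x00"
    b"192.0.2.55\x00127.0.0.1\x0010.0.0.8\x00198.51.100.17\x00"
    b"203.0.113.201\x00\xff\xfe"
)


def sample_lookup(addr: str) -> str:
    """Constructed country mapping; a real tool would query a GeoIP database."""
    return {"198.51.100.17": "US", "192.0.2.55": "DE",
            "203.0.113.201": "US"}.get(addr, "??")


if __name__ == "__main__":
    peers = extract_routable_ipv4(SAMPLE_DUMP)
    print("\n".join(peers))
    for country, count in top_countries(peers, sample_lookup):
        print(f"{country}: {count}")
```

The regex deliberately over-matches and leaves validation to `ipaddress`, so a string such as `999.1.1.1` is rejected for the right reason rather than by a fragile pattern; the exclusion list is explicit instead of relying on `is_global`, which would also reject the documentation ranges used here.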


When we extracted the country code from the IP addresses, we generated the following graph, which shows the 20 countries that are home to most of the Kelihos command-and-control and peer systems:


More investigation of Kelihos spam activity revealed that this botnet is involved in several malicious campaigns, including the following phishing attempt:


Our Websense ThreatSeeker® network can detect this spam activity and block the communication between the Kelihos bot and its command-and-control and peer structure. The following screen shot shows how a Websense customer is protected against the phishing attempt shown in the mail above:
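The recovered address list is also directly usable by anyone running their own egress monitoring. The script below is an added example, not Websense's detection logic: it runs two checks over proxy log lines, whether the destination is on the recovered peer/C2 list and whether the bot's habit of contacting bare IP addresses shows up as an IP literal in the Host header. The log format, the log lines and the blocklist entries are all constructed (RFC 5737 documentation addresses).

```python
"""Flag proxy-log requests that match recovered Kelihos peer/C2 behaviour.

Added example. The log format ("client dest host method path"), the lines
in SAMPLE_LOG and the C2_BLOCKLIST entries are constructed; in practice the
blocklist is the address list carved from the bot's decrypted memory.
"""
import ipaddress
from dataclasses import dataclass

# Stand-ins for addresses recovered from the decrypted memory dump.
C2_BLOCKLIST = {"198.51.100.17", "192.0.2.55", "203.0.113.201"}


@dataclass
class Hit:
    client: str
    dest: str
    reason: str


def is_ip_literal(host: str) -> bool:
    """True when the Host header carries an address rather than a hostname."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Split one constructed-format log line into its five fields."""
    client, dest, host, method, path = line.split(maxsplit=4)
    return client, dest, host, method, path


def detect(lines):
    """Return one Hit per suspicious request; clean requests produce nothing."""
    hits = []
    for line in lines:
        client, dest, host, method, path = parse_line(line)
        if dest in C2_BLOCKLIST:
            hits.append(Hit(client, dest, "destination on recovered C2/peer list"))
        elif is_ip_literal(host):
            hits.append(Hit(client, dest, f"Host header is an IP literal: {host}"))
    return hits


# Constructed log lines: two hits on the blocklist, one benign request to a
# hostname, and one direct-to-IP request to an address not yet on the list.
SAMPLE_LOG = [
    "10.1.2.3 198.51.100.17 198.51.100.17 POST /",
    "10.1.2.3 192.0.2.55 192.0.2.55 GET /index.html",
    "10.1.2.9 203.0.113.9 www.example.com GET /",
    "10.1.2.9 203.0.113.9 203.0.113.9 GET /",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.dest}: {hit.reason}")
```

The IP-literal check is the weaker signal of the two and belongs in a hunting query rather than an automatic block, since some legitimate software also talks to raw addresses; the blocklist match is the one that justifies blocking outright.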


During our investigation, we also detected and trapped the following email messages generated by the Kelihos bot. We can see from this list that the campaign is targeted primarily at European and USA email addresses:


We could say much more about the Kelihos botnet. For example, the code seems to be derived and recycled from other malicious code close to Waledac variants. We have detected some evidence of Infostealer activity targeting well-known FTP clients, the presence of a routine that acts like a Bitcoin wallet stealer, and a list of suspicious User-Agents used by the bot to contact its command-and-control and peer machines. In any case, the most important outcome of this analysis is that we have retrieved the entire list of the command-and-control systems.


Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

