A forum for reverse engineering, OS internals and malware analysis 

 #20443  by unixfreaxjp
 Sat Aug 10, 2013 9:32 am
Today we detected Kelihos-infected dial-up IPs all over the world, in total 4,360 nodes,
by rapidly requesting A records for the HLUX (the domains and NS used); the graphs are in the original post.
The HLUX seems to grow very fast in non-unique monitoring,
but after we sort+unique the IPs, it actually grows at the pace of unique growth.
We ran four stages of this "milking" process within one day (today), and this is the result.

The overall IP data was merged; these are the two versions you can use:
1. The usual format, to get the info of your country/ISP/ASN: http://pastebin.com/raw.php?i=kArtKghi
2. The extended format with the additional reversed IP, network segments: http://pastebin.com/raw.php?i=mmuyzTuu
*) Recent samples can be grabbed from these IPs; most are still alive now.

Notes:
Analysis shows most are dial-up IPs, but quite a large number of static IPs were also spotted in some countries. The reversed IP shows you which ones are on dial-up networks and which are not; that is why I extracted them too.
The graphical view per country (thanks to Chris J Wilson) is in the original post: an overview, a closer look, and the details.

This is the breakdown per AS number (screenshot in the original post).


These are the .COM domains that the Kelihos scum wanted to use today, registered with the registrar info below:

REGISTERED VIA:
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last update of whois database: Sat, 10 Aug 2013 04:38:38 UTC
Registration Service Provided By: DOMALAND

The current format of the domains used by the Kelihos scum is randomized, matching the regex:

[a-z]{7}\.COM

PoC of the registrar and of the registration DB: screenshots in the original post.

We initiated dismantling and blocking of them; the result is in the screenshot in the original post.

This is a fight by a group of researchers & engineers gathered in MalwareMustDie; all of the results are team work, with wonderful cooperation from abuse.ch, OpenDNS, Umbrella Labs, GroupIB, the registrars involved and ICANN.
Please help to clean up your network and inform us if you spot new domains used for new infections.
Stop malware using our internet!!

On behalf of #MalwareMustDie Team
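As an added example (this is not the team's tooling and not code from the post), the bookkeeping behind the numbers in the post above: filter queried names against the reported [a-z]{7}.COM pattern (NS hosts counted against their domain), accumulate A-record answers per "milking" stage both with and without sort+unique, and split the resulting nodes into dial-up and static by reverse DNS. The domain names, IPs, PTR strings and resolver answers are constructed sample data, the dial-up PTR heuristic is an assumption rather than the post's method, and the `tlds` parameter is an assumption added so the same filter covers the later move to .INFO/.ORG/.ME reported further down the thread.

```python
import re
from collections import Counter

# Added example, not code from the post or MalwareMustDie tooling. The domain
# names, IPs, PTR strings and resolver answers below are constructed sample
# data; a real run would feed the answers from a DNS library or `dig` output.


def kelihos_domain_regex(tlds=("com",)):
    """Compile the post's [a-z]{7}.COM pattern. The tlds parameter is an
    assumption added so the same filter covers the .INFO/.ORG/.ME move the
    thread reports later."""
    alt = "|".join(re.escape(t) for t in tlds)
    return re.compile(r"^[a-z]{7}\.(%s)\.?$" % alt, re.IGNORECASE)


def registrable(name):
    """Strip a leading ns-label (ns.<domain>, ns1.<domain>) so the A records of
    the NS hosts the post also queries are counted against their domain."""
    labels = name.rstrip(".").split(".")
    if len(labels) > 2 and labels[0].lower().startswith("ns"):
        labels = labels[1:]
    return ".".join(labels)


def milk(rounds, pattern):
    """Run the bookkeeping for several 'milking' stages.

    rounds: one dict per stage mapping queried name -> list of A-record IPs.
    Returns (non_unique, unique, ips): the cumulative answer count per stage
    (what the non-unique graph shows), the cumulative count after sort+uniq
    (the unique-growth graph) and the final set of node IPs.
    """
    seen = set()
    non_unique, unique = [], []
    total = 0
    for answers in rounds:
        for name, ips in answers.items():
            if not pattern.match(registrable(name)):
                continue  # unrelated name mixed into the query list
            total += len(ips)
            seen.update(ips)
        non_unique.append(total)
        unique.append(len(seen))
    return non_unique, unique, seen


# Heuristic, an assumption rather than the post's method: PTR names carrying
# access-network words are treated as dial-up/dynamic, the rest as static.
DYNAMIC_HINTS = ("dyn", "dhcp", "ppp", "dial", "pool", "dsl", "cable")


def classify_ptr(ptr):
    if not ptr:
        return "no-ptr"
    p = ptr.lower()
    return "dynamic" if any(h in p for h in DYNAMIC_HINTS) else "static"


def ptr_breakdown(ips, ptr_lookup):
    """Count dynamic/static/no-ptr nodes; ptr_lookup maps ip -> PTR or None."""
    return Counter(classify_ptr(ptr_lookup.get(ip)) for ip in ips)


# Constructed sample answers for three stages (RFC 5737 test addresses).
SAMPLE_ROUNDS = [
    {"abcdefg.com": ["203.0.113.10", "203.0.113.11", "198.51.100.5"],
     "ns1.abcdefg.com": ["203.0.113.10"],
     "legit-site.com": ["192.0.2.1"]},  # does not match the pattern, ignored
    {"abcdefg.com": ["203.0.113.11", "198.51.100.7"],
     "hijklmn.com": ["203.0.113.10", "192.0.2.200"]},
    {"hijklmn.com": ["192.0.2.200", "198.51.100.5"]},
]
SAMPLE_PTR = {  # constructed reverse-DNS results
    "203.0.113.10": "dyn-10.pool.example-isp.net",
    "203.0.113.11": "ppp-11.example-isp.net",
    "198.51.100.5": "host5.colo.example.net",
    "198.51.100.7": None,
    "192.0.2.200": "dhcp-200.cable.example.org",
}


def summarize(rounds=SAMPLE_ROUNDS, ptr_lookup=SAMPLE_PTR, tlds=("com",)):
    """Return per-stage totals plus the dial-up/static split for one run."""
    non_unique, unique, ips = milk(rounds, kelihos_domain_regex(tlds))
    return {
        "non_unique": non_unique,
        "unique": unique,
        "nodes": sorted(ips),
        "ptr": dict(ptr_breakdown(ips, ptr_lookup)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

On the sample data the non-unique curve climbs 4, 8, 10 while the unique curve flattens at 3, 5, 5, which is the gap between the two graphs the post describes; the PTR split is what decides which nodes are worth chasing as static hosts versus churning dial-up pools.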
 #20453  by SmilingWolf
 Sun Aug 11, 2013 7:11 am
37 samples downloaded between yesterday and this morning.

I'm also purging the IP lists with "fping -a"; I will edit with a link to the list of alive IPs.

Sinkholing status (incomplete list; these are just the most recent from PDR), screenshot in the original post.

Samples:
hxxp://www.sendspace.com/file/jnshtz
 #20455  by unixfreaxjp
 Sun Aug 11, 2013 10:22 am
Today's Kelihos botnet infected-IP list, 1,939 IPs: http://pastebin.com/raw.php?i=b9sJb5wN
We broke the data down to GeoIP at city level: http://pastebin.com/raw.php?i=4yX9Qdc7


Today's sample is: https://www.virustotal.com/en/file/04af ... /analysis/
(sample is attached)

All spotted .COM domains used by Kelihos are sinkholed (screenshot in the original post).

Attachment (pwd: infected), 882.17 KiB.
 #20458  by SmilingWolf
 Sun Aug 11, 2013 12:46 pm
Kelihos samples come in many MD5s and sizes; here is a list of scans done for every sample of a different size:
https://www.virustotal.com/en/file/c31c ... 376223133/
https://www.virustotal.com/en/file/87fa ... 376223161/
https://www.virustotal.com/en/file/a163 ... 376223248/
https://www.virustotal.com/en/file/0f93 ... 376223280/
https://www.virustotal.com/en/file/05b1 ... 376223537/
https://www.virustotal.com/en/file/f880 ... 376223418/
https://www.virustotal.com/en/file/4a53 ... 376223445/
https://www.virustotal.com/en/file/b7d9 ... 376223468/

The detection ratio is rising, luckily :D

List of alive IPs (alive because they respond to nmap scanning; some of them don't serve malware anymore, luckily):
http://pastebin.com/w9f6KAux

Scanned samples are attached.

Pass is "infected", both for this archive and for the sendspace link in my previous post.
Attachment (pw: infected), 6.33 MiB.
 #20464  by unixfreaxjp
 Mon Aug 12, 2013 3:53 am
Current sinkhole status of the Kelihos .COM domains released under PUBLICDOMAINREGISTRY(PDR).COM (screenshot in the original post).
All unblocked and listed domains are under process.
Since these domains serve Momma Kelihos, blocking these domains is good to protect your network from the botnet infection.
There are still undetected .COM domains out there. We are milking the internet for those.
Current infection volume on this planet: 5,835 IPs; search your network here: http://www.mediafire.com/view/u9p9r6bch ... .geoip.txt
 #20467  by unixfreaxjp
 Mon Aug 12, 2013 10:17 am
Latest news on Kelihos botnet and its infection:

World map of infection plotted from the infection IPs (image in the original post).
Direct link to the map: http://geocommons.com/maps/283789#

The blocking effort (SUSPENSION and SINKHOLE) status of the currently known .COM domains a while ago (screenshot in the original post).

The Kelihos scum are now moving to register domains at BizCN.COM (screenshot in the original post).
FYI, registrars used so far: INTERNET.BS, PUBLICDOMAINREGISTRATION.COM, (now) BIZCN.COM. Be noted.

The latest Kelihos botnet IP addresses, in detailed breakdown: http://www.mediafire.com/view/g115gol9d ... s-goip.txt
Total: 6,005 IPs

Now almost ALL related domains are suspended; BizCN.COM is in progress (screenshot in the original post).

#MalwareMustDie
 #20478  by unixfreaxjp
 Tue Aug 13, 2013 5:49 am
Latest sinkhole status; the upper part was very long, so I cut it to the recent entries only.
(the data is available for KM registered users only)
Attachment: Screen Shot 2013-08-13 at 2.09.40 PM.png (69.48 KiB)
Scroll the pic to the bottom.
The ones with an IP address are ALIVE.
The ones with NS.[KelihosDomain].COM and no IP address are also blocked.
The others are, as seen, suspended or sinkholed.
In the end, all the domains will be in suspended status.
 #20479  by unixfreaxjp
 Tue Aug 13, 2013 5:56 am
Last Kelihos (Kelihos Momma, served on the botnet nodes at root dirs) fresh detection and samples (2 files),
commented for registered users only.
Attachment (password: infected), 1.78 MiB.
VT is between 9/xx and 8/xx today, better than yesterday (3-5/xx):
https://www.virustotal.com/en/file/2374e1676fee6f09e8fbab24ec5fb0ac0ff97ed0c26778dda97bbfe5842659e1/analysis/
https://www.virustotal.com/en/file/f2e7e778b453ac2095d97f35fc974df7deb1d8f29c1f0328cab7f6e8d9c9a7bb/analysis/1376369171/
 #20488  by unixfreaxjp
 Wed Aug 14, 2013 4:57 pm
FYI, the Kelihos scum is running away from the .COM TLD after our suppression act,
and went to .INFO, .ORG and .ME; the PoC is in the screenshots in the original post.

We will convince this moron that shifting TLDs is totally idiotic and practically useless. We got to this bone now..

#MalwareMustDie Team.