Kelihos Botnet Spam Sampling

Version imprimable, PDF et e-mail

Kelihos, a botnet derived from Waledac and believed to have been written by the creators of Storm, continues to persist despite repeated takedown efforts over the last several years. While Kelihos' capabilities have been expanded to include Bitcoin mining and password theft, the generation of unsolicited email remains a core activity. This post briefly examines spam generated by the botnet during a several hour period earlier this week.

To examine the botnet's email generation activities, a Barracuda Labs honeypot was first infected with a recent Kelihos sample. During the sample's execution, outbound SMTP connection attempts were transparently redirected to a high performance spamtrap that accepted receipt of and then safely discarded the corresponding malware-generated email. A simple analysis of the resulting honeypot's network traffic revealed that approximately 150,000 messages were sent by the sample in just over 4.5 hours. These are represented by the following set of unique email subjects.

Subject: Approved medications accessible without prescription
Subject: Bong of the nation
Subject: Can you have 5 times fun?
Subject: Cut -price male enhancers
Subject: Das Problem: Ihr Paypal Sperrung
Subject: Das Problem: Ihr Paypal Uberprufung
Subject: Das Problem: Paypal Konto Uberprufung
Subject: Das Problem: Paypal Sperrung
Subject: Das Problem: Paypal Uberprufung
Subject: Do you want to amaze your loved one at night?
Subject: Do you want to have greatest nights in your life?
Subject: Do you wish to impress your partner every night?
Subject: Feel delight
Subject: Great recharging effect on male health
Subject: How to make your girlfriend happy
Subject: International company
Subject: It's a great time to try smth new
Subject: Keep her chuffed at night
Subject: Keep your woman chuffed every night
Subject: Legal drugs
Subject: Legal drugs forum
Subject: Looking forward to your response.
Subject: Lots of useful information for you.
Subject: Prospective supply.
Subject: Techniques to make your love more passionate
Subject: The best way to feel healthier
Subject: The greatest night of satisfaction is for you
Subject: This could seriously improve your love life
Subject: Very good method to recharge your loving life
Subject: Very good way to ensure your love life
Subject: We are looking for a company representative.
Subject: We need an independent agent in Japan.
Subject: We need reliable people.
Subject: You advised.
Subject: Your candidacy was suggested.
Subject: You recommended.
Subject: You very advised.
Subject: You were recommended.

Messages corresponding to the above subjects span most of the unsolicited email gamut and include the advertisement of bogus online pharmacies, job offer scams, and payment website phishing attempts. Although obviously illegitimate to most readers, the distribution of such emails continues to be a common occurrence because for a tiny fraction of recipients, they result in the generation of revenue. As past research has shown that compromised IT infrastructure must be used for these operations to be profitable to attackers, there remains strong motivation to address one aspect of the spam problem by continuing botnet takedown efforts.

Remonter en haut de page