Spammer’s Arrest Puts End to Kelihos Botnet

The alleged botmaster behind the Kelihos botnet was arrested in Spain, putting an end to a seven-year cybercrime operation that foisted hundreds of millions of spam messages on consumers, as well as a dangerous array of banking malware and ransomware.

Pyotr Levashov, also known as Peter Severa and a handful of other aliases, was arrested on Sunday by authorities in Barcelona. The U.S. Department of Justice yesterday released a statement acknowledging international cooperation between U.S. and foreign authorities, as well as the Shadow Server Foundation and Crowdstrike, in making the arrest and seizing infrastructure used to support Kelihos and Levashov’s operations.

“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Kenneth A. Blanco.

Kelihos surfaced in 2010 after the takedown of the Storm botnet. For years, it targeted Windows machines with nonstop spam pushing counterfeit drugs, pump-and-dump stock scams and other fraudulent schemes. It was also proficient at spreading banking malware such as Vawtrak and Kronos, as well as a number of different ransomware families.

The DoJ said it obtained a Rule 41 warrant to facilitate the Kelihos takedown.

“The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server,” the DoJ said. “This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.”

The DoJ said it began blocking Kelihos domains on Saturday, less than 24 hours before Levashov’s arrest.

Levashov is No. 7 on Spamhaus’ list of the worst spammers, and is alleged to have been a partner of American spammer Alan Ralsky.

Kelihos has survived a number of past takedowns, including a live sinkholing of thousands of bots conducted on stage at the 2013 RSA Conference by former Kaspersky Lab researcher Tillmann Werner.

The botnet resurfaced time and time again and spread malware that harvested credentials from infected computers, including usernames and passwords for online banking accounts.

The DoJ said it obtained civil and criminal court orders from the District of Alaska that granted authorities permission to redirect command-and-control requests from bots to servers controlled by law enforcement. Authorities were also permitted to block any commands sent by the botmaster in an attempt to regain control of his network and bots.