Risk
8/29/2013
06:45 AM
Tim Wilson
Tim Wilson
Quick Hits
50%
50%

Four Tips For Spotting The Kelihos Botnet Infection

Kelihos keeps coming back -- but it's not tough to detect, Zscaler researcher says

Despite concerted attempts to bring it down, the Kelihos botnet is alive and well and infecting devices all over the Web, according to a new report. The good news is that it's not too hard to spot.

In a blog posted Tuesday, Zscaler researcher Chris Mannon offers an analysis of the latest iterations of Kelihos, and four tip-offs that indicate its infection.

"Firstly, the use of P2P [peer to peer] style communication via SMTP [Simple Message Transfer Protocol] raised an eyebrow," Mannon says. "Secondly, we observed the overt way the botnet installs several packet capturing utilities and services. This is done so that the infection can monitor ports 21, 25, and 110 for username and password information."

Third, the botnet attempts to categorize its new victim by using legitimate services to gather intelligence, Mannon says. In one instance, "the malicious file actually queried the victim's IP address on Barracuda Networks, SpamHaus, Mail-Abuse, and Sophos," the blog says. "These services primarily exist to notify users of abuse seen on the site or IP address. Kelihos is using it to to determine if the new victim is already seen as malicious or not.

"A final point to make about this threat is that it makes no attempt to hide exactly how loud it is regarding network activity," Mannon says. "We noted a spike in TCP traffic across a distinct 563 IP addresses in the span of two minutes. Network administrators should take extra care in monitoring users with anomalous levels of traffic. A single node giving off so much traffic to different services in such a small window" could indicate that an end user is infected.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7437
Published: 2015-03-29
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

CVE-2013-7438
Published: 2015-03-29
Multiple buffer overflows in pbm212030 allow remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted PBM image, related to (1) stream line data, which triggers a heap-based buffer overflow, or (2) vectors related to an "internal intermediate heap-based ...

CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.