Botnets Come Out Of Hiding For Boston Bombing Spam

Kelihos, Cutwail botnets jump into action to deliver spam emails disguised as news from bombings

Dark Reading Staff, Dark Reading

April 20, 2013

2 Min Read

Spammers are harnessing two venerable botnets -- Kelihos and Cutwail -- to send out reams of deceptive emails disguised as news and video clips from the Boston Bombing, but that carry malicious payloads.

According to a blog by researchers at Trusteer, a large portion of the Boston Bombing spam emanates from Kelihos, a botnet targeted for termination by Microsoft last year and widely thought to be dead.

Kelihos has been growing slowly and is now delivering large amounts of spam again, Trusteer says. But this time, instead of stock spam, it is delivering malware.

"This code is none other than Redkit, an exploit kit that attempts to exploit vulnerabilities on your computer," Trusteer says. "If the exploit is successful, malware is downloaded onto the PC. One of these pieces of malware ... is actually a copy of the Kelihos bot itself, which when it is installed, will proceed to spam more of the same Boston-themed spam."

Researchers at Dell Secureworks confirmed that Kelihos is back in action and sending out large amounts of Boston-related spam. The Dell researchers also say some of the spam is emanating from Cutwail, a long-established botnet that has been a favorite vehicle for spam distribution.

"Computer victims who click the malicious link are directed to a page that loads several iframes," Dell Secureworks says. "The iframes perform simultaneous actions when rendered in a victim's web browser: [They] redirect the browser to a YouTube video showing the attack, [and they] redirect the browser to a Redkit Exploit Pack landing page."

After the Web browser loads the Redkit landing page, Redkit initiates a series of requests that ultimately lead to the installation of a malware "cocktail" that may include Win32/Karagany, the Pony downloader Trojan, the ZeroAccess Trojan, and/or the Waledac/Kelihos bot, Dell Secureworks says.

Both companies said they have updated their own security tools to defend against the new attacks.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights