Kelihos keeps coming back -- but it's not tough to detect, Zscaler researcher says
Despite concerted attempts to bring it down, the Kelihos botnet is alive and well and infecting devices all over the Web, according to a new report. The good news is that it's not too hard to spot.
In a blog posted Tuesday, Zscaler researcher Chris Mannon offers an analysis of the latest iterations of Kelihos, and four tip-offs that indicate its infection.
"Firstly, the use of P2P [peer to peer] style communication via SMTP [Simple Message Transfer Protocol] raised an eyebrow," Mannon says. "Secondly, we observed the overt way the botnet installs several packet capturing utilities and services. This is done so that the infection can monitor ports 21, 25, and 110 for username and password information."
Third, the botnet attempts to categorize its new victim by using legitimate services to gather intelligence, Mannon says. In one instance, "the malicious file actually queried the victim's IP address on Barracuda Networks, SpamHaus, Mail-Abuse, and Sophos," the blog says. "These services primarily exist to notify users of abuse seen on the site or IP address. Kelihos is using it to to determine if the new victim is already seen as malicious or not.
"A final point to make about this threat is that it makes no attempt to hide exactly how loud it is regarding network activity," Mannon says. "We noted a spike in TCP traffic across a distinct 563 IP addresses in the span of two minutes. Network administrators should take extra care in monitoring users with anomalous levels of traffic. A single node giving off so much traffic to different services in such a small window" could indicate that an end user is infected.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024