2013-08-08

This post is dedicated to many.. so many wonderful individuals involved in the effort to stand against the Kelihos P2P malware infection. It is an example of WHAT CAN BE DONE when InfoSec people gather to fight a malware infection. This report is entirely the effort of a team whose members simply share the same dream: to free our internet from malware. We cannot list all of your (so many) names, but we all know who you are and what you did. Sincere respect, and thank you very much. There was a lot of bumpy communication at the beginning; for the tense and rough communication we apologize for every inconvenience. I personally am so happy to live in an era of gentlemen like you! #MalwareMustDie!

As you may have noticed in our twitter timeline, we are doing our best in the battle with the Kelihos malware scum. Yes, we were haunted by this infection via the RedKit Exploit Kit, TDSS, direct spam, and via the botnet's own self-updating function, and this "scum" is still out there, happily infecting us ever after. We simply cannot accept this.

Therefore we made every effort a bunch of volunteers from an NPO can make to suppress their growth on the internet. The efforts varied: suspension, sinkholing, DNSBL blocking, VT/URLQuery (+etc) blacklisting, OpenDNS/GoogleDNS blocking, in parallel with a bunch of reports to the regional authorities (CERTs, GroupIB, ISPs, Registrars, ICANN, Microsoft) and to various sinkhole entities.

We received great help and support from the people in the entities mentioned above, and with a perfect delegation of work within our team on twitter we were able to put up a good fight and achieve some good results within 48 hours+. It is unfair to the people who helped and supported us if the only record of the result is twitter; that is why I post the report of our effort here, together with some tips and tricks used in fighting this infection, in our beloved MalwareMustDie blog.

This post is the report of that effort. Here we go..

1. Stopping the new Kelihos NS based .COM services

By the time we started this effort, Kelihos had started to switch its DNS from name servers of the form ns[1-6].[a-z]{7,8}.RU (an ns1 to ns6 host under a 7 or 8 lowercase-letter .RU domain) to .COM TLD domains of the form ns[1-6].[a-z]{7}.COM (the same, under a 7 lowercase-letter .COM domain). We found that all of these domains were released by INTERNET.BS, a registrar well known for being abused by cybercrime to release infector domains. With the great help of the very dedicated individuals mentioned above we took these domains (see below) off the internet:
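The name-server naming scheme above is what lets a defender spot a candidate infector domain before it is confirmed by a PoC (section 3). The script below is an added example, not part of the original post: it reads a constructed passive-DNS/WHOIS style export, flags NS hosts matching the ns[1-6].[a-z]{7,8}.ru and ns[1-6].[a-z]{7}.com patterns, and scores each hit with the two corroborating signals the post relies on (the NS host is self-hosted under the domain it serves, and the registrar is INTERNET.BS). The hostnames osikkid.com and nigucgu.com are from the post; the other rows and the CSV layout are made up for the example.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Hostname scheme the post describes for the Kelihos NS infectors:
#   ns[1-6].<7-8 lowercase letters>.ru   (the original .RU hosts)
#   ns[1-6].<7 lowercase letters>.com    (the newer .COM hosts)
KELIHOS_NS_RU = re.compile(r"^ns[1-6]\.[a-z]{7,8}\.ru$")
KELIHOS_NS_COM = re.compile(r"^ns[1-6]\.[a-z]{7}\.com$")
WATCHED_REGISTRARS = {"internet.bs"}  # registrar the post names for the .COMs


def classify_ns(host: str) -> Optional[str]:
    """Return which Kelihos NS naming pattern a hostname matches, or None."""
    h = host.strip().lower().rstrip(".")
    if KELIHOS_NS_RU.match(h):
        return "ru-pattern"
    if KELIHOS_NS_COM.match(h):
        return "com-pattern"
    return None


def flag_ns_records(csv_text: str) -> List[Dict[str, object]]:
    """Read 'domain,ns_host,registrar' rows and return rows worth a closer look.

    A name-pattern hit alone is weak evidence (plenty of legitimate domains are
    seven letters), so each hit is scored: +1 for the pattern, +1 when the NS
    host sits under the domain it serves, +1 for a watched registrar.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pattern = classify_ns(row["ns_host"])
        if pattern is None:
            continue
        ns = row["ns_host"].strip().lower().rstrip(".")
        domain = row["domain"].strip().lower()
        score = 1
        score += int(ns.endswith("." + domain))               # self-hosted NS
        score += int(row["registrar"].strip().lower() in WATCHED_REGISTRARS)
        hits.append({"domain": domain, "ns_host": ns, "pattern": pattern, "score": score})
    return sorted(hits, key=lambda h: -int(h["score"]))


# Constructed sample export (hypothetical layout): osikkid.com and nigucgu.com
# are the hosts the post names; acmeweb.com and cloudflare.com are made-up controls.
SAMPLE_CSV = """domain,ns_host,registrar
osikkid.com,ns2.osikkid.com,Internet.bs
nigucgu.com,ns1.nigucgu.com,Internet.bs
acmeweb.com,ns1.acmeweb.com,Some Registrar
cloudflare.com,ns1.cloudflare.com,Cloudflare
"""

if __name__ == "__main__":
    for hit in flag_ns_records(SAMPLE_CSV):
        print(hit)
```

The made-up acmeweb.com row shows why a pattern hit alone is not a report: it matches the scheme and is self-hosted, yet scores below the two rows that also carry the registrar signal, and a real report still needs the A-record PoC from section 3.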

Below is the PoC of the suspension and sinkholing result:


This is how they got onto the internet:

#MalwareMustDie! Bahama registrar @internetbs was proven releasing #Kelihos 12(twelve) .COMs in past 2mnth as main NS infector! #PlsHelpRT

— MalwareMustDie, NPO (@MalwareMustDie) August 8, 2013

The following is some of the PoC and hard evidence that the .COM domains Kelihos used are in the extracted database of domains released by INTERNET.BS-->>[PASTEBIN]

2. The dismantling effort of .RU infectors

Currently, the main base of the Kelihos infection is the .RU ccTLD. It is very important to suppress their growth in their home base as well. With great coordination and help from GroupIB we made an effort to dismantle another "NEW" 101 .RU weaponized domains, as listed below:

The status of the domains weaponized by Kelihos to infect, as recorded in HLUX's A records, is here:

And the .RU domains below are currently under blocking with OpenDNS and sinkholing:

Below is the official information received from GroupIB on the SUSPENSION of another 100 Kelihos domains we reported, which followed swiftly, in less than 48 hours! :-)

3. How we PoC an NS infector in a commercial TLD

This is how we always PoC a new infector in the wild. We share it as know-how so that everyone is able to spot and report new infections; our PoC for OSIKKID.COM is below:

4. Monitoring The Actual Infection Range

As of today, before the NS sinkholing takes effect, and with the great effort of our members, we are monitoring the infection at the 1,287 IP addresses actively distributing the Kelihos malware payload all over the world, as listed in our pastebin here-->>[LINK]

You can append /rasta01.exe to the IP address to get the latest Kelihos sample payload for your research purposes, as in the sample below:


These infections are plotted in a good graphical interface by Chris J Wilson, as below:

Infections per ASN:



Infections per country:

Epilogue

The effort is not stopping now.. see below:

#MalwareMustDie! The #Kelihos scums JUST register NEW domain NIGUCGU,COM <via @internetbs TODAY! #BLOCK & #Tango this pic.twitter.com/zCwiPyb8W4

— MalwareMustDie, NPO (@MalwareMustDie) August 8, 2013

And what FAST action from our friends!! See the time stamps in the tweets; it is AMAZING to suspend and sinkhole malware domains THAT fast! :-)) (you guys rock!!)

#MalwareMustDie! Thank's for helps! NIGUCGU,COM is SUSPENDED + in SINKHOLE now! Let's hear #Kelihos scum CRY harder! pic.twitter.com/KKIgkRaLav

— MalwareMustDie, NPO (@MalwareMustDie) August 8, 2013

We work hard at trying to stop this "Kelihos" legend, and the method works!
Don't ever let the Kelihos scum onto the internet! Spot and stop them instantly!
Their weakness is DNS: DO NOT let those NS hosts get any domain!
Let's build the procedure to SPOT, BLOCK, SUSPEND and CLEAN UP in one flow together!
We need your help and your support. Please cooperate with us.

#MalwareMustDie!
