Kelihos & Peter Severa; the "All Out" version11 Dec 2015
Tag: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever
Warning: It's a "hardcore" disclosure, read only if you need & ready to know..
The "suspect" a.k.a. bad actor in the below slide is responsible for malware distribution via RedKit exploit kit [-1-] [-2-] [-3-], Cookie Bomb [-1-] [-2-] [-3-] [-4-], Malicious Cushion Redirectors [-1-] [-2-], and those all linked and lead to his botnet the Kelihos (aka Khelios aka Waledac) a fast flux botnet [-1-] [-2-] [-3-]. The actor is known with alias name "Petr/Peter Severa" [-1-] [-2-].
When I went to Botconf in December 2013, I was spending much time in my secluded hotel room (I stayed separately than others) more than in conference, so I can focus to this important disclosure that our team was counting on me to reveal it well during the Short Talk chance that was generously and thankfully given for this matter. These are the materials that I looked over and over like hundred times, with thinking of which detail that is needed to be shared in conference, which one that has to be shared to law enforcement only, and what information that is needed to be shared to friend-researchers.
After discussion with our team mate the night before, and several discussions with the important persons, fyi: at that time the Kelihos CNC in Nederlands were successfully taken down my our friend from McAfee, Mr. Christiaan Beek, and our Germany team lead by wirehack7 together with LKA was in literally on "raid" action for the CNC machines of Kelihos CNC from its data center.. It was the crazy busy and hard time for a jet-lagged-guy from Japan who got very tired from travel via Paris airport for 7hrs (stuck in AirPort for long long lines), and slept in front door of hotel all night since the door was locked when I arrived at 11pm.. I selected the slides that was shared in-->[link] that later I rehearsed with Mr. Dhia Mahjoub of OpenDNS, the pair presenter.
Soon it will be three full years since the first time I decompiled our first Kelihos botnet Win32 binary, and 2.5 years since BotConf 2013. With all due respect to great good hard working people in many security incident response entities, internet administration and law enforcement teams, frankly speaking there's nothing has been changed much in these three years, the actor is still out there receiving his monthly affiliated "fee" and living happily with still practicing his unique modus operandi to spread the badness in the internet.
Figure1: Couple of Kelihos CNC dedicated machines' traffic in live monitoring in January 2016 by MalwareMustDie
We still see Kelihos is distributed along with ransomware, and we still see Cookie Bomb codes is used to spread malware & also ransomware too via compromised weak PHP panel sites. The only difference made is we have growing numbers of takedown for this threat, like 22 to 24 CNC service shutdown in Kelihos botnet, and about 8 dedicated machine supported those IPs were taken down, until now.
1. Slides of Kelihos crime PoC w/links to the herder
Among the data I stared in the hotel room, these are the overall today's shareable data collected from our operation against this botnet (excluded Dhia's OpenDNS data which was merged right before the event started), contains very important PoC or evidence as as malicious verdict to a known internet crime bandit from St. Petersburg, the "Severa". I recollect them all in this one slide with adding all re-compiled and renewed comments with more supporting facts.
Our team was patiently waiting for the justification of the crime done by known & reported identification, we reported and being very supportive to the law and order, as per supposed to be done, but the badness from the same source are still there and still active, so, as one of our member had just said "I think that full disclosure after 2.5 years is pretty reasonable.." (poke @Kira), we think the security community need to know what happened recently in Kelihos, what our team had actually achieved about it, and when/how/why/where we know the real ID of the Kelihos botherder who is actually the center of multiple cyber threat in the internet.
Here is the slide:
(the disclosure started from page 53)
Supporting to the evidence posted in the slides above. To delete all of possibility of doubt, this is the video of scan4you.net account used by the actor, under the same email address and under the same tracked payment account used by the herder of Kelihos, the same email address and finance account that is used to pay the bills of the Kelihos dedicated servers in several hosters used, online support management and affiliation malware payment system.
In the following video you will see the:
1. Checking scheme of domains pointed to fast flux used by Kelihos 2. Payload files and hashes of Kelihos binaries 3. How detection ratio of Kelihos binaries is monitored by the herder via API automation 4. Payment made with the regularity. 5. The herder is very limiting his access via web site/pages for his OpSec 6. Some tour about what is scan4you.net systems used by crooks.
Here is the video, with the voice explanation, enjoy this, Severa.
*) This account is still active as per I write this post
3. Severa's financial accounts w/list of overall Kelihos CNC operational servers
This section is to be added, stay tune & watch Severa started to sweat badly..
New year is coming soon...
Please use the posted data with the right way. All of the information mentioned were searchable in the internet or dumps.
I thank fellow MMD team mates & friends, who are proven solid in keeping the team work in fighting any botnet on this planet. The credits are given to the hard work they and other supporters did, this case is a good example as team work management between good folks to fight a bad cyber crime scene.
#MalwareMustDie! - Where good guys spanks bad guys..Hard core :)