Monday, December 21, 2015

MMD-0046-2015 - Kelihos 10 nodes CNC on NJIIX, New Jersey USA, with a known russian crook who rented them

Global variable declaration, to read this post correctly:

/* "XXXXX(censored) data" throughout this post stands for this one value */
const char *email = "XXXXX(censored) data";

int main(void) {
    return 0;
}


Note2: Consider this: the attacks of the Kelihos botnet on my country and several other countries are still unstoppable and on-going. Yet I was told to censor the Kelihos investigation in 2013 without getting any good follow-up from law enforcement on this planet, no matter how hard we tried and how much evidence we provided for each bad thing they did. This post, too, was asked to be censored AGAIN, and right now we still do not see any result in stopping it either. Conclusion: it is time for the people who are the victims of this evil to know the truth. I have lifted all censorship from its seal [link].

THIS is one of the many pieces of evidence of badness conducted by the Kelihos botherder, Peter Severa, with his real ID and address, which we reported and which is known by law enforcement (PS: it is NOT the ID that Brian Krebs announced). Use it by your own will. If the actions of this botherder continue, we will keep on disclosing further and further. God gave us the strength to put the right thing in the right place - @unixfreaxjp - Sat Feb 6 12:58:38 JST 2016

Note: This is a modified version of the original post; sensitive data were censored for "security reasons". Please read "between the lines". I am sorry, and thank you. - God bless them who read the codes - @unixfreaxjp Tue Dec 22 16:56:01 JST 2015

Most fellow malware and botnet researchers in the security community know the term "Kelihos botnet". Many of us find it interesting to study. The botnet has existed for a long time, surviving many takedown and disruption efforts, and it is still in operation until now [link].

The MalwareMustDie group has a "Kelihos Operation" in a small dedicated unit to research this threat. We tried to be responsible in disclosing the botnet's malicious distribution scheme and its payloads in 2013, and we presented a talk about it at BotConf 2013 [link]. The team has been following the threat ever since, with tireless efforts to report it and to support regional jurisdictions in stopping the botnet's further malicious activity. And believe me, MalwareMustDie is aiming much further than the whack-a-mole actions that some in industry and research think we are doing; the disclosure we made on the case, and this post, are proof of our hard work on it.

Even though physical action was taken under the law (with a hat tip to the great work of our GroupIB friends [link]) in the effort to end this "legacy" for good, the herder, who is a notorious cyber criminal [link][link][link], knows how to bend the law and is back in operation, with some improvements to the botnet itself.

In Q3 and Q4 of this year there has been strong distribution [link] of Kelihos binaries from several "major" Exploit Kits [link], implying an effort by the herder to expand the botnet. Following that time frame, several malicious botnet campaigns also started to be detected, each with a very short infection uptime and carefully planned to aim at a specific regional target on a specific operating system platform. Afterwards, just recently, "disruption activities" occurred in the botnet, which boosted the botnet's access revocation, technical changes, version updates and security improvements over before (domains, encryption, payloads, name servers, HTTP services, etc.) without really reducing its P2P peer activity significantly. Hence the botnet is still in operation, but not as "greedy" as we saw it in 2012 and 2013.

This recent development urges me, on behalf of the operation unit in our Kelihos team, to disclose, as "responsibly" as possible, several new updates in information that may be used and linked by law enforcement efforts to build a new cyber criminal case against this well-known bot herder.

We thank the gentlemen/ladies for the hard work they shared together in the effort to stop the threat (this credit list contains not only MMD members; contributors are included):

@VriesHd @Malwageddon @Set_Abominae @DhiaLite @malm0u53 @Xylit0l @ConradLongmore @keyleyang001 @s4n7h0 @essachin
@sempersecurus @JC_SoCal @ChristiaanBeek @unixfreaxjp @lvdeijk @wirehack7 @wopot @kafeine
These are the people who still stick together and contribute very hard effort on the case, each with their own specialty. I myself am in charge of the CNC & infrastructure investigation for the threat, and this writing is mostly based on that specific territory, so I tried to write it without revealing much of the OpSec of my other team mates in the various sections. So the post will not reveal all details of the operational aspect, since there are many more "bigger deal" things that have to be kept close for the further investigation. Feel free to contact us via Twitter DM if somehow I can assist you more on the issue.

Kelihos FUD (Fully UnDetected) check scheme

Generally speaking: as this botnet's concept is peer-to-peer, it uses encrypted communication on a one-to-one basis, redundantly connected to the targeted/instructed peers specified by the central command. The central pushes commands to the infected peers through rings of encryption layers, with the encryption varying at each level, and the peers in each group can reply with a pong in a generic protocol in "a state" that can be noticed by the highest central. This is the way the botnet can be "steered" to aim at a specific territory, like this example [link], to launch specific spam and/or traffic redirection campaigns (the example is in the next paragraph), to avoid several networks, or to "activate / deactivate" activities in some region. In this paragraph I am purposely omitting various functional details that the botnet has (DNS/HTTP/blacklist/P2P crypt/spam modules, etc.).

As peering functionality is important to the Kelihos botnet, the herder is using a known FUD checking service to make sure the main botnet nodes are free from detection, checking against the security industry's mitigation/protection signatures [link] by rapidly monitoring the detection ratio of: (1) binary payloads, (2) IP addresses of Kelihos job servers and main communication peers, (3) CNC hosts, and (4) the web HTML pages containing JavaScript, installed in peers, that are distributed to support several malicious operations (i.e. click fraud, redirectors, malware infection, spam sites, etc.). The herder never keeps the detection ratio high, picking only several important nodes in the botnet to have the lowest detection ratio possible, and trying very hard to keep the detection score of the Kelihos job servers and CNC close to zero.

Kelihos is a botnet-as-a-service which has its own function to spread its threat activity, mainly by spam email from its original spam module, which is controlled directly by the herder to aim at specific region(s), or by a redirection scheme. Several schemes recently spotted in this distribution functionality are shown in the following illustrations: [pump-and-dump] [malicious JS redirector] [URL link basis] [script spam] [pay per click] [regional targeted spam] etc. (malware-related spam cannot be disclosed here).

To be noted: there are top central operation servers which the herder operates separately and which are not listed in the checks. Thus the botnet never involves the CNC layer or an upper layer directly in the distribution layer of the payload, but passes the "delivery" to the infected proxy peers (read: DHCP/ADSL infected PCs connected to the internet behind routers), which makes it harder to prove its maliciousness, even though these upper-layer nodes have a very important role in steering the malicious activity in the infected peers.

The checking scheme of the botnet peers is actually the vector we used to dig up the connection to the source of the threat, so I will not have to disclose the domains, payloads, encryption, campaigns or other OpSec-related work details.

The Kelihos CNC in AS19318(US) at YYYYY(censored)

Within category (3) stated in the section above, the CNC IPs were spotted listed as per the check in the scheme below:

These are the IPs registered to these two dedicated hosts: and as per the check below, they are physically located in New Jersey, United States.

{ "ip": "",
  "hostname": "",
  "ip": "",
  "hostname": "",
  "city": "Secaucus",
  "region": "New Jersey",
  "country": "US",
  "loc": "40.7895,-74.0565",
  "postal": "07094" }
The data above in the form of the textual per-prefix/route networking records used:
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc
||19318 | | (censored) | US | | Interserver Inc

The checks are so important for these IPs on their two hosts that the herder runs them at a frequency of, on average, 16 times per hour, on an hourly basis, for each host, by using the remote API provided by the FUD check service for this purpose. As evidence I snipped a small portion, as below:

To prove the solidity of the data presented, this original picture shows many authentic details:

Since the front end has the payment records captured, it's not that difficult to know that the herder wants to keep on doing this at least until early December 2015 [link].

I think up to this point we all agree that the 10 (ten) US-based IP addresses above are specifically checked by the Kelihos herder for FUD purposes, together with the executable binaries of the botnet, the scripts saved in HTML files on the peers, and other minor matters.
But then questions are raised: Who owns those IPs? How did the Kelihos botnet herder get the US IP addresses in the first place? Is HE the same person we announced in 2013?
The next section will be the disclosure of the answers to all the questions above, plus the ownership information.

The herder data dug up from these 10 IPs

Before I went to BotConf in 2013, we (MalwareMustDie operations in Germany and the Netherlands) launched an effort [link] [link] and we "paralyzed" their payload scheme↓ too -

..and we stopped the payload of Kelihos for some days, and with the help of good fellows from McAfee and LeaseWeb, together we took down the dedicated servers that were used to run as Kelihos mother ships (you will see some video about that in the 2013 link above). It took Kelihos down for about 5 days without payloads, and successfully gave PoC of some evidence of the botnet while disrupting the herder at the same time.

It did not take long for the herder to quickly revive the botnet. And that was the time when the 10 IPs described above were born. During the reviving period the bot herder was renting two dedicated servers from " (owner of" via the QQQQQQ(censored) service, and there is evidence of a payment request from the service to the herder, which looks like this:

If you make an account with any hoster service, for them to contact you they will need your XXXXX(censored) data. Apparently the XXXXX(censored) data used for the contact communication in arranging these servers matches the XXXXX(censored) data registered as contact information in the FUD check system described above [link] that is connected to his main CNC for binary checking.

Well, okay, what is the proof that the 10 IP addresses are owned by a person who is using the XXXXX(censored) data too?
Let's see the explanation below...

Under a good, legitimate cooperation, the picture of the herder's rented dedicated server details in the XXXX(censored) account could be obtained. In this "service" the billing history and the invoices shown for the last two transactions of renting servers are the first initiation payment done by the herder, as seen in the previous data; see the invoice number and the contents, which match what the payment request document also stated.

The two dedicated servers have kept being renewed up until the time I wrote this post; one would find this evidence in the recent details, like below, in the system:

And these 10 IP addresses are the IP addresses that the two hosts are serving. Even though the hoster's secure system needs you to hover the mouse pointer to see these details, one can take screenshots, as below, to manage the captured data as proof, ..aaaand W000T! W000T! These two hosts are the ones responsible for the 10 IP addresses in the United States that were used by the Kelihos herder, under the same XXXXX(censored) contact account, which obviously belongs to the Kelihos botnet herder.

As with every online system, the profile settings part exists, and beyond any doubt one can see that the same XXXXX(censored) data is used when accessing that part :-)

Who is this herder? Not the same guy?

It is proven by this vector too that the herder has the same ID that we, MalwareMustDie, presented at BotConf in 2013, unless you can say that this bot herder is sharing the XXXXX(censored) data that is used to arrange dedicated servers of more than 15 CNC IPs, and to check the FUD of the malware payload+IP, with a good common public citizen who "innocently" uses the same XXXXX(censored) data, without worrying that this "innocent man" will go to the police to report all of the herder's crimes.

And we thank the Shell Club Smart Russia database for helping us point to the correct identification and location, via (XXXXX/censored) data, of the person who is responsible for Kelihos's malicious services such as malicious redirects, click fraud, spam and malware infections behind the botnet. From this point on it's a law enforcement matter to conduct the cyber crime investigation further.

The VERY important P2P peer IPs, job server IPs and CNC IPs of Kelihos

This is actually the most important part. Below is the list of the Kelihos upper infrastructure layer. I will not openly explain which IP is doing what, but for the safety of our internet we strongly suggest you neutralize the listed hosts and block them during the process. The 10 IP addresses listed above are included in the list. The list is a sorted one, from 2013 until today. An IOC sharing the list with each entity would be a nice follow-up for this post. And if you need the historical data, please contact us by sending a message in the comments as usual, stating yourself + your entity email address. PS: There is a lot of data that can be shared with law enforcement only.
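As an added example (not MalwareMustDie's tooling), the following Python parses route records in the pipe-delimited layout quoted in this post into a per-ASN summary and a deduplicated IP list suitable for sharing as an IOC deny list; the field names are my reading of that layout, and the sample records are constructed with RFC 5737 documentation addresses, not real Kelihos nodes. Censored records (blank IP) and malformed lines are skipped rather than crashing the run.

```python
from dataclasses import dataclass
import ipaddress

# Constructed sample in the post's record layout (field names are my reading of it):
#   ip|hostname|asn | bgp_prefix | as_name | cc | allocated | org
# Addresses are RFC 5737 documentation ranges, not real Kelihos nodes.
SAMPLE_RECORDS = """\
192.0.2.10||19318 | 192.0.2.0/24 | INTERSERVER | US | 2010-01-01 | Interserver Inc
192.0.2.11||19318 | 192.0.2.0/24 | INTERSERVER | US | 2010-01-01 | Interserver Inc
198.51.100.7|host7.example|13188 | 198.51.100.0/24 | BANKINFORM | UA | 2009-05-05 | Content Delivery Network Ltd
198.51.100.7|host7.example|13188 | 198.51.100.0/24 | BANKINFORM | UA | 2009-05-05 | Content Delivery Network Ltd
203.0.113.5||48031 | 203.0.113.0/24 | XSERVER-IP-NETWORK | UA | - | PE Ivanov Vitaliy Sergeevich
||13188 | | BANKINFORM | UA | | Content Delivery Network Ltd
this line is not a record
"""


@dataclass(frozen=True)
class RouteRecord:
    ip: str
    hostname: str
    asn: int
    prefix: str
    as_name: str
    cc: str
    org: str


def parse_record(line):
    """Parse one record. Returns None for malformed lines and for records
    whose IP field is blank (the censored entries in the post) or not an IP."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 8:
        return None
    ip, hostname, asn, prefix, as_name, cc, _allocated, org = fields
    try:
        ipaddress.ip_address(ip)          # rejects "" and garbage
        return RouteRecord(ip, hostname, int(asn), prefix, as_name, cc, org)
    except ValueError:
        return None


def parse_records(text):
    """All well-formed records in text, in order (duplicates kept)."""
    parsed = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in parsed if r is not None]


def per_asn_summary(records):
    """Distinct IP count per (asn, as_name, cc): which networks host most nodes."""
    hosts = {}
    for r in records:
        hosts.setdefault((r.asn, r.as_name, r.cc), set()).add(r.ip)
    return {key: len(ips) for key, ips in hosts.items()}


def _addr_key(ip):
    a = ipaddress.ip_address(ip)
    return (a.version, int(a))           # IPv4 before IPv6, then numeric order


def blocklist(records):
    """Deduplicated, sorted IPs ready to share as a deny list (IOC)."""
    return sorted({r.ip for r in records}, key=_addr_key)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (asn, name, cc), n in sorted(per_asn_summary(recs).items()):
        print(f"AS{asn} {name} ({cc}): {n} host(s)")
    print("\n".join(blocklist(recs)))
```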
A snip of the recently checked important IP addresses (historical):

Follow up

With good help from friends at EmergingThreats, the herder can kiss his botnet CNC traffic to its peers goodbye from now on.


This post is a new additional "sin" for ↓this cyber crook↓ against our internet services.
Only a stupid fool like ↑this herder makes the same mistakes over and over.

If you want to see solid proof that the so-called "Petr Severa" is the herder of the Kelihos botnet, please watch the slides and video of our BotConf presentation in 2013 posted on the BotConf website [link].

The botherder closed the 2 CNC dedicated servers with their 10 IP addresses in the USA that we disclosed in this post - #MalwareMustDie *SMACKED* Severa (again!)

If you doubt any truth stated in this post, see for yourself the reaction of the botherder after we released this disclosure: the botherder closed the account of the dedicated servers mentioned in this post (it was much more viewable before the censorship request was received) in December 2015, after the original post was published online. Some PoC of this paragraph is the information below:

This herder is a Russian national, a known cyber crime actor residing in St. Petersburg, Russian Federation, and he is still out there lurking around all of us with his botnet, which actively malvertises its initial infection for expansion purposes via a known Exploit Kit, and is affiliated with several malware campaign distributions until today. We reported his positively confirmed real identity and the evidence of his crime records in 2013, and he is still out there, "untouchable by law", controlling his botnet and making illegal money from it. From now on, in every new year to come, if he is still operating freely, we will disclose deeper and deeper details of the actor's threats + the infrastructure he has, and we won't stop until he stops or is stopped. It's a promise.

For people who say we are vigilantes: we're not the bad guys, he is. We're asking for a crime to be stopped, by the law we believe in. Until the law is upheld against this asshole, we will keep on disturbing him.


* * * Psalm 139 - God Knows Everything * * *

139 Lord, you have examined me
    and know all about me.
You know when I sit down and when I get up.
    You know my thoughts before I think them.
You know where I go and where I lie down.
    You know everything I do.
Lord, even before I say a word,
    you already know it.
You are all around me in front and in back
    and have put your hand on me.
Your knowledge is amazing to me;
    it is more than I can understand.
Where can I go to get away from your Spirit?
    Where can I run from you?
If I go up to the heavens, you are there.
    If I lie down in the grave, you are there.
If I rise with the sun in the east
    and settle in the west beyond the sea,
even there you would guide me.
    With your right hand you would hold me.
I could say, “The darkness will hide me.
    Let the light around me turn into night.”
But even the darkness is not dark to you.
    The night is as light as the day;
    darkness and light are the same to you.
You made my whole being;
    you formed me in my mother’s body.
I praise you because you made me in an amazing and wonderful way.
    What you have done is wonderful.
    I know this very well.
You saw my bones being formed
    as I took shape in my mother’s body.
When I was put together there,
you saw my body as it was formed.
All the days planned for me
    were written in your book
    before I was one day old.
God, your thoughts are precious to me.
    They are so many!
If I could count them,
    they would be more than all the grains of sand.
When I wake up,
    I am still with you.
God, I wish you would kill the wicked!
    Get away from me, you murderers!
They say evil things about you.
    Your enemies use your name thoughtlessly.
Lord, I hate those who hate you;
    I hate those who rise up against you.
I feel only hate for them;
    they are my enemies.
God, examine me and know my heart;
    test me and know my anxious thoughts.
See if there is any bad thing in me.
    Lead me on the road to everlasting life.