Same botnet, same guys, new code presented at Virus Bulletin 2011

by Pierre-marc Bureau (Eset)

Tags: Security


Summary: Several factors make the Win32/Kelihos malware family stand out. First, it uses a custom peer-to-peer network protocol for command and control. Second, it shares many similarities with the Win32/Nuwar (the infamous Storm worm) and Win32/Waledac malware families. Third, the operator of this botnet updates its code frequently, which gives us an opportunity to observe the many changes he applies to his creation over time.

The first variants of Win32/Kelihos were discovered at the end of 2009 and were, at best, in an alpha stage of development; these binaries even had full debugging messages embedded. Since then, we have seen dozens of new variants, each a small step towards improving the malware and its communication mechanisms. Following the evolution of Win32/Kelihos shows us how the malware author is modifying both the malware itself and its communication protocol to improve performance, evade detection and limit the possibilities of poisoning the network.

In this presentation, we describe the evolution of the Win32/Kelihos malware with timelines of its development phases and operations. We elaborate on the network architecture used for the command and control servers and show how similar it is to that of previous peer-to-peer botnets. Our study leads us to believe that the same person developed all three families of malware, and it would appear that he is still working hard at developing his skills to become even more of a nuisance.