US disrupts giant botnet used for spam and ransomware

Department of Justice targets network it says is responsible for spam emails, distributing ransomware and malware.
Written by Danny Palmer, Senior Writer

US authorities have been targeting the Kelihos botnet.

Image: iStock

US authorities are working to take down one of the world's largest botnets, which controls tens of thousands of infected computers and sends hundreds of millions of spam emails that distribute ransomware and malware across the globe.

Working alongside the FBI and security company Crowdstrike, the US Department of Justice has started blocking domains associated with the Kelihos botnet, one of the most prolific networks of hacker-controlled computer systems in the world.

The network of infected Windows machines has been known to send spam emails, distribute ransomware and malware, harvest usernames and passwords, and engage in Bitcoin theft.

It even uses peer-to-peer communications to allow each individual node to act as its own command-and-control server, and its malicious activity is thought to have affected five percent of all organisations across the globe.

Like other botnets, Kelihos is designed to remain undetected on the infected victim's computer, enabling it to secretly receive instructions for malicious activities and send data back to its operators.

In order to aid in the disruption and dismantling of the botnet, US authorities obtained court orders from the US District of Alaska, granting them permission to redirect traffic from Kelihos-infected computers onto a substitute server run by the FBI, and record the IP addresses the machines attempt to connect to.

Ultimately, this will allow the authorities to identify Kelihos victims and aid them with removing the malware from their machines, as well as blocking and disrupting attempts to infect others. The US government is also working with antivirus vendors and IT security companies in order to provide the latest patches for protecting against and removing Kelihos infections.
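As an added illustration of the victim-identification step described above (example code written for this page, not code from the article, the FBI or CrowdStrike): a small Python triage script that turns sinkhole connection records into a per-IP summary a defender could use for victim notification. The log format, the sinkholed domain names and the sample records are all constructed placeholders, not the real Kelihos domains or the court-ordered server's logs.

```python
"""Sinkhole log triage: aggregate connection attempts to sinkholed domains
into a per-source-IP victim summary (first/last seen, attempts, domains)."""
from datetime import datetime
from ipaddress import ip_address

# Assumed set of domains redirected to the substitute server.
# Constructed placeholders, not the real Kelihos infrastructure.
SINKHOLED_DOMAINS = {"kelihos-c2-example.test", "kelihos-p2p-example.test"}

# Constructed sample records in an assumed "<ISO timestamp> <src IP> <domain>" format.
SAMPLE_LOG = """\
2017-04-10T12:00:01Z 203.0.113.7 kelihos-c2-example.test
2017-04-10T12:00:05Z 198.51.100.22 kelihos-p2p-example.test
2017-04-10T12:03:41Z 203.0.113.7 kelihos-p2p-example.test
2017-04-10T12:04:00Z 192.0.2.9 unrelated-example.test
this line is malformed
2017-04-10T13:15:09Z 203.0.113.7 kelihos-c2-example.test
"""


def parse_line(line):
    """Return (timestamp, ip, domain), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = str(ip_address(parts[1]))  # rejects garbage in the IP column
    except ValueError:
        return None
    return ts, ip, parts[2].lower()


def summarize_victims(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Map each source IP that reached a sinkholed domain to its activity summary."""
    victims = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable records rather than aborting the run
        ts, ip, domain = rec
        if domain not in sinkholed:
            continue  # traffic to non-sinkholed names is not evidence of infection
        entry = victims.setdefault(
            ip, {"first_seen": ts, "last_seen": ts, "attempts": 0, "domains": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["attempts"] += 1
        entry["domains"].add(domain)
    return victims


if __name__ == "__main__":
    for ip, info in sorted(summarize_victims(SAMPLE_LOG).items()):
        print(ip, info["attempts"], info["first_seen"].isoformat(), sorted(info["domains"]))
```

The resulting per-IP list is what an operator would hand to ISPs or CERTs for notification; the host at 192.0.2.9 is excluded because it only contacted a non-sinkholed name.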

"Our success in disrupting the Kelihos botnet was the result of strong cooperation between private industry experts and law enforcement, and the use of innovative legal and technical tactics," said acting assistant attorney general Kenneth A Blanco of the Justice Department's criminal division.

"The Department of Justice is committed to combatting cybercrime, no matter the size or sophistication of the scheme, and to punish those who are engaged in such crimes."

The Justice Department claims that Russian citizen Peter Yuryevich Levashov has operated the botnet since 2010. Levashov allegedly used the information gained from this credential-harvesting operation to further his illegal spamming operation, which he advertised on various online criminal forums. He was arrested in Spain earlier this week.

"This case demonstrates the FBI's commitment to finding and eradicating cyber threats no matter where they are in the world," said FBI special agent in charge Marlin Ritzman.

However, while it is one of the most prolific networks of zombie machines, Kelihos represents just one of many botnets out there infecting millions of systems, such as the Necurs botnet, which recently came back to life following a mysterious absence.

Security experts have also warned that the growing number of Internet of Things devices -- many of which are shipped with flaws that make them vulnerable to remote takeover -- will only make botnet attacks more frequent and damaging in future.
