-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0029
Title: Kelihos Botnet is Back and Active
Version history: 05.03.2012 Initial publication

Summary
=======

In September 2011, Microsoft announced the takedown of the Kelihos botnet [1]. At the beginning of 2012, Kaspersky found a new version of Kelihos in the wild [2]. Kelihos (also known as Hlux) is a spambot with the capability to steal credentials from the victim's computer and to drop additional malware. While the old version used the second-level domain cz.cc for its distribution and to control the botnet, the new version takes advantage of the .eu TLD in combination with fast-flux techniques [3]. A more detailed analysis may be found in [3].

What can you do?
================

Following [3]: The malware itself seems to ignore several RFCs, which makes it very easy to detect infected computers in corporate and governmental networks.

In the first stage, the malware requests "jucheck.exe" with an incomplete HTTP request:

    GET /jucheck.exe HTTP/1.0
    Host: etrodhy.eu

This particular HTTP request is missing several HTTP header fields which a normal web browser would send. The URL to "jucheck.exe" seems to be quite static, so you just have to watch out for .eu domains in combination with jucheck.exe in your gateway logs.

In the second stage (where the malware tries to connect to other drones using HTTP), the malware sends 1-2 KB of encrypted data to the foreign peer:

    GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1
    Host: 79.132.177.87
    Content-Length: 1464

As it is not normal to issue an HTTP GET request in combination with a Content-Length header, it should be very easy to detect Kelihos in your network: just watch out for HTTP GET requests containing the header field "Content-Length".

What to tell your users?
========================

N/A

More information
================

[1] Microsoft Neutralizes Kelihos Botnet
    http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx?Redirected=true
[2] Kaspersky: Kelihos/Hlux returns
    http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx?Redirected=true
[3] Swiss Security Blog
    http://www.abuse.ch/?p=3658

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
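The two indicators given under "What can you do?" above (a bare GET for jucheck.exe from a .eu host, and any GET carrying a Content-Length header) can be checked mechanically against captured HTTP requests. The following detector is an added example written for this page; it is not part of the CERT-EU advisory or of the abuse.ch analysis it cites. The sample requests are constructed from the two request fragments quoted in the advisory plus two benign requests; the rule names and the list of "normal browser headers" are the example's own choices.

```python
"""Flag the two Kelihos/Hlux HTTP indicators from the advisory in captured requests.

Added example, not CERT-EU code. Input is raw HTTP request text as a proxy, IDS or
packet capture would hand it over; CRLF and bare LF line endings are both accepted.
"""
from dataclasses import dataclass

# Headers a normal browser sends with practically every request. Their absence on a
# GET /jucheck.exe request is the "incomplete HTTP request" the advisory describes.
# (Chosen for this example; extend to taste.)
BROWSER_HEADERS = ("user-agent", "accept")


@dataclass
class Finding:
    rule: str    # which indicator matched
    host: str    # Host header value, port stripped, lower-cased
    path: str    # request target from the request line
    detail: str  # what exactly was observed


def parse_request(raw):
    """Return (method, path, version, headers) or None if the request line is malformed.

    Header names are lower-cased so lookups are case-insensitive; parsing stops at
    the blank line so a body (if any) is never mistaken for a header.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), path, version, headers


def hostname(headers):
    """Host header without an optional :port suffix (IPv4/DNS names; IPv6 literals unhandled)."""
    host = headers.get("host", "")
    return host.rsplit(":", 1)[0].lower() if host else ""


def inspect_request(raw):
    """Apply both advisory rules to one raw request and return the list of findings."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, path, _version, headers = parsed
    if method != "GET":
        return []  # both indicators concern GET requests only
    host = hostname(headers)
    findings = []

    # Stage 1: GET for jucheck.exe from a .eu host; record which browser headers are absent.
    if path.lower().rsplit("/", 1)[-1] == "jucheck.exe" and host.endswith(".eu"):
        missing = [h for h in BROWSER_HEADERS if h not in headers]
        findings.append(Finding("kelihos-stage1-jucheck", host, path,
                                "missing browser headers: " + (", ".join(missing) or "none")))

    # Stage 2: a GET that announces a body via Content-Length (drone-to-drone exchange).
    if "content-length" in headers:
        findings.append(Finding("kelihos-stage2-get-with-body", host, path,
                                "Content-Length: " + headers["content-length"]))
    return findings


def scan(requests):
    """Run inspect_request over an iterable of raw requests and collect all findings."""
    out = []
    for raw in requests:
        out.extend(inspect_request(raw))
    return out


# Constructed samples: the first two reproduce the requests quoted in the advisory,
# the last two are ordinary traffic that must not fire.
STAGE1 = "GET /jucheck.exe HTTP/1.0\r\nHost: etrodhy.eu\r\n\r\n"
STAGE2 = ("GET /FCgbKbGODaYkpTghnsw.htm HTTP/1.1\r\nHost: 79.132.177.87\r\n"
          "Content-Length: 1464\r\n\r\n")
BENIGN_GET = ("GET /index.html HTTP/1.1\r\nHost: www.example.eu\r\n"
              "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
BENIGN_POST = "POST /search HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nq=kelihos"
SAMPLE_REQUESTS = [STAGE1, STAGE2, BENIGN_GET, BENIGN_POST]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.rule}: host={f.host} path={f.path} ({f.detail})")
```

Run against the samples, the stage-1 request is reported with "missing browser headers: user-agent, accept" and the stage-2 request with "Content-Length: 1464", while the browser GET and the POST (where a Content-Length is expected) produce nothing. On a real gateway, feed the function the reconstructed requests from the proxy or IDS rather than access-log summaries, since the second rule needs the header block, not just the URL.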
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPVMS+OhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4NONg//WimlPbTK
OqcfCnaHYa6/nZ4LNnZDvlrsbR28mkaz3RG6ObujUETxZxE8WMuoEZLZ8KfHSU1l
hytgNrQcSAa/oLR/TUkZZSJPuNLs3BfFVUjCo1nAmkxtxqEVMandWeTUR8qsLnpq
918o5ez8m49+y0oD/rNol1+LooSr3Yeu3HFHHrCX7opxDxRQbr728pFRTytgTcys
j8QgoO6eDJpSNoHx4pHxCrCGKCdcbHCahZogApdEDiiL+3KxM9SkKe5AmmmNfqry
f7/puYfYvD6o/DAGNM8CMcM4OBPKi5gLz6N2jIe7t1w6yCijyGfr7nteY9YLOX46
zqJIYy6BzR79pwiDzT0bKYSV9Ije6b/vZJ1ZelarYocsxEfS+3c2INnEFPlU7ilE
4aXil6lpmXOA+B1SWNtjGebUOxNDa20F8miruz5XCWejvx+PSE5FxYmJb8A+WUGl
L/tlniW4+eeKHttTQgb2rCEju5IakYqNw/Sxc1VsKlVHjL7AQhv85zTLS09JPJ/K
de+kCbG0fmItPxEDcL5er7DmwYuS4V0drvtqy1KrLFqrg2UobQp2yilsxwGpyLYD
C5tipRo9ZGg2MIoiqzuzwLI1fxqJYwB7RZ+7wOi3LFEd5t7H6SrHuV6jltOF6evi
rAFPcm4vP0Yr8U/qKq1l1X04loDDRc9gltA=
=mwOL
-----END PGP SIGNATURE-----