Kelihos Botnet Gains Strength Again

by alexander.adamov on February 28th, 2013 in Malware Descriptions, Security Alert.

Part 1. Kelihos Loader

Part 2. Kelihos Backdoor

Part 3. Spam-Bot

Part 4. Password Stealer


We recently observed high Kelihos botnet activity, despite Microsoft's takedown announcement in September 2011 and Kaspersky Lab's in March 2012.

A detailed description of a previous version of the backdoor can be found in Lavasoft's Malware Encyclopedia.

In this publication we would like to update this information and provide more details about the network activity and infection process of the latest versions of Kelihos.

Part 1. Kelihos Loader

Kelihos consists of two parts: a loader and a backdoor. The loader downloads the backdoor file onto the compromised system. Its implementation is quite simple and it is detected by many antivirus engines (MD5: 42032e91596b619d5683e39afc7a4c2a).

The binary is packed with the Mystic Compressor in an effort to evade detection.

The download routine is easy to find in the code.

If the first download attempt fails, the loader waits 10 minutes before trying again.

The sole purpose of this process is to download and execute the backdoor on the victim's computer.

The download URL is built from a randomly generated domain name and a file name chosen from the set below:

http://{random a-z characters}.ru/{ keybex3, rasta01, newbos2, angrim2, calc, moon002, nothing, instcod, firsale}.exe

Recently registered Kelihos domains that were active in Jan-Feb 2013:


All the domains have very similar registration records: the registrar is "REGGI-REG-RIPN" and the registration period is one year. This registrar featured in our recent article, Detecting Malicious URLs - Part 3. Suspicious Registrars.

The botnet still uses fast-flux domains. To defeat DNS caching, the records are published with a TTL of zero, so every lookup goes back to the authoritative server, which answers with a different IP address drawn from a dynamic pool of Kelihos proxy-bots. A zero TTL is itself a useful indicator: legitimate CDNs use short TTLs but rarely zero, and their answers come from a small, stable set of hosting networks rather than thousands of residential addresses.

Over several days we counted 6244 Kelihos proxy-bots in 82 countries in the fast-flux network.
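The fast-flux behaviour described above can be scored from repeated lookups of a domain. The following is an added example, not code from the original post: it takes a series of DNS observations (TTL plus the A records returned by each query) and flags the domain when the TTL is near zero, the answers churn between queries, and the addresses are spread across many networks. The observations below are constructed from private 10.0.0.0/8 addresses and are not real indicators; the /16 prefix is used as a crude stand-in for an ASN lookup, and the thresholds are assumptions to be tuned per environment.

```python
"""Fast-flux heuristic over a series of DNS observations (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Observation:
    ttl: int            # TTL of the A records returned by this query
    answers: tuple      # IP addresses returned by this query


def prefix16(ip: str) -> str:
    """Group an IPv4 address by its /16 (stand-in for a real IP-to-ASN lookup)."""
    packed = int(ip_address(ip))
    return f"{(packed >> 24) & 0xff}.{(packed >> 16) & 0xff}.0.0/16"


def fastflux_score(observations, ttl_threshold=30, min_distinct=10,
                   min_networks=5, min_churn=0.5):
    """Return (is_suspicious, details) for a sequence of Observation.

    Thresholds are assumptions: Kelihos publishes TTL 0, but 30 s leaves
    room for resolvers that clamp TTLs upward.
    """
    observations = list(observations)
    if len(observations) < 2:
        return False, {"reason": "need at least two lookups"}
    max_ttl = max(o.ttl for o in observations)
    distinct = {ip for o in observations for ip in o.answers}
    networks = {prefix16(ip) for ip in distinct}
    # Fraction of consecutive queries whose answer set changed.
    changes = sum(1 for a, b in zip(observations, observations[1:])
                  if set(a.answers) != set(b.answers))
    churn = changes / (len(observations) - 1)
    details = {"max_ttl": max_ttl, "distinct_ips": len(distinct),
               "networks": len(networks), "churn": round(churn, 2)}
    suspicious = (max_ttl <= ttl_threshold
                  and len(distinct) >= min_distinct
                  and len(networks) >= min_networks
                  and churn >= min_churn)
    return suspicious, details


# Constructed: eight lookups of a fast-flux-style name, TTL 0, every answer
# from a different /16 (as proxy-bots on residential connections would be).
FLUX_OBSERVATIONS = [
    Observation(0, ("10.1.14.2", "10.2.77.9")),
    Observation(0, ("10.3.5.41", "10.4.200.8")),
    Observation(0, ("10.5.19.3", "10.6.61.77")),
    Observation(0, ("10.7.8.140", "10.8.233.12")),
    Observation(0, ("10.9.199.4", "10.10.66.90")),
    Observation(0, ("10.11.151.3", "10.12.41.55")),
    Observation(0, ("10.13.175.8", "10.14.222.1")),
    Observation(0, ("10.15.30.6", "10.16.7.200")),
]

# Constructed: a CDN-like name with a short TTL that rotates among three
# addresses in one network. Low TTL and churn alone must not trigger.
CDN_OBSERVATIONS = [
    Observation(20, ("10.200.0.1", "10.200.0.2")),
    Observation(20, ("10.200.0.2", "10.200.0.3")),
    Observation(20, ("10.200.0.3", "10.200.0.1")),
    Observation(20, ("10.200.0.1", "10.200.0.2")),
]

if __name__ == "__main__":
    for name, obs in (("flux", FLUX_OBSERVATIONS), ("cdn", CDN_OBSERVATIONS)):
        print(name, fastflux_score(obs))
```

In a real deployment the observations would come from querying the authoritative server directly (a caching resolver would hide the zero TTL) and the network grouping from a routing database; the point of requiring several independent networks is that a CDN with a short TTL is not fast-flux.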

Part 2. Kelihos Backdoor

The code of the backdoor (MD5: 64dd5503fc9cd455f1c8a544d0bc9015) is encrypted and obfuscated, making it hard for AV scanners to analyze and detect.

For example, the names of API calls and DLL modules are stored encrypted and scattered in memory; they are reconstructed on the fly on the stack when the imports are resolved.

Internal functions are called through a dedicated address table.

Upon execution, the backdoor sets its file attributes to hidden, read-only, system and archive.

The file carries the following WinPcap components in its body, which it uses to sniff network traffic: npf.sys, winpcap.dll, packet.dll. Their presence on a host that has no packet-capture tool installed is a useful indicator in its own right.

While running, the backdoor process creates threads and sends UDP and TCP requests to port 80 of peer computers within the botnet.

The traffic between bots is encrypted.

The initial peer list is stored encrypted in the binary. At the time of writing, 225 of the 500 peers in the backdoor's body were live and could operate as C&C proxies.

Once a connection is established, the backdoor downloads instructions from the C&C through one of the peer proxy-bots. It sends an HTTP GET request for one of the following HTML files:

http://{C&C_proxy_IP_address}/{setup, online, login, welcome, main, search, start, file, index, default, file, home, install}.html
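Both URL patterns on this page, the loader's download URL (a randomly named .ru domain serving one of the listed .exe names) and the backdoor's C&C poll (a GET for one of the listed .html names from a bare peer IP), are simple enough to turn into log rules. The following is an added example, not code from the original post: it applies both rules to constructed proxy-log lines of the form "timestamp client method url". The .ru domain, the peer address and the client addresses in the sample are invented; the file and page names are the ones listed above.

```python
"""Flag Kelihos-style loader downloads and C&C polls in HTTP logs (added example)."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# File names from the loader URL template and page names from the C&C poll.
LOADER_FILES = {"keybex3", "rasta01", "newbos2", "angrim2", "calc",
                "moon002", "nothing", "instcod", "firsale"}
CC_PAGES = {"setup", "online", "login", "welcome", "main", "search", "start",
            "file", "index", "default", "home", "install"}
# The loader domain is a single label of a-z characters directly under .ru.
RANDOM_RU = re.compile(r"^[a-z]+\.ru$")


def is_bare_ipv4(host: str) -> bool:
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False


def classify_url(url: str):
    """Return 'loader', 'cc_poll' or None for one request URL."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    host = parts.hostname or ""
    path = parts.path
    m = re.fullmatch(r"/([a-z0-9]+)\.exe", path)
    if m and RANDOM_RU.match(host) and m.group(1) in LOADER_FILES:
        return "loader"
    m = re.fullmatch(r"/([a-z]+)\.html", path)
    if m and is_bare_ipv4(host) and m.group(1) in CC_PAGES:
        return "cc_poll"
    return None


# Constructed log format: "<timestamp> <client-ip> <METHOD> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def scan_log(lines):
    """Return (client, verdict, url) for every GET that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("method") != "GET":
            continue   # the bot fetches both the loader payload and the C&C pages with GET
        verdict = classify_url(m.group("url"))
        if verdict:
            hits.append((m.group("client"), verdict, m.group("url")))
    return hits


# Constructed sample lines; hosts and clients are invented for the example.
SAMPLE_LOG = [
    "2013-02-20T10:01:02Z 10.0.0.5 GET http://qwxuhgt.ru/calc.exe",
    "2013-02-20T10:01:09Z 10.0.0.5 GET http://10.9.8.7/welcome.html",
    "2013-02-20T10:02:00Z 10.0.0.6 GET http://www.example.com/index.html",
    "2013-02-20T10:02:30Z 10.0.0.6 GET http://files.example.ru/setup.exe",
    "2013-02-20T10:03:00Z 10.0.0.7 POST http://10.9.8.7/login.html",
    "2013-02-20T10:03:05Z 10.0.0.7 GET https://10.9.8.7/login.html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Running it over the sample flags the loader fetch and the C&C poll from 10.0.0.5 and nothing else. Neither rule is strong on its own: "calc.exe" under a short .ru domain could be legitimate, and a GET for /index.html from a bare IP is common wherever internal web servers exist, so restrict the second rule to destinations outside your own address space and correlate with the zero-TTL and registrar observations above before acting on a hit.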

The communication with the server is encrypted and compressed with zlib. More information about the encryption scheme can be found in Kaspersky Lab's blog.

The server's response contains commands from the C&C. Sometimes, however, the backdoor receives an AV block message instead, such as the one we received from a protected computer located in Kharkov, Ukraine.

Part 3. Spam-bot

In our case the backdoor received a command to operate as a spam-bot. The command data may contain the sender names, mailbox names, referrers and subjects listed below.

The "From" field of a spam message is constructed as follows:

From: {Name} {Surname} {name@domain}

Sender names:

Abel, Abraham, Ada, Adalbert, Adam, Adrian, Agatha, Agnes, Alan, Albert, Alec, Alexander, Alfred, Algernon, Alice, Allan, Aloys, Amabel, Ambrose, Amelia, Amy, Andrew, Andromache, Andy, Angelica, Angelina, Ann, Anna, Annabel, Annie, Anthony, Antoinette , Antony, Anthony, Arabella, Archibald, Archie, Arnold, Arthur, Aubrey, August, Augustus, Aurora, Austin, Bab, Baldwin, Barbara, Bart, Bartholomew, Basil, Beatrice, Beatrix, Beck, Becky, Bel, Bella, Ben, Benedict, Benjamin, Benny, Bernard, Bert, Bertie, Bertram, Bess, Bessie, Bessy, Betsey, Betsy, Betty, Biddy, Bill, Billy, Blanch, Bod, Bobbie, Bobby, Brian, Bridget, Candida, Carol, Caroline, Carrie, Caspar, Catherine, Cecil, Cecilia, Cecily, Charles, Charley, Charlie, Charlotte, Chris, Christian, Christiana, Christie, Christina, Christine, Christopher, Christy, Clara, Clare, Clarence, Claud, Claudius, Clem, Clement, Clementina, Clementine, Clifford, Clotilda, Colette, Connie, Connor, Constance, Cora, Cordelia, Cornelia, Cornelius, Cyril, Cyrus, Dan, Daniel, Dannie, Dave, David, Davy, Deborah, Denis, Dennis, Desmond, Diana, Dick, Dickie, Dickon, Dicky, Dinah, Dob, Dobbin, Doll, Dolly, Dolores, Donald, Dora, Dorian, Doris, Dorothy, Douglas, Eddie, Eddy, Edgar, Edith, Edmund, Edna, Edward, Edwin, Eleanor, Elijah, Elinor, Elisabeth, Ella, Ellen, Elliot, Elmer, Elsie, Elvira, Emery, Emilia, Emily, Emm, Emma, Emmanuel, Emmie, Emory, Enoch, Erasmus, Ernest, Ernie, Essie, Esther, Ethel, Etta, Eugene, Eustace, Eva, Eve, Evelina, Eveline, Evelyn, Fanny, Felicia, Felice, Felix, Ferdinand, Fidelia, Flo, Flora, Florence, Flossie, Floy, Frances, Francis, Frank, Fred, Freddie, Freddy, Frederic, Frederik, Freda, Frida, Gabriel, Geffrey, Geoffrey, George, Gerald, Gertie, Gertrude, Gideon, Gil, Gilbert, Gladys, Gloria, Godfrey, Godwin, Gordon, Grace, Graham, Gregory, Greta, Griffith, Guy, Gwendolen, Gwendoline, Gwendolyn, Hadrian, Hal, Hannah, Harold, Harriet, Harriot, Harry, Hatty, Helen, Helena, Henrietta, Henry, Herbert, Hermann, 
Herman, Hester, Hetty, Hilary, Hilda, Hope, Horace, Horatio, Howard, Hubert, Hugh, Hugo, Humphrey, Humphry, Ida, Ike, Ira, Irene, Isaac, Isabel, Isabella, Isaiah, Isidore, Isolde, Isold, Israel, Jack, Jacob, Jake, James, Jane, Janet, Jasper, Jean, Jeff, Jeffrey, Jem, Jemima, Jen, Jennie, Jennifer, Jenny, Jeremiah, Jerome, Jerry, Jess, Jessica, Jessie, Jessy, Jim, Jimmy, Joachim, Joan, Joanna, Job, Jock, Joe, Joey, John, Johnny, Jonathan, Joseph, Josephine, Joshua, Joy, Joyce, Jozy, Judith, Judy, Julia, Julian, Juliana, Juliet, Julius, Kate, Katharine, Kathleen, Katie, Katrine, Keith, Kenneth, Kit, Kitty, Lambert, Laura, Laurence, Lauretta, Lawrence, Lazarus, Leila, Leo, Leonard, Leonora, Leopold, Lesley, Leslie, Lew, Lewie, Lewis, Lillian, Lily, Linda, Lionel, Liz, Liza, Lizzie, Louie, Louis, Louisa, Louise, Lucas, Lucy, Luke, Mabel, Madeleine, Madge , Mag, Maggie, Magnus, Malcolm, Mamie, Marcus, Margaret, Margery, Margie, Maria, Marian, Marianne, Marina, Marion, Marjory, Mark, Martha, Martin, Mary, Mat, Matilda, Mathilda, Matthew, Matthias, Matty, Maud, Maude, Maurice, Max, Maximilian, May, Meg, Meggy, Mercy, Meredith, Michael, Micky, Mike, Mildred, Millie, Mima, Minna, Minnie, Mirabel, Miranda, Miriam, Moll, Molly, Monica, Montague, Montagu, Monty, Morgan, Morris, Mortimer, Moses, Muriel, Nance, Nancy, Nannie, Nanny, Nat, Natalia, Natalie, Nathan, Nathaniel, Ned, Neddie, Neddy, Nell, Nellie, Nelly, Net, Nettie, Netty, Neville, Nicholas, Nik, Nikola, Nina, Ninette, Ninon, Noah, Noel, Noll, Nolly, Nora, Norman, Odette, Olive, Oliver, Olivia, Ophelia, Oscar, Osmond, Osmund, Oswald, Ottilia, Owen, Paddy, Pat, Patricia, Patrick, Patty, Paul, Paula, Paulina, Pauline, Peg, Peggy, Pen, Penelope, Penny, Persy, Pete, Peter, Phil, Philip, Pip, Pius, Pol, Polly, Portia, Rachel, Ralph, Ranald, Randolph, Raphael, Rasmus, Ray, Raymond, Rebecca, Reg, Reggie, Reginald, Reynold, Richard, Rita, Rob, Robbie, Robert, Robin, Roddy, Roderick, Rodney, Roger, Roland, Rolf, Romeo, Ronald, 
Rosa, Rosabel, Rosabella, Rosalia, Rosalie, Rosalind, Rosaline, Rosamond, Rosamund, Rose, Rosemary, Rowland, Roy, Rudolf, Rudolph, Rupert, Ruth, Sadie, Sal, Sally, Salome, Sam, Sammy, Sampson, Samson, Samuel, Sanders, Sandy, Sarah, Sara, Saul, Sebastian, Septimus, Sibil, Sibyl, Sibylla, Sidney, Siegfried, Silas, Silvester, Silvia, Sim, Simeon, Simmy, Simon, Sol, Solly, Solomon, Sophia, Sophie, Sophy, Stanislas, Stanislaus, Stanley, Stella, Stephana, Stephanie, Stephen, Steve, Sue, Susan, Susanna, Susannah, Susie, Susy, Sylvester, Sylvia, Ted, Teddy, Terry, Tessa, Theobald, Theodora, Theodore, Theresa, Teresa, Thomas, Tib, Tibbie, Tilda, Tilly, Tim, Timothy, Tina, Tobias, Toby, Tom, Tommy, Tony, Tristan, Trudy, Tybalt, Valentine, Veronica, Victor, Victoria, Vincent, Viola, Violet, Virginia, Vivian, Vivien, Wallace, Walt, Walter, Wat, Watty, Wilfred, Wilfrid, Will, William, Willy, Win, Winifred, Winnie

Sender surnames:

Smith, Johnson, Williams, Jones, Brown, Davis, Miller, Wilson, Moore, Taylor, Anderson, Thomas, Jackson, White, Harris, Martin, Thompson, Garcia, Martinez, Robinson, Clark, Rodriguez, Lewis, Lee, Walker, Hall, Allen, Young, Hernandez, King, Wright, Lopez, Hill, Scott, Green, Adams, Baker, Gonzalez, Nelson, Carter, Mitchell, Perez, Roberts, Turner, Phillips, Campbell, Parker, Evans, Edwards, Collins, Stewart, Sanchez, Morris, Rogers, Reed, Cook, Morgan, Bell, Murphy, Bailey, Rivera, Cooper, Richardson, Cox, Howard, Ward, Torres, Peterson, Gray, Ramirez, James, Watson, Brooks, Kelly, Sanders, Price, Bennett, Wood, Barnes, Ross, Henderson, Coleman, Jenkins, Perry, Powell, Long, Patterson, Hughes, Flores, Washington, Butler, Simmons, Foster, Gonzales, Bryant, Alexander, Russell, Griffin, Diaz, Hayes, Myers, Ford, Hamilton, Graham, Sullivan, Wallace, Woods, Cole, West, Jordan, Owens, Reynolds, Fisher, Ellis, Harrison, Gibson, Mcdonald, Cruz, Marshall, Ortiz, Gomez, Murray, Freeman, Wells, Webb, Simpson, Stevens, Tucker, Porter, Hunter, Hicks, Crawford, Henry, Boyd, Mason, Morales, Kennedy, Warren, Dixon, Ramos, Reyes, Burns, Gordon, Shaw, Holmes, Rice, Robertson, Hunt, Black, Daniels, Palmer, Mills, Nichols, Grant, Knight, Ferguson, Rose, Stone, Hawkins, Dunn, Perkins, Hudson, Spencer, Gardner, Stephens, Payne, Pierce, Berry, Matthews, Arnold, Wagner, Willis, Ray, Watkins, Olson, Carroll, Duncan, Snyder, Hart, Cunningham, Bradley, Lane, Andrews, Ruiz, Harper, Fox, Riley, Armstrong, Carpenter, Weaver, Greene, Lawrence, Elliott, Chavez, Sims, Austin, Peters, Kelley, Franklin, Lawson, Fields, Gutierrez, Ryan, Schmidt, Carr, Vasquez, Castillo, Wheeler, Chapman, Oliver, Montgomery, Richards, Williamson, Johnston, Banks, Meyer, Bishop, Mccoy, Howell, Alvarez, Morrison, Hansen, Fernandez, Garza, Harvey, Little, Burton, Stanley, Nguyen, George, Jacobs, Reid, Kim, Fuller, Lynch, Dean, Gilbert, Garrett, Romero, Welch, Larson, Frazier, Burke, Hanson, Day, Mendoza, Moreno, Bowman, 
Medina, Fowler, Brewer, Hoffman, Carlson, Silva, Pearson, Holland, Douglas, Fleming, Jensen, Vargas, Byrd, Davidson, Hopkins, May, Terry, Herrera, Wade, Soto, Walters, Curtis, Neal, Caldwell, Lowe, Jennings, Barnett, Graves, Jimenez, Horton, Shelton, Barrett, Obrien, Castro, Sutton, Gregory, Mckinney, Lucas, Miles, Craig, Rodriquez, Chambers, Holt, Lambert, Fletcher, Watts, Bates, Hale, Rhodes, Pena, Beck, Newman, Haynes, Mcdaniel, Mendez, Bush, Vaughn, Parks, Dawson, Santiago, Norris, Hardy, Love, Steele, Curry, Powers, Schultz, Barker, Guzman, Page, Munoz, Ball, Keller, Chandler, Weber, Leonard, Walsh, Lyons, Ramsey, Wolfe, Schneider, Mullins, Benson, Sharp, Bowen, Daniel, Barber, Cummings, Hines, Baldwin, Griffith, Valdez, Hubbard, Salazar, Reeves, Warner, Stevenson, Burgess, Santos, Tate, Cross, Garner, Mann, Mack, Moss, Thornton, Dennis, Mcgee, Farmer, Delgado, Aguilar, Vega, Glover, Manning, Cohen, Harmon, Rodgers, Robbins, Newton, Todd, Blair, Higgins, Ingram, Reese, Cannon, Strickland, Townsend, Potter, Goodwin, Walton, Rowe, Hampton, Ortega, Patton, Swanson, Joseph, Francis, Goodman, Maldonado, Yates, Becker, Erickson, Hodges, Rios, Conner, Adkins, Webster, Norman, Malone, Hammond, Flowers, Cobb, Moody, Quinn, Blake, Maxwell, Pope, Floyd, Osborne, Paul, Mccarthy, Guerrero, Lindsey, Estrada, Sandoval, Gibbs, Tyler, Gross, Fitzgerald, Stokes, Doyle, Sherman, Saunders, Wise, Colon, Gill, Alvarado, Greer, Padilla, Simon, Waters, Nunez, Ballard, Schwartz, Mcbride, Houston, Christensen, Klein, Pratt, Briggs, Parsons, Mclaughlin, Zimmerman, French, Buchanan, Moran, Copeland, Roy, Pittman, Brady, Mccormick, Holloway, Brock, Poole, Frank, Logan, Owen, Bass, Marsh, Drake, Wong, Jefferson, Park, Morton, Abbott, Sparks, Patrick, Norton, Huff, Clayton, Massey, Lloyd, Figueroa, Carson, Bowers, Roberson, Barton, Tran, Lamb, Harrington, Casey, Boone, Cortez, Clarke, Mathis, Singleton, Wilkins, Cain, Bryan, Underwood, Hogan, Mckenzie, Collier, Luna, Phelps, Mcguire, 
Allison, Bridges, Wilkerson, Nash, Summers, Atkins, Wilcox, Pitts, Conley, Marquez, Burnett, Richard, Cochran, Chase, Davenport, Hood, Gates, Clay, Ayala, Sawyer, Roman, Vazquez, Dickerson, Hodge, Acosta, Flynn, Espinoza, Nicholson, Monroe, Wolf, Morrow, Kirk, Randall, Anthony, Whitaker, Oconnor, Skinner, Ware, Molina, Kirby, Huffman, Bradford, Charles, Gilmore, Dominguez, Oneal, Bruce, Lang, Combs, Kramer, Heath, Hancock, Gallagher, Gaines, Shaffer, Short, Wiggins, Mathews, Mcclain, Fischer, Wall, Small, Melton, Hensley, Bond, Dyer, Cameron, Grimes, Contreras, Christian, Wyatt, Baxter, Snow, Mosley, Shepherd, Larsen, Hoover, Beasley, Glenn, Petersen, Whitehead, Meyers, Keith, Garrison, Vincent, Shields, Horn, Savage, Olsen, Schroeder, Hartman, Woodard, Mueller, Kemp, Deleon, Booth, Patel, Calhoun, Wiley, Eaton, Cline, Navarro, Harrell, Lester, Humphrey, Parrish, Duran, Hutchinson, Hess, Dorsey, Bullock, Robles, Beard, Dalton, Avila, Vance, Rich, Blackwell, York, Johns, Blankenship, Trevino, Salinas, Campos, Pruitt, Moses, Callahan, Golden, Montoya, Hardin, Guerra, Mcdowell, Carey, Stafford, Gallegos, Henson, Wilkinson, Booker, Merritt, Miranda, Atkinson, Orr, Decker, Hobbs, Preston, Tanner, Knox, Pacheco, Stephenson, Glass, Rojas, Serrano, Marks, Hickman, English, Sweeney, Strong, Prince, Mcclure, Conway, Walter, Roth, Maynard, Farrell, Lowery, Hurst, Nixon, Weiss, Trujillo, Ellison, Sloan, Juarez, Winters, Mclean, Randolph, Leon, Boyer, Villarreal, Mccall, Gentry, Carrillo, Kent, Ayers, Lara, Shannon, Sexton, Pace, Hull, Leblanc, Browning, Velasquez, Leach, Chang, House, Sellers, Herring, Noble, Foley, Bartlett, Mercado, Landry, Durham, Walls, Barr, Mckee, Bauer, Rivers, Everett, Bradshaw, Pugh, Velez, Rush, Estes, Dodson, Morse, Sheppard, Weeks, Camacho, Bean, Barron, Livingston, Middleton, Spears, Branch, Blevins, Chen, Kerr, Mcconnell, Hatfield, Harding, Ashley, Solis, Herman, Frost, Giles, Blackburn, William, Pennington, Woodward, Finley, Mcintosh, Koch, 
Best, Solomon, Mccullough, Dudley, Nolan, Blanchard, Rivas, Brennan, Mejia, Kane, Benton, Joyce, Buckley, Haley, Valentine, Maddox, Russo, Mcknight, Buck, Moon, Mcmillan, Crosby, Berg, Dotson, Mays, Roach, Church, Chan, Richmond, Meadows, Faulkner, Oneill, Knapp, Kline, Barry, Ochoa, Jacobson, Gay, Avery, Hendricks, Horne, Shepard, Hebert, Cherry, Cardenas, Mcintyre, Whitney, Waller, Holman, Donaldson, Cantu, Terrell, Morin, Gillespie, Fuentes, Tillman, Sanford, Bentley, Peck, Key, Salas, Rollins, Gamble, Dickson, Battle, Santana, Cabrera, Cervantes, Howe, Hinton, Hurley, Spence, Zamora, Yang, Mcneil, Suarez, Case, Petty, Gould, Mcfarland, Sampson, Carver, Bray, Rosario, Macdonald, Stout, Hester, Melendez, Dillon, Farley, Hopper, Galloway, Potts, Bernard, Joyner, Stein, Aguirre, Osborn, Mercer, Bender, Franco, Rowland, Sykes, Benjamin, Travis, Pickett, Crane, Sears, Mayo, Dunlap, Hayden, Wilder, Mckay, Coffey, Mccarty, Ewing, Cooley, Vaughan, Bonner, Cotton, Holder, Stark, Ferrell, Cantrell, Fulton, Lynn, Lott, Calderon, Rosa, Pollard, Hooper, Burch, Mullen, Fry, Riddle, Levy, David, Duke, Odonnell, Guy, Michael, Britt, Frederick, Daugherty, Berger, Dillard, Alston, Jarvis, Frye, Riggs, Chaney, Odom, Duffy, Fitzpatrick, Valenzuela, Merrill, Mayer, Alford, Mcpherson, Acevedo, Donovan, Barrera, Albert, Cote, Reilly, Compton, Raymond, Mooney, Mcgowan, Craft, Cleveland, Clemons, Wynn, Nielsen, Baird, Stanton, Snider, Rosales, Bright, Witt, Stuart, Hays, Holden, Rutledge, Kinney, Clements, Castaneda, Slater, Hahn, Emerson, Conrad, Burks, Delaney, Pate, Lancaster, Sweet, Justice, Tyson, Sharpe, Whitfield, Talley, Macias, Irwin, Burris, Ratliff, Mccray, Madden, Kaufman, Beach, Goff, Cash, Bolton, Mcfadden, Levine, Good, Byers, Kirkland, Kidd, Workman, Carney, Dale, Mcleod, Holcomb, England, Finch, Head, Burt, Hendrix, Sosa, Haney, Franks, Sargent, Nieves, Downs, Rasmussen, Bird, Hewitt, Lindsay, Foreman, Valencia, Oneil, Delacruz, Vinson, Dejesus, Hyde, Forbes, Gilliam, 
Guthrie, Wooten, Huber, Barlow, Boyle, Mcmahon, Buckner, Rocha, Puckett, Langley, Knowles, Cooke, Velazquez, Whitley, Noel, Vang, Shea, Rouse, Hartley, Mayfield, Elder, Rankin, Hanna, Cowan, Lucero, Arroyo, Slaughter, Haas, Oconnell, Minor, Kendrick, Shirley, Kendall, Boucher, Archer, Boggs, Odell, Dougherty, Andersen, Newell, Crowe, Wang, Friedman, Bland, Swain, Holley, Felix, Pearce, Childs, Yarbrough, Galvan, Proctor, Meeks, Lozano, Mora, Rangel, Bacon, Villanueva, Schaefer, Rosado, Helms, Boyce, Goss, Stinson, Smart, Lake, Ibarra, Hutchins, Covington, Reyna, Gregg, Werner, Crowley, Hatcher, Mackey, Bunch, Womack, Polk, Jamison, Dodd, Childress, Childers, Camp, Villa, Dye, Springer, Mahoney, Dailey, Belcher, Lockhart, Griggs, Costa, Connor, Brandt, Winter, Walden, Moser, Tracy, Tatum, Mccann, Akers, Lutz, Pryor, Law, Orozco, Mcallister, Lugo, Davies, Shoemaker, Madison, Rutherford, Newsome, Magee, Chamberlain, Blanton, Simms, Godfrey, Flanagan, Crum, Cordova, Escobar, Downing, Sinclair, Donahue, Krueger, Mcginnis, Gore, Farris, Webber, Corbett, Andrade, Starr, Lyon, Yoder, Hastings, Mcgrath, Spivey, Krause, Harden, Crabtree, Kirkpatrick, Hollis, Brandon, Arrington, Ervin, Clifton, Ritter, Mcghee, Bolden, Maloney, Gagnon, Dunbar, Ponce, Pike, Mayes, Heard, Beatty, Mobley, Kimball, Butts, Montes, Herbert, Grady, Eldridge, Braun, Hamm, Gibbons, Seymour, Moyer, Manley, Herron, Plummer, Elmore, Cramer, Gary, Rucker, Hilton, Blue, Pierson, Fontenot, Field, Rubio, Grace, Goldstein, Elkins, Wills, Novak, John, Hickey, Worley, Gorman, Katz, Dickinson, Broussard, Fritz, Woodruff, Crow, Christopher, Britton, Forrest, Nance, Lehman, Bingham, Zuniga, Whaley, Shafer, Coffman, Steward, Delarosa, Nix, Neely, Numbers, Mata, Manuel, Davila, Mccabe, Kessler, Emery, Bowling, Hinkle, Welsh, Pagan, Goldberg, Goins, Crouch, Cuevas, Quinones, Mcdermott, Hendrickson, Samuels, Denton, Bergeron, Lam, Ivey, Locke, Haines, Thurman, Snell, Hoskins, Byrne, Milton, Winston, Arthur, Arias, 
Stanford, Roe, Corbin, Beltran, Chappell, Hurt, Downey, Dooley, Tuttle, Couch, Payton, Mcelroy, Crockett, Groves, Clement, Leslie, Cartwright, Dickey, Mcgill, Dubois, Muniz, Erwin, Self, Tolbert, Dempsey, Cisneros, Sewell, Latham, Garland, Vigil, Tapia, Sterling, Rainey, Norwood, Lacy, Stroud, Meade, Amos, Tipton, Lord, Kuhn, Hilliard, Bonilla, Teague, Courtney, Gunn, Greenwood, Correa, Reece, Weston, Poe, Trent, Pineda, Phipps, Frey, Kaiser, Ames, Paige, Gunter, Schmitt, Milligan, Espinosa, Carlton, Bowden, Vickers, Lowry, Pritchard, Costello

Sender mailbox names (the local part before the @):

2821321211, 3dbeckypascal, 3dbelvyra, 3dbesperat, 687892066, 688609982, 688822086, 734838907, 734849353, 734899629, 734904846, 734924950, 734987110, 735040266, 735073874, 735076699, 735109047, 735116627, aausland, aavant, abuse, admin, afulghum, ajackson, ajacobs, alexdim, alfonso.masana, alt, amr_mail, andreys, arnie, asmith, babineau, badea633, bcombs, bdorio, ben, bereketboss, bhollern, bill.pyle, bingo, blizzard, blj, bljl, bo.xu, bob.cowles, bobnsteph2002, bobnsue, boxsters, butlerje76, cbeard, cburns, cffmb, cffresh, cheffyvee, eAgC, chefholland2000, chrisbolling2, chrisbond, dN1C, cindy, cindybob, clement, coenieza, copeland, copy, craigcornelius, daarthur, daassist, daniels.ochieng, danielsnjl, davebelize, davison, devil_chua, dhill, djpack, djpappas, doorboss, dturman, dyim, ekanto, erik, erik.toernqvist, erik.ullman, evgen, fanli, ffletcher, flynhiva, flynn2525, fran, fran.morrow, fun, fushenyu, genemau, ghost, gregory, gregory.larsen, gregory_leonard, gregoryl, ham1mer, ham39980, henning, hitman, hitmandrock, hugo.callens, hugocasta, indima, indio, indiog, info, inge.bergvall, insomnia, itv, ivan69, j.beder, jaimeh, jaimeh_1, jbedell, jdesroche, jeng_daniel, jiayongl, jim_brows, jimbruce, johan, johan.segolsson, johan_segergren, johnston, jokre1, jscha, aiKC, jyhbc, jyhhann, jyhwu, karen.loalbo, karl.vang, karlvail, kchau, kennth.ross, kenny10, kjheon, kjhinson, kjia_min999, knwen, kreinert3, lararj, len.krukowski, len_krukowski, liangbingmeiluo, liangbo_daqing, lisa.morgan, lpaterson, lpatterson, lpatton, m.socrates, mabat-pi, mail, major, mary, mary_addor, matrosov, maureenr52, mbyrne, mef, mefuho, mfischer, mfischette, michaels, mikeli, mlmurga, monaya, mpope, nancym, nhl, nhlxkis, nick, nlrz, novak, office, olis, omarsns, on.coltd, paralyn, paulg,, peter.huet, peter.huetter, peterk, peterkenyon, popcornjim, postmaster, povilasj, protain, radka.krkoskova, raul.m.rebelo, rdb, rdbeers, reman, ricky.dover, rickyd, rickydbcat, rlbrooks, robertsh, 
rogerssteve, rolf, roselyn494, rothwiler, rsvp, rxh6, ryancho0, s.pryor, s.vrabac, sales, salesny, sannyposh, sano, sano_aku, sano_kazuya, sanobrjb, sanoli2, sanoman, sdb, sdbdek, sergey, sgold, shafia, shafie, shimoneli, simler, skepplanda.btk, smith98123q, smithj, sono1pera, sonoda, ssoja, stanislav.antic, steve, stroud, superslog, ta7mlms, takahashi.yuh, takahata, takahide, takahiro_hiroi, teri_kirkland,, theonedjmantis, tim, tlameta_sione, tmalburg, tmaley, tmalfred, travasik, tsiler, vag_serv, vespasianius, vivian, waddah, waddell, waddellbianca, webmaster,, whualei, whuang, wlq304, wspieth, wv_office, wvlfy, yourname, yuanweiw, yuill9

Referrers: a list of referrer domains whose entries did not survive in this copy.

We found the email addresses used to send spam:

(12 emails)
(21 emails)
(974 emails)

The bot also harvests data from files on the user's computer, skipping files with the following extensions (media, images, executables and archives, i.e. files unlikely to contain text such as email addresses):

avi mov wmv mp3 wave wav wma ogg vob png jpg jpeg gif bmp exe dll ocx class msi zip 7z rar jar gz hxw hxh hxn hxd

The email subjects are typical of spam and mostly advertise job opportunities, "legal drugs" forums and Viagra-style pills:

Find the job that's right for you.
Job NEW!
Vacancy NEW!
Offer NEW!
Job Offer
Job Offer NEW!
Job Vacancy
Part-time Work
Part-time Job
Vacancies NEW!
Job Position
Open Vacancies
New Job
New Work
New Vacancy
New Offer
New Job Offer
New Job Vacancy
Salary 2600 EUR
Job! Part-time! Stable Salary!
Work! Part-time! Salary!
Work In The Company
Work In The Company NEW!
Work In The Marketing Company
Vacancy! Part-Time!
Job Vacancy NEW!
Part-time Work NEW!
Employment opportunity.
Build a Better Career.
Find your calling.
Launch your career.
Looking for jobs?
Great career opportunities.
Find your dream job!
Conteste a la nueva proposicion de trabajo en el departamento de Finanzas para (Reply to the new job proposal in the Finance department for)
Respuesta a una nueva invitacion de trabajo en el departamento de Finanzas para (Reply to a new job invitation in the Finance department for)
Respuesta a una nueva incitacion de trabajo en Atencion al cliente (Reply to a new job invitation in Customer Service)
La respuesta a un trabajo solicitado para (The reply to a job applied for)
Wir suchen Mitarbeiter in Deutschland.Stelle Manager fur den Vertrieb von Waren. (We are looking for employees in Germany. Position: manager for the sale of goods.)
Stellenangebot Manager in Deutschland. (Job offer: manager in Germany.)

Legal drugs shops
Legal drugs forum
Powders, pills, smoking blends
Synthetic drugs forum
Pure DMAA Powder forum
Forum about Blast Off Natural Party Powder
Forum about JWH, Naphyrone, 5-IAI and more
Forum about Powders, pills, smoking blends
Blast Off Natural Party Powder forum
JWH, Naphyrone, 5-IAI and more forum

The only method to energize your love life
Time for great nights with your female partner
Very good method to regain your intimate life
Outstanding solution for your intimate life
It helps to forget about male problems
Do you wish to surprise your woman tonight?
The only method to energize your loving life
Keep your lover entertained every night
The only technique to unleash your love life
You'll be good in bed
The truth about potence
Do you desire to become huge for women?
Do you wish to please your lady tonight?
Do you wish to surprise your gf tonight?
Be yourself, act brilliant in bed
She will be impressed by your strength
Do you want to see her happy this night?
Do you wish to gratify your babe this night?
Do you wish to satisfy your wife at night?
The only method to enhance your intimate life
You'll be the girl's idol
Feel the joy of ultimate life
Ancient secret of nonstop nights of pleasure
Kindle your impulse to the limit
Herbal Highs forum
She will stay amazed by your potency
Do you wish to surprise your gf tonight?

To avoid being banned, the backdoor rotates through different User-Agent strings in its HTTP requests. Several of them are anachronistic (a ZX-81 running CP/M-86, Internet Explorer 1.0 on Windows 95) and are themselves usable as indicators:

Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre
Mozilla/5.0 (X11; U; Linux x86_64; cy; rv:1.9.1b3) Gecko/20090327 Fedora/3.1-0.11.beta3.fc11 Firefox/3.1b3
Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv: Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6 ; nl; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; es-AR; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv: Gecko/20080623 Firefox/
Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-HK; rv: Gecko Firefox/2.0
Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv: Gecko/20060909 Firefox/
Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv: Gecko/20060111 Firefox/
Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (X11; I; SunOS sun4u; en-GB; rv:1.7.8) Gecko/20050713 Firefox/1.0.4
Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.5) Gecko/20041222 Firefox/1.0 (Debian package 1.0-4)
Mozilla/5.0 (Windows; U; Win 9x 4.90; rv:1.7) Gecko/20041103 Firefox/0.9.3
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; Tablet PC 2.0; OfficeLiveConnector.1.3; OfficeLivePatch.1.3; MS-RTC LM 8; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)
Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)
Microsoft Internet Explorer/1.0 (Windows 95)

Nonetheless, when it connected to public SMTP servers we found that it was blocked.

Part 4. Password Stealer

As mentioned earlier, the malware searches the installed FTP, SFTP and WebDAV clients for stored credentials. The latest version adds new targets: Windows Commander, the Bitcoin wallet and WinSCP 2:

32bit FTP
BulletProof FTP Client 2009
BulletProof FTP Client 2010
CuteFTP Pro
CuteFTP Lite
CuteFTP 6 Home
CuteFTP 6 Professional
CuteFTP 7 Home
CuteFTP 7 Professional
CuteFTP 8 Home
CuteFTP 8 Professional
Directory Opus
FAR Manager FTP
FlashFXP 3
FlashFXP 4
Frigate3 FTP
pFTP Commander
FTP Commander Pro
FTP Navigator
FTP Commander
FTP Explorer
Total Commander FTP
SoftX FTP Client
Windows Commander
WinSCP 2

Using the WinPcap sniffing module, the backdoor searches for usernames and passwords in traffic sent to destination ports 21 (FTP), 110 (POP3) and 25 (SMTP), using the following capture filter. Note that this only catches cleartext sessions: FTPS, POP3S on port 995, SMTPS on port 465 and submission on port 587 with STARTTLS are outside both the filter and the sniffer's reach.

( tcp dst port 21 ) or ( tcp dst port 110 ) or ( tcp dst port 25)

The same marker strings as in the previous version are used to carve credentials out of the captured payloads ("ONNECT" is the tail of an HTTP CONNECT request, matched without its first letter):

USER PASS PUT ONNECT Authorization Basic AUTH PLAIN ftp http smtp pop3 pop3 smtp @
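What a sniffer can recover with those markers is worth seeing concretely. The following is an added example, not the malware's code: it mirrors the capture filter above (destination ports 21, 110 and 25) and carves credentials from the client-to-server payload using the same protocol markers, decoding SMTP AUTH PLAIN and HTTP Basic/Proxy-Authorization tokens. The session payloads are constructed for the example and the function names are my own.

```python
"""Carve credentials from cleartext FTP/POP3/SMTP/HTTP payloads (added example)."""
import base64
import re

CAPTURE_PORTS = {21, 110, 25}   # the BPF filter: tcp dst port 21 or 110 or 25

# Client-side markers from the string list above, anchored at line start.
USER_PASS = re.compile(rb"^(USER|PASS)[ \t]+(\S+)", re.M)
AUTH_PLAIN = re.compile(rb"^AUTH PLAIN(?:[ \t]+(\S+))?\r?\n(?:([A-Za-z0-9+/=]+)\r?\n)?",
                        re.M | re.I)
BASIC = re.compile(rb"^(?:Proxy-)?Authorization:[ \t]*Basic[ \t]+(\S+)", re.M | re.I)


def _b64(token: bytes):
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:            # binascii.Error is a ValueError
        return None


def _s(b: bytes) -> str:
    return b.decode("utf-8", errors="replace")


def carve_user_pass(payload: bytes, proto: str):
    """FTP and POP3 send USER then PASS as separate cleartext commands."""
    creds, user = [], None
    for cmd, arg in USER_PASS.findall(payload):
        if cmd == b"USER":
            user = _s(arg)
        elif cmd == b"PASS" and user is not None:
            creds.append({"proto": proto, "user": user, "password": _s(arg)})
            user = None
    return creds


def carve_auth_plain(payload: bytes):
    """SMTP AUTH PLAIN: base64 of authzid NUL authcid NUL password, inline or on the next line."""
    creds = []
    for inline, nextline in AUTH_PLAIN.findall(payload):
        raw = _b64(inline or nextline)
        if raw is None:
            continue
        parts = raw.split(b"\0")
        if len(parts) == 3:
            creds.append({"proto": "smtp", "user": _s(parts[1]), "password": _s(parts[2])})
    return creds


def carve_basic(payload: bytes):
    """HTTP Authorization / Proxy-Authorization: Basic base64(user:password)."""
    creds = []
    for token in BASIC.findall(payload):
        raw = _b64(token)
        if raw is None or b":" not in raw:
            continue
        user, _, password = raw.partition(b":")
        creds.append({"proto": "http", "user": _s(user), "password": _s(password)})
    return creds


def extract_credentials(dst_port: int, payload: bytes):
    """Run every carver over one client-to-server payload."""
    proto = {21: "ftp", 110: "pop3"}.get(dst_port, "unknown")
    return carve_user_pass(payload, proto) + carve_auth_plain(payload) + carve_basic(payload)


def process_packet(dst_port: int, payload: bytes):
    """Apply the capture filter first, as the sniffer does, then carve."""
    if dst_port not in CAPTURE_PORTS:
        return []
    return extract_credentials(dst_port, payload)


# Constructed session payloads (client direction only, which is what a
# "dst port" filter captures). Names and passwords are invented.
FTP_SESSION = b"USER alice\r\nPASS s3cret!\r\nPWD\r\n"
POP3_SESSION = b"USER bob@example.com\r\nPASS hunter2\r\nSTAT\r\n"
SMTP_SESSION = (b"EHLO laptop\r\nAUTH PLAIN "
                + base64.b64encode(b"\0carol\0pa55word")
                + b"\r\nMAIL FROM:<carol@example.com>\r\n")
PROXY_SESSION = (b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com:25\r\n"
                 b"Proxy-Authorization: Basic " + base64.b64encode(b"dave:pr0xy") + b"\r\n\r\n")

if __name__ == "__main__":
    for port, payload in ((21, FTP_SESSION), (110, POP3_SESSION),
                          (25, SMTP_SESSION), (8080, PROXY_SESSION)):
        print(port, process_packet(port, payload))
```

The proxy CONNECT sample is carved by extract_credentials but dropped by process_packet, because port 8080 is not in the capture filter; with the filter as published, the HTTP markers only fire for HTTP-style traffic that happens to cross ports 21, 110 or 25. SMTP AUTH LOGIN, which sends the username and password as two separate base64 lines, is not in the marker list and is not handled here.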

The backdoor can optionally start a proxy server on the infected computer, adding the host to Kelihos's pool of proxy-bots.


• New versions of Kelihos keep appearing with enhanced backdoor functionality, despite the takedown attempts by Microsoft and Kaspersky Lab.
• Kelihos's P2P architecture and fast-flux domains make the botnet highly resilient to the countermeasures taken by the security industry.
• The peers can play different roles in the botnet: spam-bot, fast-flux proxy-bot and C&C proxy-bot.
• The majority of bots are located in Ukraine, while all the domains were registered through a Russian registrar.
• The backdoor's encryption and obfuscation of its data complicate analysis of its functionality and communication protocol.
• Newly created backdoor samples have low detection rates across most AV scanners because of the compression and encryption techniques applied.