Kelihos Botnet Gains Strength Again

by alexander.adamov on February 28th, 2013 in Malware Descriptions, Security Alert.

Part 1. Kelihos Loader

Part 2. Kelihos Backdoor

Part 3. Spam-Bot

Part 4. Password Stealer

Conclusions

We recently observed high Kelihos botnet activity, despite Microsoft and Kaspersky having announced its takedown in September 2011 and March 2012 respectively.

A detailed description of a previous version of the backdoor can be found in Lavasoft's Malware Encyclopedia.

In this publication we would like to update this information and provide more details about the network activity and infection process of the latest versions of Kelihos.

Part 1. Kelihos Loader

Kelihos consists of two parts: a loader and a backdoor. The loader downloads the backdoor onto the compromised system. Its implementation is quite simple, and it is detected by many antivirus products (MD5: 42032e91596b619d5683e39afc7a4c2a).

The binary is packed with the Mystic Compressor in an effort to avoid detection.

The download function is easy to locate in the code.

If a download attempt fails, the loader waits 10 minutes before trying again.

The loader's sole purpose is to download and execute the backdoor on the victim's computer.

The download URL is built from a randomly generated domain name and a file name chosen from the following set:

http://{random a-z characters}.ru/{keybex3, rasta01, newbos2, angrim2, calc, moon002, nothing, instcod, firsale}.exe

Recently registered Kelihos domains that were active in Jan-Feb 2013:

hxxp://rehvuwib.ru/
hxxp://irtoexki.ru/
hxxp://ihdidcyd.ru/
hxxp://fidqyzar.ru/
hxxp://citpoloj.ru/
hxxp://ucxegxox.ru/
hxxp://nowqubxi.ru/
hxxp://kugfulyw.ru/
hxxp://axcakqif.ru/
hxxp://ryqpynar.ru/
hxxp://gybebeho.ru/
hxxp://aqqajofi.ru/
hxxp://amxylkap.ru/
hxxp://todqenym.ru/
hxxp://girwysca.ru/
hxxp://sedfibyr.ru/
hxxp://tijenric.ru/
hxxp://ojvectyk.ru/
hxxp://solhusny.ru/
hxxp://ifkyxdys.ru/
hxxp://ybavwego.ru/
hxxp://qagqowpi.ru/
hxxp://linyaqor.ru/
hxxp://picjuvoh.ru/
hxxp://incumzyr.ru/
hxxp://exciifun.ru/
hxxp://gamkuvev.ru/
hxxp://ohvelzym.ru/
hxxp://ummujcil.ru/
hxxp://rinerdaz.ru/
hxxp://ewobmoyw.ru/
hxxp://atkoskih.ru/
hxxp://wowrizep.ru/
hxxp://dyrzaqfu.ru/
hxxp://tyxtuwaq.ru/
hxxp://zehyqjol.ru/
hxxp://cesivpil.ru/
hxxp://gehxehib.ru/
hxxp://muxythij.ru/

All the domains share very similar registration data: the registrar is "REGGI-REG-RIPN" and each is registered for one year. This registrar was featured in our recent article Detecting Malicious URLs - Part 3. Suspicious Registrars.

The botnet still relies on fast-flux domains. To prevent DNS caching, the A records carry a TTL of zero, so every lookup returns a fresh IP address drawn from a dynamic pool of Kelihos proxy-bots.

Over several days we counted 6244 Kelihos proxy-bots in 82 countries in this fast-flux network.
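Detection logic for the fast-flux behaviour described above, as an added example (not code from the article or from Lavasoft): it groups passive-DNS answers by name and flags names whose A records have a TTL at or below a threshold while spanning many distinct addresses across many distinct /16 prefixes. The thresholds (max_ttl, min_ips, min_prefixes), the DnsAnswer record layout and every observation are assumptions constructed for this example; rehvuwib.ru is taken from the domain list above, but the addresses shown for it are documentation-range placeholders, not observed bot IPs, and the other two names are fictional controls.

```python
"""Fast-flux heuristic over passive-DNS style observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # unix time of the lookup
    qname: str    # queried name
    ttl: int      # TTL of the A record in the reply
    ip: str       # IPv4 address returned


# Shape of the loader domains described in the article: a random a-z label under .ru.
LOADER_DOMAIN_RE = re.compile(r"^[a-z]+\.ru$")


def fast_flux_stats(answers, max_ttl=30, min_ips=5, min_prefixes=3):
    """Summarise one domain's answers and decide whether they look fast-flux.

    Thresholds are assumptions for this example, not values from the article:
    a TTL at or below max_ttl, combined with at least min_ips distinct addresses
    spread over at least min_prefixes distinct /16 prefixes. A CDN also hands
    out low-TTL answers, but from a few prefixes it controls; a pool of
    infected home machines is scattered across many unrelated networks.
    """
    ips = {a.ip for a in answers}
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    max_seen_ttl = max(a.ttl for a in answers)
    verdict = (max_seen_ttl <= max_ttl
               and len(ips) >= min_ips
               and len(prefixes) >= min_prefixes)
    return {
        "lookups": len(answers),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "max_ttl": max_seen_ttl,
        "loader_shape": bool(LOADER_DOMAIN_RE.match(answers[0].qname)),
        "fast_flux": verdict,
    }


def classify(observations, **thresholds):
    """Group passive-DNS observations by queried name and score each name."""
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.qname].append(obs)
    return {name: fast_flux_stats(ans, **thresholds) for name, ans in by_name.items()}


# Constructed observations (assumption): rehvuwib.ru mimics what the article
# describes (TTL 0, a different address on every answer) using documentation
# ranges; cdn.example.com rotates low-TTL answers inside one /16; the last
# name is a static host with a normal TTL.
OBSERVATIONS = [
    DnsAnswer(1360000000, "rehvuwib.ru", 0, "192.0.2.11"),
    DnsAnswer(1360000001, "rehvuwib.ru", 0, "192.0.2.12"),
    DnsAnswer(1360000002, "rehvuwib.ru", 0, "198.51.100.21"),
    DnsAnswer(1360000003, "rehvuwib.ru", 0, "198.51.100.22"),
    DnsAnswer(1360000004, "rehvuwib.ru", 0, "203.0.113.31"),
    DnsAnswer(1360000005, "rehvuwib.ru", 0, "203.0.113.32"),
    DnsAnswer(1360000000, "cdn.example.com", 20, "198.51.100.10"),
    DnsAnswer(1360000001, "cdn.example.com", 20, "198.51.100.11"),
    DnsAnswer(1360000002, "cdn.example.com", 20, "198.51.100.12"),
    DnsAnswer(1360000003, "cdn.example.com", 20, "198.51.100.13"),
    DnsAnswer(1360000004, "cdn.example.com", 20, "198.51.100.14"),
    DnsAnswer(1360000000, "www.example.org", 3600, "203.0.113.5"),
    DnsAnswer(1360003600, "www.example.org", 3600, "203.0.113.5"),
]

if __name__ == "__main__":
    for name, stats in classify(OBSERVATIONS).items():
        flag = "FAST-FLUX" if stats["fast_flux"] else "ok"
        print(f"{name:18} {flag:10} {stats}")
```

The CDN-style control stays under the prefix threshold because its addresses sit in a range it owns, while the proxy-bots behind a Kelihos name are home machines in many networks, which is what the /16 spread captures. Feed it resolver logs or passive-DNS data and tune the thresholds against your own traffic; the loader_shape flag is only a weak hint on its own.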

Part 2. Kelihos Backdoor

The backdoor's code (MD5: 64dd5503fc9cd455f1c8a544d0bc9015) is encrypted and obfuscated, which makes it hard for AV scanners to analyze and detect.

For example, the names of API functions and DLL modules are stored encrypted and scattered through memory; they are reconstructed on the stack at run time, when the backdoor resolves its imports.

Internal functions are called through a dedicated address table.
Upon execution, the backdoor sets its own file attributes to hidden, read-only, system and archive.

The file carries the following WinPcap modules in its body, which it uses to capture network traffic: npf.sys, winpcap.dll, packet.dll.

While running, the backdoor process spawns threads that send UDP and TCP requests to port 80 of peer computers within the botnet.
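A flow-level heuristic for the peer traffic described above, as an added example that is not code from the article: ordinary HTTP clients never send UDP datagrams to port 80, so a host that does so to several distinct peers, while also fanning out over TCP/80 to many addresses, stands out in NetFlow or firewall logs. The Flow record layout, the thresholds min_udp_peers and min_total_peers, and all flow records are assumptions constructed for this example.

```python
"""Flag hosts with P2P-bot style port-80 fan-out in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # internal source host
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def p2p_suspects(flows, min_udp_peers=3, min_total_peers=10):
    """Per source host, count distinct destinations contacted on port 80 over
    UDP and over TCP. A host is a suspect when it sends UDP to port 80 of at
    least min_udp_peers distinct addresses (plain HTTP never does this) and
    its combined UDP+TCP port-80 fan-out reaches min_total_peers. Both
    thresholds are assumptions for this example."""
    udp_peers = defaultdict(set)
    tcp_peers = defaultdict(set)
    for f in flows:
        if f.dport != 80:
            continue
        bucket = udp_peers if f.proto == "udp" else tcp_peers
        bucket[f.src].add(f.dst)

    result = {}
    for src in set(udp_peers) | set(tcp_peers):
        u, t = udp_peers[src], tcp_peers[src]
        total = u | t
        result[src] = {
            "udp_peers": len(u),
            "tcp_peers": len(t),
            "distinct_peers": len(total),
            "suspect": len(u) >= min_udp_peers and len(total) >= min_total_peers,
        }
    return result


# Constructed flows (assumption): 10.0.0.5 behaves like the backdoor, mixing
# UDP/80 and TCP/80 to a dozen peers in documentation ranges; 10.0.0.9 is an
# ordinary client talking TCP to two web servers and one HTTPS server.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"192.0.2.{i}", "udp", 80) for i in range(1, 7)]
    + [Flow("10.0.0.5", f"198.51.100.{i}", "tcp", 80) for i in range(1, 7)]
    + [Flow("10.0.0.9", "203.0.113.10", "tcp", 80),
       Flow("10.0.0.9", "203.0.113.11", "tcp", 80),
       Flow("10.0.0.9", "203.0.113.12", "tcp", 443)]
)

if __name__ == "__main__":
    for host, stats in sorted(p2p_suspects(SAMPLE_FLOWS).items()):
        print(host, "SUSPECT" if stats["suspect"] else "ok", stats)
```

The UDP/80 condition does the real work: a busy workstation easily reaches ten distinct web servers over TCP, but it has no reason to send UDP datagrams to port 80 at all. Run it over a day of egress flows and review the suspects against the published peer list.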

The traffic between bots is encrypted.

The initial peer list is stored encrypted in the binary. The backdoor's body holds 500 peer IPs; at the time of writing we found 225 of them live, and each can operate as a C&C proxy.

190.44.192.223 62.84.252.23 77.121.124.178 37.204.138.145 176.8.225.81 192.162.78.37 182.234.140.72 217.16.138.88 188.72.213.114 37.25.35.75 46.118.140.17 31.170.145.243 77.122.233.147 93.77.29.32 77.122.23.209 78.158.31.39 46.47.84.24 178.137.33.241 46.118.69.54 81.198.204.124 159.224.9.71 77.121.61.168 93.79.238.30 94.153.28.7 91.204.204.103 109.87.9.137 176.8.180.238 78.83.221.213 37.229.122.157 109.185.90.79 109.200.239.101 109.86.177.245 46.185.14.217 46.211.215.196 77.122.122.101 109.122.89.239 193.110.78.26 119.149.94.46 46.173.105.102 109.251.56.204 37.143.215.82 90.155.226.150 77.121.214.121 93.79.31.190 216.255.1.72 86.38.110.137 188.230.113.152 176.8.137.91 5.153.188.174 78.159.62.141 194.27.111.48 91.203.246.95 77.123.79.11 89.67.151.214 188.129.221.145 176.73.103.133 66.215.182.9 5.79.252.96 200.150.166.84 46.211.223.169 88.132.176.245 176.8.197.205 159.224.5.60 176.8.110.157 184.91.172.224 62.84.59.83 194.27.58.37 158.58.238.131 178.150.203.249 78.159.35.44 2.132.47.207 177.44.114.73 91.145.186.3 82.228.241.65 80.245.90.176 176.98.31.44 213.5.195.154 5.2.42.185 193.93.160.182 173.23.19.85 188.254.205.83 82.131.44.22 81.198.140.56 84.40.107.178 188.254.129.9 77.122.25.133 5.105.117.126 109.87.252.10 176.36.26.66 77.71.19.137 130.204.71.219 77.37.177.23 87.252.234.123 46.237.65.35 81.163.114.225 93.177.139.14 77.121.181.29 178.210.222.88 46.118.55.145 188.129.193.73 37.46.238.147 94.240.234.204 71.205.177.244 81.22.139.90 77.123.42.134 178.37.167.188 77.122.93.107 46.211.58.64 192.162.79.246 46.118.89.132 46.118.111.35 213.111.209.219 178.149.239.31 89.41.122.14 46.211.91.110 46.119.104.117 94.248.144.72 62.84.38.69 178.140.131.136 77.121.146.36 46.211.17.12 77.123.15.52 78.26.255.165 178.149.8.112 94.153.123.90 188.2.247.157 195.114.154.174 46.10.213.218 188.230.23.81 178.165.122.96 109.87.194.95 176.73.167.145 61.58.184.233 46.40.102.90 31.135.44.48 93.79.35.109 94.153.43.162 46.172.253.234 91.221.85.41 188.129.210.174 193.93.160.176 93.79.90.71 
176.8.115.143 178.233.104.125 31.42.20.23 178.48.56.156 5.105.88.93 188.190.2.101 46.160.108.40 77.77.31.229 89.136.227.139 37.57.146.45 219.255.128.237 174.56.223.60 5.248.100.225 178.158.182.164 213.111.85.247 37.229.37.192 77.121.186.6 77.121.156.85 69.76.232.225 109.86.28.151 31.170.141.208 93.78.177.52 46.46.79.148 86.125.192.34 68.191.140.56 79.133.238.144 176.8.151.55 77.238.203.63 212.2.142.173 123.0.208.105 37.229.234.249 46.237.82.154 49.143.81.165 37.229.91.174 178.149.77.79 31.14.226.14 109.87.4.154 188.121.200.4 176.8.163.230 195.228.43.24 85.121.3.1 78.61.229.129 79.135.219.62 188.230.31.252 212.52.57.48 176.8.12.246 178.168.44.169 178.172.199.48 77.122.225.54 46.119.141.103 62.84.55.114 46.46.92.245 93.116.207.225 78.84.146.198 62.221.144.92 78.63.212.27 89.228.34.247 93.78.55.187 46.47.110.221 94.153.71.58 217.18.253.132 89.114.121.115 91.202.56.168 178.74.210.148 77.122.139.136 46.119.218.49 59.4.150.204 89.42.101.114 46.119.227.179 178.150.227.231 93.79.32.140 46.118.164.198 89.201.106.201 213.111.97.62 5.248.96.136 178.137.102.155 89.70.38.124 46.211.1.124 31.43.131.230 46.160.108.26 181.31.239.62 77.120.165.68 91.244.135.9 187.240.200.170 2.132.44.162 176.8.98.219 93.105.86.88 190.159.119.224 46.180.6.233 178.172.227.31 213.233.187.20 178.91.154.221 46.118.163.116 151.0.42.98 158.58.237.173 79.113.96.236 134.17.85.27 189.137.30.119 31.128.77.212 178.211.99.28 109.200.249.118 5.248.17.103 190.19.23.113 37.151.32.29 46.119.82.218 77.41.106.133 93.77.228.134 93.78.192.244 37.151.176.214 178.217.212.39 176.37.221.31 46.37.195.5 88.156.249.0 93.89.210.212 221.141.235.23 77.122.165.42 124.123.105.255 178.165.5.151 178.148.12.16 89.16.114.114 113.61.128.13 188.213.89.152 176.37.96.11 176.8.41.238 109.254.103.66 46.162.50.110 178.150.79.158 46.229.49.201 37.229.35.28 87.110.47.116 31.41.49.81 46.211.52.133 46.118.13.33 178.137.117.126 62.78.48.172 93.79.204.80 79.135.211.227 188.123.202.64 81.163.147.106 109.162.44.151 46.211.84.141 178.250.34.220 
178.165.0.146 109.86.247.151 212.22.200.224 46.98.203.228 46.118.115.225 159.224.68.215 14.46.47.101 46.164.174.21 77.122.5.115 130.255.134.224 83.5.155.139 188.231.186.211 178.137.152.148 46.250.13.90 212.87.180.88 200.8.187.134 178.74.214.242 109.122.10.226 211.1.96.4 37.57.8.229 78.139.162.113 2.133.246.247 5.248.77.226 68.41.16.234 176.98.9.49 46.33.49.187 91.202.0.128 109.86.157.184 78.97.135.89 212.43.41.166 5.105.101.75 5.248.66.134 110.46.83.199 178.137.23.183 186.147.178.149 88.135.81.175 95.111.160.122 212.225.160.75 77.123.199.59 46.211.3.255 93.177.248.188 134.17.81.161 46.172.234.154 81.162.226.13 2.134.181.71 86.100.243.29 159.148.43.126 176.8.137.244 79.171.124.201 84.237.170.21 109.162.9.252 212.66.58.56 31.134.210.120 46.236.139.81 46.211.224.108 112.209.81.106 89.72.168.163 76.117.32.217 95.160.222.144 109.87.17.182 95.65.126.125 121.180.39.205 31.43.57.120 93.77.250.242 77.121.47.189 188.2.161.141 178.163.96.190 178.54.26.146 37.143.92.125 77.122.213.241 46.211.246.171 24.53.68.48 77.121.154.93 77.236.185.105 49.204.189.117 5.140.79.40 46.55.125.229 95.69.214.253 91.201.178.37 176.111.40.65 124.125.251.19 190.51.133.114 176.8.64.123 109.86.123.147 79.112.150.98 109.200.243.30 1.228.111.119 93.89.211.157 46.119.90.209 77.121.50.223 95.68.15.251 178.150.202.46 213.111.248.58 37.204.87.173 212.2.146.165 31.170.155.61 5.105.90.68 84.245.198.15 46.229.51.243 5.248.163.206 46.214.198.182 46.36.129.128 46.173.101.87 78.108.20.96 217.144.180.32 84.252.47.111 176.8.33.170 78.88.120.211 181.68.56.119 46.172.239.51 31.211.136.98 93.79.57.233 176.103.112.42 91.241.237.244 109.162.122.3 37.112.141.69 93.79.77.141 68.84.99.3 195.211.253.117 178.151.82.86 46.162.11.28 46.118.153.31 94.153.57.73 93.79.156.150 193.32.15.111 77.78.238.122 31.129.103.242 89.117.191.213 91.245.126.116 62.221.153.199 178.151.140.88 92.114.161.113 87.110.45.83 109.87.129.203 147.30.165.10 46.250.13.91 37.140.60.98 46.119.137.5 49.206.17.27 5.105.75.232 93.77.87.231 93.77.74.110 
31.193.92.21 173.21.164.27 46.187.125.21 93.152.190.78 27.3.102.32 109.254.162.24 109.162.97.146 77.120.64.97 88.135.84.9 109.185.72.42 174.100.88.250 141.101.13.249 186.22.61.208 141.170.253.94 178.165.96.12 109.87.184.14 77.120.145.143 5.105.69.51 46.118.175.189 109.86.241.23 93.77.82.26 176.8.68.78 176.8.150.227 109.87.99.28 67.181.200.227 188.127.135.206 5.248.103.253 178.207.58.172 46.150.64.131 113.254.56.92 93.127.116.69 109.108.70.30 37.151.0.115 46.119.78.7 93.79.140.129 81.198.250.32 93.95.191.163 85.85.78.185 93.120.218.24 77.121.78.145 109.86.148.155 37.229.180.252 114.79.135.123 31.133.55.35 77.122.117.218 109.162.86.68 89.254.133.99 37.150.245.197 93.79.38.184 176.8.41.139 91.241.202.75 109.106.12.161 178.165.53.46 77.123.25.76 68.116.158.33 141.101.16.160 176.36.137.66 77.121.225.162 46.119.146.183 178.95.3.156 95.87.6.156 95.69.196.213 176.98.197.112 68.64.113.104 77.120.189.160 176.36.34.26 5.248.23.67 109.202.54.160 77.122.68.230 201.215.107.111 46.119.126.245 213.43.58.250 46.211.238.193 31.192.44.177

Once a connection has been established, the backdoor fetches instructions from the C&C through one of the peer proxy-bots. It sends an HTTP GET request for one of the following HTML pages:

http://{C&C_proxy_IP_address}/{setup, online, login, welcome, main, search, start, file, index, default, home, install}.html
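One way to turn the two URL shapes described in this article (the loader download URL from Part 1 and the C&C poll above) into detection logic over HTTP proxy logs, as an added example that is not code from the article: it flags the loader pattern http://<a-z letters>.ru/<listed name>.exe, a GET for one of the listed page names on a bare IP address, and hits against the published domain and peer IOC lists. The log line layout, the scan_log and parse_peer_blob helpers, the small IOC subsets embedded here and every log line are assumptions constructed for this example.

```python
"""Match Kelihos loader and C&C URL patterns in proxy logs (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# File names and page names exactly as listed in the article.
LOADER_NAMES = {"keybex3", "rasta01", "newbos2", "angrim2", "calc",
                "moon002", "nothing", "instcod", "firsale"}
CNC_PAGES = {"setup", "online", "login", "welcome", "main", "search", "start",
             "file", "index", "default", "home", "install"}

# Small subset of the article's domain list, enough for the demo.
KNOWN_DOMAINS = {"rehvuwib.ru", "irtoexki.ru", "ihdidcyd.ru"}


def parse_peer_blob(blob):
    """Turn a whitespace-separated IP dump (the form the article publishes the
    peer list in) into a set of validated IPv4 addresses, dropping junk."""
    peers = set()
    for tok in blob.split():
        try:
            peers.add(str(ipaddress.IPv4Address(tok)))
        except ipaddress.AddressValueError:
            continue
    return peers


# First few entries of the article's peer list plus one deliberate junk token.
PEER_BLOB = "190.44.192.223 62.84.252.23 77.121.124.178 37.204.138.145 not-an-ip"
KNOWN_PEERS = parse_peer_blob(PEER_BLOB)


def is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ipaddress.AddressValueError:
        return False


def classify_url(url):
    """Return the list of reasons this URL looks like Kelihos traffic ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    reasons = []
    m = re.fullmatch(r"/([a-z0-9]+)\.exe", path)
    if m and re.fullmatch(r"[a-z]+\.ru", host) and m.group(1) in LOADER_NAMES:
        reasons.append("loader download URL pattern")
    m = re.fullmatch(r"/([a-z]+)\.html", path)
    if m and is_ipv4(host) and m.group(1) in CNC_PAGES:
        reasons.append("C&C poll to bare IP")
    if host in KNOWN_DOMAINS:
        reasons.append("known loader domain")
    if host in KNOWN_PEERS:
        reasons.append("known peer IP")
    return reasons


# Assumed log layout: timestamp, client, method, URL (squid-like, constructed).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_log(lines):
    """Yield (client, url, reasons) for every line that matches at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_url(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


# Constructed log lines: qwertzui.ru and example.ru are fictional hosts.
SAMPLE_LOG = [
    "1361970000.123 10.0.0.5 GET http://rehvuwib.ru/keybex3.exe",
    "1361970001.456 10.0.0.5 GET http://62.84.252.23/setup.html",
    "1361970002.789 10.0.0.7 GET http://qwertzui.ru/rasta01.exe",
    "1361970003.000 10.0.0.7 GET http://198.51.100.9/index.html",
    "1361970004.000 10.0.0.9 GET http://www.example.com/index.html",
    "1361970005.000 10.0.0.9 GET http://example.ru/calc.exe",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The bare-IP poll is the weaker signal: internal appliances are also fetched by IP, so a lone GET for /index.html means little, and a generic file name such as calc.exe on any .ru host will produce the odd false positive. A .ru loader domain that also scores as fast-flux in DNS, or any match against the published peer list, is worth an alert on its own.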


The communication with the server is encrypted and compressed with zlib; Kaspersky Lab's blog describes the encryption scheme in more detail.
The server's response carries commands from the C&C. Sometimes, however, the backdoor instead receives a blocking message from an antivirus product on the contacted peer; we saw one such message come back from a protected computer located in Kharkov, Ukraine.

Part 3. Spam-Bot

In our case the backdoor received a command to operate as a spam-bot. The spam task may contain the sender names, address components and subjects listed below.
The "From" field of a spam message is constructed as follows:

From: {Name} {Surname} {name@domain}

where
Sender names:

Abel, Abraham, Ada, Adalbert, Adam, Adrian, Agatha, Agnes, Alan, Albert, Alec, Alexander, Alfred, Algernon, Alice, Allan, Aloys, Amabel, Ambrose, Amelia, Amy, Andrew, Andromache, Andy, Angelica, Angelina, Ann, Anna, Annabel, Annie, Anthony, Antoinette , Antony, Anthony, Arabella, Archibald, Archie, Arnold, Arthur, Aubrey, August, Augustus, Aurora, Austin, Bab, Baldwin, Barbara, Bart, Bartholomew, Basil, Beatrice, Beatrix, Beck, Becky, Bel, Bella, Ben, Benedict, Benjamin, Benny, Bernard, Bert, Bertie, Bertram, Bess, Bessie, Bessy, Betsey, Betsy, Betty, Biddy, Bill, Billy, Blanch, Bod, Bobbie, Bobby, Brian, Bridget, Candida, Carol, Caroline, Carrie, Caspar, Catherine, Cecil, Cecilia, Cecily, Charles, Charley, Charlie, Charlotte, Chris, Christian, Christiana, Christie, Christina, Christine, Christopher, Christy, Clara, Clare, Clarence, Claud, Claudius, Clem, Clement, Clementina, Clementine, Clifford, Clotilda, Colette, Connie, Connor, Constance, Cora, Cordelia, Cornelia, Cornelius, Cyril, Cyrus, Dan, Daniel, Dannie, Dave, David, Davy, Deborah, Denis, Dennis, Desmond, Diana, Dick, Dickie, Dickon, Dicky, Dinah, Dob, Dobbin, Doll, Dolly, Dolores, Donald, Dora, Dorian, Doris, Dorothy, Douglas, Eddie, Eddy, Edgar, Edith, Edmund, Edna, Edward, Edwin, Eleanor, Elijah, Elinor, Elisabeth, Ella, Ellen, Elliot, Elmer, Elsie, Elvira, Emery, Emilia, Emily, Emm, Emma, Emmanuel, Emmie, Emory, Enoch, Erasmus, Ernest, Ernie, Essie, Esther, Ethel, Etta, Eugene, Eustace, Eva, Eve, Evelina, Eveline, Evelyn, Fanny, Felicia, Felice, Felix, Ferdinand, Fidelia, Flo, Flora, Florence, Flossie, Floy, Frances, Francis, Frank, Fred, Freddie, Freddy, Frederic, Frederik, Freda, Frida, Gabriel, Geffrey, Geoffrey, George, Gerald, Gertie, Gertrude, Gideon, Gil, Gilbert, Gladys, Gloria, Godfrey, Godwin, Gordon, Grace, Graham, Gregory, Greta, Griffith, Guy, Gwendolen, Gwendoline, Gwendolyn, Hadrian, Hal, Hannah, Harold, Harriet, Harriot, Harry, Hatty, Helen, Helena, Henrietta, Henry, Herbert, Hermann, 
Herman, Hester, Hetty, Hilary, Hilda, Hope, Horace, Horatio, Howard, Hubert, Hugh, Hugo, Humphrey, Humphry, Ida, Ike, Ira, Irene, Isaac, Isabel, Isabella, Isaiah, Isidore, Isolde, Isold, Israel, Jack, Jacob, Jake, James, Jane, Janet, Jasper, Jean, Jeff, Jeffrey, Jem, Jemima, Jen, Jennie, Jennifer, Jenny, Jeremiah, Jerome, Jerry, Jess, Jessica, Jessie, Jessy, Jim, Jimmy, Joachim, Joan, Joanna, Job, Jock, Joe, Joey, John, Johnny, Jonathan, Joseph, Josephine, Joshua, Joy, Joyce, Jozy, Judith, Judy, Julia, Julian, Juliana, Juliet, Julius, Kate, Katharine, Kathleen, Katie, Katrine, Keith, Kenneth, Kit, Kitty, Lambert, Laura, Laurence, Lauretta, Lawrence, Lazarus, Leila, Leo, Leonard, Leonora, Leopold, Lesley, Leslie, Lew, Lewie, Lewis, Lillian, Lily, Linda, Lionel, Liz, Liza, Lizzie, Louie, Louis, Louisa, Louise, Lucas, Lucy, Luke, Mabel, Madeleine, Madge , Mag, Maggie, Magnus, Malcolm, Mamie, Marcus, Margaret, Margery, Margie, Maria, Marian, Marianne, Marina, Marion, Marjory, Mark, Martha, Martin, Mary, Mat, Matilda, Mathilda, Matthew, Matthias, Matty, Maud, Maude, Maurice, Max, Maximilian, May, Meg, Meggy, Mercy, Meredith, Michael, Micky, Mike, Mildred, Millie, Mima, Minna, Minnie, Mirabel, Miranda, Miriam, Moll, Molly, Monica, Montague, Montagu, Monty, Morgan, Morris, Mortimer, Moses, Muriel, Nance, Nancy, Nannie, Nanny, Nat, Natalia, Natalie, Nathan, Nathaniel, Ned, Neddie, Neddy, Nell, Nellie, Nelly, Net, Nettie, Netty, Neville, Nicholas, Nik, Nikola, Nina, Ninette, Ninon, Noah, Noel, Noll, Nolly, Nora, Norman, Odette, Olive, Oliver, Olivia, Ophelia, Oscar, Osmond, Osmund, Oswald, Ottilia, Owen, Paddy, Pat, Patricia, Patrick, Patty, Paul, Paula, Paulina, Pauline, Peg, Peggy, Pen, Penelope, Penny, Persy, Pete, Peter, Phil, Philip, Pip, Pius, Pol, Polly, Portia, Rachel, Ralph, Ranald, Randolph, Raphael, Rasmus, Ray, Raymond, Rebecca, Reg, Reggie, Reginald, Reynold, Richard, Rita, Rob, Robbie, Robert, Robin, Roddy, Roderick, Rodney, Roger, Roland, Rolf, Romeo, Ronald, 
Rosa, Rosabel, Rosabella, Rosalia, Rosalie, Rosalind, Rosaline, Rosamond, Rosamund, Rose, Rosemary, Rowland, Roy, Rudolf, Rudolph, Rupert, Ruth, Sadie, Sal, Sally, Salome, Sam, Sammy, Sampson, Samson, Samuel, Sanders, Sandy, Sarah, Sara, Saul, Sebastian, Septimus, Sibil, Sibyl, Sibylla, Sidney, Siegfried, Silas, Silvester, Silvia, Sim, Simeon, Simmy, Simon, Sol, Solly, Solomon, Sophia, Sophie, Sophy, Stanislas, Stanislaus, Stanley, Stella, Stephana, Stephanie, Stephen, Steve, Sue, Susan, Susanna, Susannah, Susie, Susy, Sylvester, Sylvia, Ted, Teddy, Terry, Tessa, Theobald, Theodora, Theodore, Theresa, Teresa, Thomas, Tib, Tibbie, Tilda, Tilly, Tim, Timothy, Tina, Tobias, Toby, Tom, Tommy, Tony, Tristan, Trudy, Tybalt, Valentine, Veronica, Victor, Victoria, Vincent, Viola, Violet, Virginia, Vivian, Vivien, Wallace, Walt, Walter, Wat, Watty, Wilfred, Wilfrid, Will, William, Willy, Win, Winifred, Winnie

Sender surnames:

Smith, Johnson, Williams, Jones, Brown, Davis, Miller, Wilson, Moore, Taylor, Anderson, Thomas, Jackson, White, Harris, Martin, Thompson, Garcia, Martinez, Robinson, Clark, Rodriguez, Lewis, Lee, Walker, Hall, Allen, Young, Hernandez, King, Wright, Lopez, Hill, Scott, Green, Adams, Baker, Gonzalez, Nelson, Carter, Mitchell, Perez, Roberts, Turner, Phillips, Campbell, Parker, Evans, Edwards, Collins, Stewart, Sanchez, Morris, Rogers, Reed, Cook, Morgan, Bell, Murphy, Bailey, Rivera, Cooper, Richardson, Cox, Howard, Ward, Torres, Peterson, Gray, Ramirez, James, Watson, Brooks, Kelly, Sanders, Price, Bennett, Wood, Barnes, Ross, Henderson, Coleman, Jenkins, Perry, Powell, Long, Patterson, Hughes, Flores, Washington, Butler, Simmons, Foster, Gonzales, Bryant, Alexander, Russell, Griffin, Diaz, Hayes, Myers, Ford, Hamilton, Graham, Sullivan, Wallace, Woods, Cole, West, Jordan, Owens, Reynolds, Fisher, Ellis, Harrison, Gibson, Mcdonald, Cruz, Marshall, Ortiz, Gomez, Murray, Freeman, Wells, Webb, Simpson, Stevens, Tucker, Porter, Hunter, Hicks, Crawford, Henry, Boyd, Mason, Morales, Kennedy, Warren, Dixon, Ramos, Reyes, Burns, Gordon, Shaw, Holmes, Rice, Robertson, Hunt, Black, Daniels, Palmer, Mills, Nichols, Grant, Knight, Ferguson, Rose, Stone, Hawkins, Dunn, Perkins, Hudson, Spencer, Gardner, Stephens, Payne, Pierce, Berry, Matthews, Arnold, Wagner, Willis, Ray, Watkins, Olson, Carroll, Duncan, Snyder, Hart, Cunningham, Bradley, Lane, Andrews, Ruiz, Harper, Fox, Riley, Armstrong, Carpenter, Weaver, Greene, Lawrence, Elliott, Chavez, Sims, Austin, Peters, Kelley, Franklin, Lawson, Fields, Gutierrez, Ryan, Schmidt, Carr, Vasquez, Castillo, Wheeler, Chapman, Oliver, Montgomery, Richards, Williamson, Johnston, Banks, Meyer, Bishop, Mccoy, Howell, Alvarez, Morrison, Hansen, Fernandez, Garza, Harvey, Little, Burton, Stanley, Nguyen, George, Jacobs, Reid, Kim, Fuller, Lynch, Dean, Gilbert, Garrett, Romero, Welch, Larson, Frazier, Burke, Hanson, Day, Mendoza, Moreno, Bowman, 
Medina, Fowler, Brewer, Hoffman, Carlson, Silva, Pearson, Holland, Douglas, Fleming, Jensen, Vargas, Byrd, Davidson, Hopkins, May, Terry, Herrera, Wade, Soto, Walters, Curtis, Neal, Caldwell, Lowe, Jennings, Barnett, Graves, Jimenez, Horton, Shelton, Barrett, Obrien, Castro, Sutton, Gregory, Mckinney, Lucas, Miles, Craig, Rodriquez, Chambers, Holt, Lambert, Fletcher, Watts, Bates, Hale, Rhodes, Pena, Beck, Newman, Haynes, Mcdaniel, Mendez, Bush, Vaughn, Parks, Dawson, Santiago, Norris, Hardy, Love, Steele, Curry, Powers, Schultz, Barker, Guzman, Page, Munoz, Ball, Keller, Chandler, Weber, Leonard, Walsh, Lyons, Ramsey, Wolfe, Schneider, Mullins, Benson, Sharp, Bowen, Daniel, Barber, Cummings, Hines, Baldwin, Griffith, Valdez, Hubbard, Salazar, Reeves, Warner, Stevenson, Burgess, Santos, Tate, Cross, Garner, Mann, Mack, Moss, Thornton, Dennis, Mcgee, Farmer, Delgado, Aguilar, Vega, Glover, Manning, Cohen, Harmon, Rodgers, Robbins, Newton, Todd, Blair, Higgins, Ingram, Reese, Cannon, Strickland, Townsend, Potter, Goodwin, Walton, Rowe, Hampton, Ortega, Patton, Swanson, Joseph, Francis, Goodman, Maldonado, Yates, Becker, Erickson, Hodges, Rios, Conner, Adkins, Webster, Norman, Malone, Hammond, Flowers, Cobb, Moody, Quinn, Blake, Maxwell, Pope, Floyd, Osborne, Paul, Mccarthy, Guerrero, Lindsey, Estrada, Sandoval, Gibbs, Tyler, Gross, Fitzgerald, Stokes, Doyle, Sherman, Saunders, Wise, Colon, Gill, Alvarado, Greer, Padilla, Simon, Waters, Nunez, Ballard, Schwartz, Mcbride, Houston, Christensen, Klein, Pratt, Briggs, Parsons, Mclaughlin, Zimmerman, French, Buchanan, Moran, Copeland, Roy, Pittman, Brady, Mccormick, Holloway, Brock, Poole, Frank, Logan, Owen, Bass, Marsh, Drake, Wong, Jefferson, Park, Morton, Abbott, Sparks, Patrick, Norton, Huff, Clayton, Massey, Lloyd, Figueroa, Carson, Bowers, Roberson, Barton, Tran, Lamb, Harrington, Casey, Boone, Cortez, Clarke, Mathis, Singleton, Wilkins, Cain, Bryan, Underwood, Hogan, Mckenzie, Collier, Luna, Phelps, Mcguire, 
Allison, Bridges, Wilkerson, Nash, Summers, Atkins, Wilcox, Pitts, Conley, Marquez, Burnett, Richard, Cochran, Chase, Davenport, Hood, Gates, Clay, Ayala, Sawyer, Roman, Vazquez, Dickerson, Hodge, Acosta, Flynn, Espinoza, Nicholson, Monroe, Wolf, Morrow, Kirk, Randall, Anthony, Whitaker, Oconnor, Skinner, Ware, Molina, Kirby, Huffman, Bradford, Charles, Gilmore, Dominguez, Oneal, Bruce, Lang, Combs, Kramer, Heath, Hancock, Gallagher, Gaines, Shaffer, Short, Wiggins, Mathews, Mcclain, Fischer, Wall, Small, Melton, Hensley, Bond, Dyer, Cameron, Grimes, Contreras, Christian, Wyatt, Baxter, Snow, Mosley, Shepherd, Larsen, Hoover, Beasley, Glenn, Petersen, Whitehead, Meyers, Keith, Garrison, Vincent, Shields, Horn, Savage, Olsen, Schroeder, Hartman, Woodard, Mueller, Kemp, Deleon, Booth, Patel, Calhoun, Wiley, Eaton, Cline, Navarro, Harrell, Lester, Humphrey, Parrish, Duran, Hutchinson, Hess, Dorsey, Bullock, Robles, Beard, Dalton, Avila, Vance, Rich, Blackwell, York, Johns, Blankenship, Trevino, Salinas, Campos, Pruitt, Moses, Callahan, Golden, Montoya, Hardin, Guerra, Mcdowell, Carey, Stafford, Gallegos, Henson, Wilkinson, Booker, Merritt, Miranda, Atkinson, Orr, Decker, Hobbs, Preston, Tanner, Knox, Pacheco, Stephenson, Glass, Rojas, Serrano, Marks, Hickman, English, Sweeney, Strong, Prince, Mcclure, Conway, Walter, Roth, Maynard, Farrell, Lowery, Hurst, Nixon, Weiss, Trujillo, Ellison, Sloan, Juarez, Winters, Mclean, Randolph, Leon, Boyer, Villarreal, Mccall, Gentry, Carrillo, Kent, Ayers, Lara, Shannon, Sexton, Pace, Hull, Leblanc, Browning, Velasquez, Leach, Chang, House, Sellers, Herring, Noble, Foley, Bartlett, Mercado, Landry, Durham, Walls, Barr, Mckee, Bauer, Rivers, Everett, Bradshaw, Pugh, Velez, Rush, Estes, Dodson, Morse, Sheppard, Weeks, Camacho, Bean, Barron, Livingston, Middleton, Spears, Branch, Blevins, Chen, Kerr, Mcconnell, Hatfield, Harding, Ashley, Solis, Herman, Frost, Giles, Blackburn, William, Pennington, Woodward, Finley, Mcintosh, Koch, 
Best, Solomon, Mccullough, Dudley, Nolan, Blanchard, Rivas, Brennan, Mejia, Kane, Benton, Joyce, Buckley, Haley, Valentine, Maddox, Russo, Mcknight, Buck, Moon, Mcmillan, Crosby, Berg, Dotson, Mays, Roach, Church, Chan, Richmond, Meadows, Faulkner, Oneill, Knapp, Kline, Barry, Ochoa, Jacobson, Gay, Avery, Hendricks, Horne, Shepard, Hebert, Cherry, Cardenas, Mcintyre, Whitney, Waller, Holman, Donaldson, Cantu, Terrell, Morin, Gillespie, Fuentes, Tillman, Sanford, Bentley, Peck, Key, Salas, Rollins, Gamble, Dickson, Battle, Santana, Cabrera, Cervantes, Howe, Hinton, Hurley, Spence, Zamora, Yang, Mcneil, Suarez, Case, Petty, Gould, Mcfarland, Sampson, Carver, Bray, Rosario, Macdonald, Stout, Hester, Melendez, Dillon, Farley, Hopper, Galloway, Potts, Bernard, Joyner, Stein, Aguirre, Osborn, Mercer, Bender, Franco, Rowland, Sykes, Benjamin, Travis, Pickett, Crane, Sears, Mayo, Dunlap, Hayden, Wilder, Mckay, Coffey, Mccarty, Ewing, Cooley, Vaughan, Bonner, Cotton, Holder, Stark, Ferrell, Cantrell, Fulton, Lynn, Lott, Calderon, Rosa, Pollard, Hooper, Burch, Mullen, Fry, Riddle, Levy, David, Duke, Odonnell, Guy, Michael, Britt, Frederick, Daugherty, Berger, Dillard, Alston, Jarvis, Frye, Riggs, Chaney, Odom, Duffy, Fitzpatrick, Valenzuela, Merrill, Mayer, Alford, Mcpherson, Acevedo, Donovan, Barrera, Albert, Cote, Reilly, Compton, Raymond, Mooney, Mcgowan, Craft, Cleveland, Clemons, Wynn, Nielsen, Baird, Stanton, Snider, Rosales, Bright, Witt, Stuart, Hays, Holden, Rutledge, Kinney, Clements, Castaneda, Slater, Hahn, Emerson, Conrad, Burks, Delaney, Pate, Lancaster, Sweet, Justice, Tyson, Sharpe, Whitfield, Talley, Macias, Irwin, Burris, Ratliff, Mccray, Madden, Kaufman, Beach, Goff, Cash, Bolton, Mcfadden, Levine, Good, Byers, Kirkland, Kidd, Workman, Carney, Dale, Mcleod, Holcomb, England, Finch, Head, Burt, Hendrix, Sosa, Haney, Franks, Sargent, Nieves, Downs, Rasmussen, Bird, Hewitt, Lindsay, Foreman, Valencia, Oneil, Delacruz, Vinson, Dejesus, Hyde, Forbes, Gilliam, 
Guthrie, Wooten, Huber, Barlow, Boyle, Mcmahon, Buckner, Rocha, Puckett, Langley, Knowles, Cooke, Velazquez, Whitley, Noel, Vang, Shea, Rouse, Hartley, Mayfield, Elder, Rankin, Hanna, Cowan, Lucero, Arroyo, Slaughter, Haas, Oconnell, Minor, Kendrick, Shirley, Kendall, Boucher, Archer, Boggs, Odell, Dougherty, Andersen, Newell, Crowe, Wang, Friedman, Bland, Swain, Holley, Felix, Pearce, Childs, Yarbrough, Galvan, Proctor, Meeks, Lozano, Mora, Rangel, Bacon, Villanueva, Schaefer, Rosado, Helms, Boyce, Goss, Stinson, Smart, Lake, Ibarra, Hutchins, Covington, Reyna, Gregg, Werner, Crowley, Hatcher, Mackey, Bunch, Womack, Polk, Jamison, Dodd, Childress, Childers, Camp, Villa, Dye, Springer, Mahoney, Dailey, Belcher, Lockhart, Griggs, Costa, Connor, Brandt, Winter, Walden, Moser, Tracy, Tatum, Mccann, Akers, Lutz, Pryor, Law, Orozco, Mcallister, Lugo, Davies, Shoemaker, Madison, Rutherford, Newsome, Magee, Chamberlain, Blanton, Simms, Godfrey, Flanagan, Crum, Cordova, Escobar, Downing, Sinclair, Donahue, Krueger, Mcginnis, Gore, Farris, Webber, Corbett, Andrade, Starr, Lyon, Yoder, Hastings, Mcgrath, Spivey, Krause, Harden, Crabtree, Kirkpatrick, Hollis, Brandon, Arrington, Ervin, Clifton, Ritter, Mcghee, Bolden, Maloney, Gagnon, Dunbar, Ponce, Pike, Mayes, Heard, Beatty, Mobley, Kimball, Butts, Montes, Herbert, Grady, Eldridge, Braun, Hamm, Gibbons, Seymour, Moyer, Manley, Herron, Plummer, Elmore, Cramer, Gary, Rucker, Hilton, Blue, Pierson, Fontenot, Field, Rubio, Grace, Goldstein, Elkins, Wills, Novak, John, Hickey, Worley, Gorman, Katz, Dickinson, Broussard, Fritz, Woodruff, Crow, Christopher, Britton, Forrest, Nance, Lehman, Bingham, Zuniga, Whaley, Shafer, Coffman, Steward, Delarosa, Nix, Neely, Numbers, Mata, Manuel, Davila, Mccabe, Kessler, Emery, Bowling, Hinkle, Welsh, Pagan, Goldberg, Goins, Crouch, Cuevas, Quinones, Mcdermott, Hendrickson, Samuels, Denton, Bergeron, Lam, Ivey, Locke, Haines, Thurman, Snell, Hoskins, Byrne, Milton, Winston, Arthur, Arias, 
Stanford, Roe, Corbin, Beltran, Chappell, Hurt, Downey, Dooley, Tuttle, Couch, Payton, Mcelroy, Crockett, Groves, Clement, Leslie, Cartwright, Dickey, Mcgill, Dubois, Muniz, Erwin, Self, Tolbert, Dempsey, Cisneros, Sewell, Latham, Garland, Vigil, Tapia, Sterling, Rainey, Norwood, Lacy, Stroud, Meade, Amos, Tipton, Lord, Kuhn, Hilliard, Bonilla, Teague, Courtney, Gunn, Greenwood, Correa, Reece, Weston, Poe, Trent, Pineda, Phipps, Frey, Kaiser, Ames, Paige, Gunter, Schmitt, Milligan, Espinosa, Carlton, Bowden, Vickers, Lowry, Pritchard, Costello

Sender email names (the local part before the @):

2821321211, 3dbeckypascal, 3dbelvyra, 3dbesperat, 687892066, 688609982, 688822086, 734838907, 734849353, 734899629, 734904846, 734924950, 734987110, 735040266, 735073874, 735076699, 735109047, 735116627, aausland, aavant, abuse, admin, afulghum, ajackson, ajacobs, alexdim, alfonso.masana, alt, amr_mail, andreys, arnie, asmith, babineau, badea633, bcombs, bdorio, ben, bereketboss, bhollern, bill.pyle, bingo, blizzard, blj, bljl, bo.xu, bob.cowles, bobnsteph2002, bobnsue, boxsters, butlerje76, cbeard, cburns, cffmb, cffresh, cheffyvee, eAgC, chefholland2000, chrisbolling2, chrisbond, dN1C, cindy, cindybob, clement, coenieza, copeland, copy, craigcornelius, daarthur, daassist, daniels.ochieng, danielsnjl, davebelize, davison, devil_chua, dhill, djpack, djpappas, doorboss, dturman, dyim, ekanto, erik, erik.toernqvist, erik.ullman, evgen, fanli, ffletcher, flynhiva, flynn2525, fran, fran.morrow, fun, fushenyu, genemau, ghost, gregory, gregory.larsen, gregory_leonard, gregoryl, ham1mer, ham39980, henning, hitman, hitmandrock, hugo.callens, hugocasta, indima, indio, indiog, info, inge.bergvall, insomnia, itv, ivan69, j.beder, jaimeh, jaimeh_1, jbedell, jdesroche, jeng_daniel, jiayongl, jim_brows, jimbruce, johan, johan.segolsson, johan_segergren, johnston, jokre1, jscha, aiKC, jyhbc, jyhhann, jyhwu, karen.loalbo, karl.vang, karlvail, kchau, kennth.ross, kenny10, kjheon, kjhinson, kjia_min999, knwen, kreinert3, lararj, len.krukowski, len_krukowski, liangbingmeiluo, liangbo_daqing, lisa.morgan, lpaterson, lpatterson, lpatton, m.socrates, mabat-pi, mail, major, mary, mary_addor, matrosov, maureenr52, mbyrne, mef, mefuho, mfischer, mfischette, michaels, mikeli, mlmurga, monaya, mpope, nancym, nhl, nhlxkis, nick, nlrz, novak, office, olis, omarsns, on.coltd, paralyn, paulg, pdns.sic.gov.cn, peter.huet, peter.huetter, peterk, peterkenyon, popcornjim, postmaster, povilasj, protain, radka.krkoskova, raul.m.rebelo, rdb, rdbeers, reman, ricky.dover, rickyd, rickydbcat, rlbrooks, 
robertsh, rogerssteve, rolf, roselyn494, rothwiler, rsvp, rxh6, ryancho0, s.pryor, s.vrabac, sales, salesny, sannyposh, sano, sano_aku, sano_kazuya, sanobrjb, sanoli2, sanoman, sdb, sdbdek, sergey, sgold, shafia, shafie, shimoneli, simler, skepplanda.btk, smith98123q, smithj, sono1pera, sonoda, ssoja, stanislav.antic, steve, stroud, superslog, ta7mlms, takahashi.yuh, takahata, takahide, takahiro_hiroi, teri_kirkland, the.one, theonedjmantis, tim, tlameta_sione, tmalburg, tmaley, tmalfred, travasik, tsiler, vag_serv, vespasianius, vivian, waddah, waddell, waddellbianca, webmaster, webmaster.video, whualei, whuang, wlq304, wspieth, wv_office, wvlfy, yourname, yuanweiw, yuill9

Referrers:

2911.net, 3hotels.com, 80canal.com, acspg.com, adkrealty.com, adwise.com, aerovox.com, airhammer.cz, alshaya.com, amega.com, aral.ru, arlee.com, m7oC, asser.nl, attglobal.net, aumlee.co.kr, axa.de, bahur.com, berg.se, bhs.umn.edu, bii.ne.jp, billcollier.com, bls.gov, boisdarcy.fr, bpsolvaype.com, bra.ops-oms.org, bridgeway.org, cam.nist.gov, canadapost.ca, chi.osu.edu, china89.com, cityscape.co.uk, cnaf.infn.it, codetel.net.do, connectnet.com, cookn.com, coptech.com.au, cpsurvey.com, cwrsi.com, dafo.com, db.erau.edu, dho.edu.tr, dotnet.com, elumina.com.au, emigration.ch, emss.dn.ua, epm.net.co, es-krs.ru, evn.com.vn, fazenda.gov.br, freemail.hu, freetelecom.fr, gae.co.id, gbronline.com, ggemory.com, gilde.nl, gl.umbc.edu, gmcc.net, gst.com, gtec.com, guest.arnes.si, henkel.com, henrymargu.com, hn.vnn.vn, hostgym.com, hotelfunds.org, hwpalaw.com, hypo.si, ien.ru, ilm.com, infomos.ru, insdata.sk, issendis.com, jci.com, jlonline.com, jobscope.com, kalgold.com.au, kaplan.com, kason.com, kelner.com, klock.us, kpmg.com, laindia.com, ldsco.com, letterwerk.com, lonelyfire.com, lovell.com, lv.parnu.ee, magmtg.com, mail.e-burg.ru, mail.kz, mail2kuwait.com, mas.gov.sg, mcg-pyle.com, mediaone.net, mibas.ru, microfilm.com, micromech.ru, mos.ru, movere.be, e5ZC, mweb.co.zw, myrealbox.com, nabi.com, nasd.com, nethercargo.com, netxi.com, nl.rogers.com, nordlys.no, notariato.it, nttcom.co.jp, ocbc.com.my, ohmcraft.com, olysigns.com, osca.net, ottaway.com, pantrywoman.com, passagen.se, pbcards.dp.ua, pcc.edu, u%EoC, peakpeak.net, phonecoinc.com, po.cwru.edu, polarnet.ru, ppspc.com, prohest.com, prospur.co.za, quintiles.com, rada.ac.uk, redrock.net, regentcomm.com, regio.net, registru.md, reynoldshrc.com, rffager.com, risd.edu, rsd.k12.az.us, s-cubed.net, _subsbcglobal.net, scf.cc, screaming.net, segctopo.fr, sesnet.com, smart-com.si, st.com, stahlratte.de, starnursery.com, submatic.com, wdersubvention.info, syciplaw.com, talkie.com, tctwest.net, team4.nl, tjc.co.in, triangolo.it, 
trrlaw.com, tvol.it, unpunk.com, up.com, upaf.org, valasenkanot.se, visir.is, wagner.ru, walkerfoods.com, webmail.co.za, west.net, westriv.com, wtd.net, xinhuanet.com, yahoo.com, yahoo.com.hk, yourq.com

We also recovered the sender addresses used for the spam, grouped by domain:

(12 emails)@gmail.com
(21 emails)@rickhr.com
(974 emails)@datingbase.qpoe.com
etc.

It also harvests files from the user's computer, skipping any with the following extensions (media, executables, archives and help index files):

avi mov wmv mp3 wave wav wma ogg vob png jpg jpeg gif bmp exe dll ocx class msi zip 7z rar jar gz hxw hxh hxn hxd

The email subjects are typical spam lures: they mostly advertise job offers, legal-highs/synthetic-drug forums and Viagra pills:

Find the job that's right for you.
Job
Job NEW!
Job-Part-Time
Work-Part-Time
Vacancy
Vacancy NEW!
Offer
Offer NEW!
Job Offer
Job Offer NEW!
Job Vacancy
Part-time Work
Part-time Job
Vacancies
Vacancies NEW!
Job Position
Open Vacancies
New Job
New Work
New Vacancy
New Offer
New Job Offer
New Job Vacancy
Salary 2600 EUR
Job! Part-time! Stable Salary!
Work! Part-time! Salary!
Work In The Company
Work In The Company NEW!
Work In The Marketing Company
Vacancy! Part-Time!
Job Vacancy NEW!
Part-time Work NEW!
Employment opportunity.
Build a Better Career.
Find your calling.
Launch your career.
Looking for jobs?
Great career opportunities.
Find your dream job!
Conteste a la nueva proposicion de trabajo en el departamento de Finanzas para (Reply to the new job proposal in the Finance department for)
Respuesta a una nueva invitacion de trabajo en el departamento de Finanzas para (Response to a new job invitation in the Finance department for)
Respuesta a una nueva incitacion de trabajo en Atencion al cliente (Response to a new job offer in Customer Service)
La respuesta a un trabajo solicitado para (The response to a job requested for)
Wir suchen Mitarbeiter in Deutschland.Stelle Manager fur den Vertrieb von Waren. (We are looking for employees in Germany. Position: manager for the sale of goods.)
Stellenangebot Manager in Deutschland. (Job offer: manager in Germany.)

Legal drugs shops
Legal drugs forum
Powders, pills, smoking blends
Synthetic drugs forum
Pure DMAA Powder forum
Forum about Blast Off Natural Party Powder
Forum about JWH, Naphyrone, 5-IAI and more
Forum about Powders, pills, smoking blends
Blast Off Natural Party Powder forum
JWH, Naphyrone, 5-IAI and more forum

The only method to energize your love life
Time for great nights with your female partner
Very good method to regain your intimate life
Outstanding solution for your intimate life
It helps to forget about male problems
Do you wish to surprise your woman tonight?
The only method to energize your loving life
Keep your lover entertained every night
The only technique to unleash your love life
You'll be good in bed
The truth about potence
Do you desire to become huge for women?
Do you wish to please your lady tonight?
Do you wish to surprise your gf tonight?
Be yourself, act brilliant in bed
She will be impressed by your strength
Do you want to see her happy this night?
Do you wish to gratify your babe this night?
Do you wish to satisfy your wife at night?
The only method to enhance your intimate life
You'll be the girl's idol
Feel the joy of ultimate life
Ancient secret of nonstop nights of pleasure
Kindle your impulse to the limit
Herbal Highs forum
She will stay amazed by your potency
Do you wish to surprise your gf tonight?

To avoid being blocked, the backdoor rotates the User-Agent header of its HTTP requests, picking from the list below. Note that several entries are impossible combinations (a ZX-81 running CP/M-86, MSIE 3.0 on Windows 3.1, Internet Explorer 1.0), which makes the list itself a usable network signature:

Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre
Mozilla/5.0 (X11; U; Linux x86_64; cy; rv:1.9.1b3) Gecko/20090327 Fedora/3.1-0.11.beta3.fc11 Firefox/3.1b3
Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6 ; nl; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; es-AR; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-HK; rv:1.8.1.7) Gecko Firefox/2.0
Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (X11; I; SunOS sun4u; en-GB; rv:1.7.8) Gecko/20050713 Firefox/1.0.4
Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.5) Gecko/20041222 Firefox/1.0 (Debian package 1.0-4)
Mozilla/5.0 (Windows; U; Win 9x 4.90; rv:1.7) Gecko/20041103 Firefox/0.9.3
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; Tablet PC 2.0; OfficeLiveConnector.1.3; OfficeLivePatch.1.3; MS-RTC LM 8; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)
Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)
Microsoft Internet Explorer/1.0 (Windows 95)

Nonetheless, when the bot connected to public SMTP servers during our tests, we observed that its connections were rejected.
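The User-Agent list above is easy to turn into a detection. The following script is an added example written for this article, not code from the original post or from the Kelihos sample: it parses web-proxy or web-server log lines in the Apache "combined" format, flags exact matches against the bot's hard-coded strings (only a subset of the list above is embedded; load the full list in practice) and, separately, flags anachronistic browser/platform combinations that no real client in 2013 would produce. The log lines are constructed for the demonstration; the client IPs, paths and timestamps are not from any capture.

```python
"""Flag HTTP requests whose User-Agent matches the strings hard-coded in the
Kelihos spam-bot. Added example; the log lines below are constructed."""
import re

# Subset of the bot's User-Agent strings, exactly as listed above.
KELIHOS_USER_AGENTS = {
    "Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",
    "Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5",
    "Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)",
    "Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)",
    "Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)",
    "Microsoft Internet Explorer/1.0 (Windows 95)",
}

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic: platforms and browser versions that no real client produced in 2013.
ANACHRONISTIC = (
    re.compile(r"ZX-81|CP/M86|Windows 3\.1|Win95|Windows 95|Win 9x 4\.90"),
    re.compile(r"MSIE [1-5]\."),          # IE 1.x .. 5.x
    re.compile(r"Firefox/[01]\."),        # Firefox 0.x / 1.x (not 10.x)
)


def classify_user_agent(ua):
    """Return 'known' for an exact Kelihos string, 'suspicious' for an
    anachronistic one, or None for anything that looks like a normal browser."""
    if ua in KELIHOS_USER_AGENTS:
        return "known"
    if any(p.search(ua) for p in ANACHRONISTIC):
        return "suspicious"
    return None


def scan_log(lines):
    """Return (client_ip, verdict, user_agent) for every flagged log line.
    Lines that are not in combined format are skipped rather than guessed at."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_user_agent(m.group("ua"))
        if verdict:
            hits.append((m.group("ip"), verdict, m.group("ua")))
    return hits


# Constructed sample log: one exact bot string, one anachronistic string,
# one ordinary Firefox 18 request that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.7 - - [12/Feb/2013:10:14:01 +0200] "GET /calc.exe HTTP/1.1" 200 81920 "-" '
    '"Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"',
    '10.0.0.9 - - [12/Feb/2013:10:15:40 +0200] "GET / HTTP/1.1" 200 64 "-" '
    '"Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)"',
    '10.0.0.12 - - [12/Feb/2013:10:16:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"',
]

if __name__ == "__main__":
    for ip, verdict, ua in scan_log(SAMPLE_LOG):
        print(f"{ip:12} {verdict:10} {ua}")
```

The exact-match set gives high-confidence hits; the heuristic set is noisier (an old IE 5.5 box would trigger it) and is better used to pivot on a host than to alert on its own.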

Part 4. Password Stealer

As mentioned earlier, the malware searches the stored configuration of installed FTP, SFTP and WebDAV clients for saved credentials. The latest version adds three new targets to the list: Windows Commander, the Bitcoin wallet file (Bitcoin\wallet.dat) and WinSCP 2:

32bit FTP
BitKinex
BulletProof FTP Client 2009
BulletProof FTP Client 2010
ClassicFTP
COREFTP
CuteFTP
CuteFTP Pro
CuteFTP Lite
CuteFTP 6 Home
CuteFTP 6 Professional
CuteFTP 7 Home
CuteFTP 7 Professional
CuteFTP 8 Home
CuteFTP 8 Professional
Directory Opus
FAR Manager FTP
FFFTP
FileZilla
FlashFXP 3
FlashFXP 4
Frigate3 FTP
FTPClient
pFTP Commander
FTP Commander Pro
FTP Navigator
FTP Commander
FTPCON
FTP Explorer
FTPRush
LEAPFTP
NetDrive
Total Commander FTP
TurboFTP
SoftX FTP Client
SmartFTP
WebSitePublisher
WebDrive
Windows Commander
Bitcoin\wallet.dat
WinSCP 2

Using the bundled "winpcap 4.1.0.1753" network sniffing module, the backdoor searches traffic sent to destination ports 21 (FTP), 110 (POP3) and 25 (SMTP) for usernames and passwords. The capture filter it installs is:

( tcp dst port 21 ) or ( tcp dst port 110 ) or ( tcp dst port 25)

The new version uses the same marker strings as before to pull credentials out of the captured packets:

USER PASS PUT ONNECT Authorization Basic AUTH PLAIN ftp http smtp pop3 pop3 smtp @
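To make concrete what the sniffer is able to harvest, the following script is an added example written for this article (not the bot's code): it walks the client-to-server bytes of a captured session and extracts credentials using the same markers the bot looks for, USER/PASS on FTP and POP3, AUTH PLAIN on SMTP and Authorization: Basic on HTTP. It is as useful to a defender as to the attacker: run over your own pcap it shows which accounts leave the network in the clear. The sessions at the bottom are constructed; the usernames, passwords and hostnames are not from any capture. Note that the bot's BPF filter only selects ports 21, 110 and 25; the HTTP Basic case is included because "Authorization Basic" is in its marker list, but traffic on port 80 would not be seen by that filter as written.

```python
"""Extract plaintext credentials from captured FTP/POP3/SMTP/HTTP sessions,
following the markers the Kelihos sniffer uses. Added example; the sample
sessions below are constructed, not captured traffic."""
import base64

# Ports selected by the bot's capture filter, mapped to the protocol spoken there.
SNIFFED_PORTS = {21: "ftp", 110: "pop3", 25: "smtp"}


def _decode_b64(token):
    """Return the decoded bytes of a base64 token, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None


def extract_credentials(dst_port, client_stream):
    """Scan the client->server bytes of one TCP session (reassembled, CRLF lines)
    and return every credential found as a dict: proto, method, user, password."""
    proto = SNIFFED_PORTS.get(dst_port, "http")
    found = []
    pending_user = None                     # USER seen, waiting for PASS
    for raw in client_stream.split(b"\r\n"):
        line = raw.decode("latin-1").strip()
        parts = line.split(" ", 2)
        verb = parts[0].upper()

        # FTP and POP3: "USER name" followed by "PASS secret"
        if verb == "USER" and len(parts) > 1:
            pending_user = line[5:].strip()
        elif verb == "PASS" and pending_user is not None:
            found.append({"proto": proto, "method": "USER/PASS",
                          "user": pending_user, "password": line[5:].strip()})
            pending_user = None

        # SMTP: "AUTH PLAIN base64(authzid NUL authcid NUL password)".
        # Only the single-line form is handled here; the two-line form
        # (AUTH PLAIN, then the blob after a 334 reply) is left out for brevity.
        elif verb == "AUTH" and len(parts) == 3 and parts[1].upper() == "PLAIN":
            blob = _decode_b64(parts[2].strip())
            if blob is not None and blob.count(b"\0") == 2:
                _, user, password = blob.split(b"\0")
                found.append({"proto": proto, "method": "AUTH PLAIN",
                              "user": user.decode("utf-8", "replace"),
                              "password": password.decode("utf-8", "replace")})

        # HTTP: "Authorization: Basic base64(user:password)"
        elif verb == "AUTHORIZATION:" and len(parts) == 3 and parts[1].upper() == "BASIC":
            blob = _decode_b64(parts[2].strip())
            if blob is not None and b":" in blob:
                user, password = blob.split(b":", 1)
                found.append({"proto": "http", "method": "Basic",
                              "user": user.decode("utf-8", "replace"),
                              "password": password.decode("utf-8", "replace")})
    return found


def harvest(sessions):
    """Run extract_credentials over (dst_port, client_stream) pairs."""
    creds = []
    for port, stream in sessions:
        creds.extend(extract_credentials(port, stream))
    return creds


# Constructed sample sessions (client side only), one per protocol.
SAMPLE_SESSIONS = [
    (21, b"USER alice\r\nPASS s3cret\r\nPWD\r\n"),
    (110, b"USER bob@example.com\r\nPASS hunter2\r\nSTAT\r\n"),
    (25, b"EHLO host\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0pa55w0rd") + b"\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: mail.example.com\r\nAuthorization: Basic "
         + base64.b64encode(b"dave:letmein") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for c in harvest(SAMPLE_SESSIONS):
        print(f"{c['proto']:5} {c['method']:10} {c['user']} / {c['password']}")
```

Every credential this finds was sent without TLS; the practical mitigation is the same for the bot and for any other sniffer on the path: FTPS/SFTP instead of FTP, and STARTTLS or implicit TLS before AUTH on SMTP and POP3.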

The backdoor can optionally start a proxy server on the infected computer, turning it into a proxy node for the rest of the Kelihos botnet.

Conclusions

• New versions of Kelihos with enhanced backdoor functionality keep appearing despite the takedown attempts by Microsoft and Kaspersky Lab.
• The P2P architecture and fast-flux domains make the botnet highly resilient to the countermeasures taken by the security industry.
• Peers can play different roles in the botnet: spam-bot, fast-flux proxy-bot or C&C proxy-bot.
• Most bots are located in Ukraine, while all of the domains were registered through a Russian registrar.
• The layered protection of the backdoor's data complicates analysis of its functionality and communication protocol.
• Newly built backdoor samples have a low detection rate across most AV scanners because of the compression and encryption applied to them.