Kelihos botnet

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

History

The Kelihos botnet was first discovered around December 2010. Researchers originally suspected they had found a new version of either the Storm or Waledac botnet, due to similarities in the modus operandi and source code of the bot, but analysis showed it was instead a new botnet of some 45,000 infected computers that was capable of sending an estimated 4 billion spam messages a day. In September 2011 Microsoft took down the botnet in an operation codenamed "Operation b79". At the same time, Microsoft filed civil charges against Dominique Alexander Piatti, dotFREE Group SRO and 22 John Doe defendants for suspected involvement in the botnet, for issuing 3,700 subdomains that were used by the botnet. These charges were later dropped when Microsoft determined that the named defendants did not intentionally aid the botnet controllers.

In January 2012 a new version of the botnet was discovered, one sometimes referred to as Kelihos.b or Version 2, consisting of an estimated 110,000 infected computers. During the same month Microsoft pressed charges against Russian citizen Andrey Sabelnikov, a former IT security professional, for being the alleged creator of the Kelihos botnet source code. The second version of the botnet itself was shut down in March 2012 by several privately owned firms by sinkholing it – a technique which gave the companies control over the botnet while cutting off the original controllers.

Following the shutdown of the second version of the botnet, a new version surfaced as early as 2 April 2012, though there is some disagreement between research groups whether this botnet is simply the remnants of the disabled Version 2 botnet or a new version altogether. This version of the botnet currently consists of an estimated 70,000 infected computers. The Kelihos.c version mostly infects computers through Facebook by sending users of the website malicious download links. Once clicked, a Trojan horse named Fifesoc is downloaded, which turns the computer into a zombie that is part of the botnet.

On 24 November 2015 a Kelihos botnet event occurred causing widespread false positives of blacklisted IPs:

"November 24, 2015 Widespread false positives

Earlier today, a very large scale Kelihos botnet event occurred - by large scale, many email installations will be seeing in excess of 20% Kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn't an unusual thing normally; the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.

The email was allegedly from the US Federal Reserve, saying something about restrictions in "U.S. Federal Wire and ACH online payments." Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza or Dridex malware.

The detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error."

An affidavit unsealed on 5 February 2018 showed Apple's unexpected role in bringing the Russian spam king to justice. Peter Levashov allegedly ran the Kelihos botnet under the alias "Severa", renting out access to spammers and other cybercriminals. But despite Levashov's significant efforts at anonymity, court records show that federal agents had been surveilling his iCloud account since 20 May 2016, funneling back crucial information that may have led to his arrest. The standing federal iCloud warrant would have given authorities a running tab of IP addresses used to log in to the account, which could easily have tipped them off to his vacation in Barcelona, Spain, where he was arrested at the request of US law enforcement and extradited to the United States for prosecution.

Structure, operations and spread

The Kelihos botnet is a so-called peer-to-peer botnet, where individual botnet nodes are capable of acting as command-and-control servers for the entire botnet. In traditional non-peer-to-peer botnets, all the nodes receive their instructions and "work" from a limited set of servers – if these servers are removed or taken down, the botnet will no longer receive instructions and will therefore effectively shut down. Peer-to-peer botnets seek to mitigate that risk by allowing every peer to send instructions to the entire botnet, thus making it more difficult to shut down.

The first version of the botnet was mainly involved in denial-of-service attacks and email spam, while version two of the botnet added the ability to steal Bitcoin wallets, as well as a program used to mine bitcoins itself. Its spam capacity allows the botnet to spread itself by sending malware links to users in order to infect them with a Trojan horse, though later versions mostly propagate over social network sites, in particular through Facebook. A more comprehensive list of the Kelihos spam can be found in the research paper by Arora, Gannon and Warner cited in the references.

U.S. v. Levashov Search Warrant (Unsealed)

Arrest and extradition

On 2 February 2018, the United States Department of Justice announced that a Russian national had been extradited from Spain and would be arraigned in Connecticut on charges stemming from his alleged operation of the Kelihos botnet. Peter Yuryevich Levashov, 37, also known as Pyotr Levashov, Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, was detained on 7 April 2017 in Barcelona, when he was arrested by Spanish authorities based upon a criminal complaint and arrest warrant issued in the United States District of Connecticut. On 3 February 2018, he pleaded not guilty to the charges of wire and email fraud, hacking, identity theft and conspiracy after appearing before a federal judge in the U.S. state of Connecticut. He remained in detention. In September 2018, Levashov pleaded guilty.

See also

Botnet
E-mail spam
Internet crime
Internet security
Malware

References

Mills, Elinor (28 March 2012). "110,000 PC-strong Kelihos botnet sidelined". CNET. Retrieved 28 April 2012.
Ortloff, Stefan (28 March 2012). "FAQ: Disabling the new Hlux/Kelihos Botnet". Securelist.com. Retrieved 19 May 2020.
Adair, Steven (30 December 2010). "New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?". Shadowserver. Retrieved 28 April 2012.
Donohue, Brian (29 March 2012). "Kelihos Returns: Same Botnet or New Version?". Threatpost. Archived from the original on 4 April 2012. Retrieved 28 April 2012.
Mills, Elinor (27 September 2011). "Microsoft halts another botnet: Kelihos". CNET. Retrieved 28 April 2012.
Kirk, Jeremy (1 February 2012). "Kelihos botnet, once crippled, now gaining strength". Network World. Archived from the original on 5 September 2012. Retrieved 28 April 2012.
Constantin, Lucian (28 March 2012). "Security Firms Disable the Second Kelihos Botnet". PCWorld. Retrieved 28 April 2012.
Boscovich, Richard (27 September 2011). "Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case". Microsoft TechNet. Retrieved 28 April 2012.
Microsoft (26 September 2011). "Operation b79 (Kelihos) and Additional MSRT September Release". Microsoft TechNet. Retrieved 28 April 2012.
Latif, Lawrence (27 October 2011). "Microsoft drops Kelihos botnet allegations against ISP owner". The Inquirer. Archived from the original on 30 October 2011. Retrieved 28 April 2012.
Gonsalves, Antone (24 January 2012). "Microsoft Says Ex-Antivirus Maker Ran Botnet". CRN Magazine. Retrieved 28 April 2012.
Warren, Tom (29 March 2012). "Second Kelihos botnet downed, 116,000 machines freed". The Verge. Retrieved 28 April 2012.
Brewster, Tom (24 January 2012). "Microsoft suspects ex-antivirus worker of Kelihos botnet creation". IT PRO. Retrieved 28 April 2012.
Keizer, Gregg (24 January 2012). "Accused Kelihos botnet maker worked for two security firms". ITworld. Retrieved 28 April 2012.
Donohue, Brian (28 March 2012). "Kaspersky Knocks Down Kelihos Botnet Again, But Expects Return". Threatpost. Archived from the original on 12 April 2012. Retrieved 28 April 2012.
Raywood, Dan (2 April 2012). "CrowdStrike researchers deny that Kelihos has spawned a new version". SC Magazine UK. Retrieved 29 April 2012.
Leyden, John (29 March 2012). "Kelihos zombies erupt from mass graves after botnet massacre". The Register. Retrieved 28 April 2012.
SPAMfighter News (13 April 2012). "Kelihos Botnet Re-emerges, This Time Attacking Social Networks". SPAMfighter. Retrieved 28 April 2012.
http://www.abuseat.org
"Feds tracked down Russian spam kingpin with help from his iCloud account". The Verge. Retrieved 6 February 2018.
Grizzard, Julian; David Dagon; Vikram Sharma; Chris Nunnery; Brent ByungHoon Kang (3 April 2007). "Peer-to-Peer Botnets: Overview and Case Study". The Johns Hopkins University Applied Physics Laboratory. Retrieved 28 April 2012.
SPAMfighter (5 April 2012). "Security Companies Take Down Kelihos Botnet of Version 2". SPAMfighter. Retrieved 28 April 2012.
Jorgenson, Petra (6 April 2012). "Kelihos Botnet Could Resurge via Facebook Worm". Midsize Insider. Retrieved 29 April 2012.
Arora, Arsh; Gannon, Max; Warner, Gary (15 May 2017). "Kelihos Botnet: A Never-Ending Saga". Annual ADFSL Conference on Digital Forensics, Security and Law.
"Russian accused of running spam network extradited to US". Deutsche Welle. 3 February 2018. Retrieved 2 April 2019.
"Alleged Operator of Kelihos Botnet Extradited From Spain". www.justice.gov. 2 February 2018. Retrieved 3 February 2018.
Farivar, Cyrus (13 September 2018). "Russian man pleads guilty, admits he ran notorious Kelihos botnet". Ars Technica. Retrieved 2 April 2019.