The U.S. Justice Department said on Monday (April 10) that
it had launched an effort to take down the giant Kelihos botnet, a global network
of tens of thousands of infected computers which it claimed was operated by a 36-year-old
Russian national, Peter Yuryevich Levashov, who was arrested in Spain over the
weekend.
The department said that the network was responsible for sending
spam emails, distributing ransomware and malware, harvesting usernames and
passwords, and engaging in Bitcoin theft and spamming. The botnet at times grew
larger than 100,000 simultaneously infected devices to carry out various spam
attacks, including pump-and-dump stock schemes.
Many of the spam emails advertised counterfeit drugs,
promoted penny stocks, or pushed work-at-home scams. Levashov also harvested login
credentials from infected PCs. This was done to break into the victims’
online bank accounts or to sneak into the victims’ email accounts to send out
more spam. He had even helped other cybercriminals distribute malware in exchange
for payment, U.S. investigators claim.
The botnet even used peer-to-peer communications to allow each
individual node to act as its own command-and-control server, and its malicious
activity is thought to have affected five percent of all organisations across
the globe.
Working alongside the FBI and security company Crowdstrike,
the US Department of Justice has started blocking domains associated with the
Kelihos botnet, one of the most prolific networks of hacker-controlled computer
systems in the world. The Kelihos botnet had infected computers running Microsoft
Corp's Windows operating system since approximately 2010. Once a PC was enslaved,
Levashov turned it into a mail server without the victim’s knowledge, the
U.S. government claimed.
While investigating, the FBI noticed that one of the
botnet’s servers was constantly logging into an email account at mail.ru. That
account was registered to a “Pete Levashov,” and was also associated with an
Apple iCloud account under a similar name, according to a court document
filed by the FBI.
Levashov allegedly used the information gained from this
credential-harvesting operation to further his illegal spamming operation, which
he advertised on various online criminal forums.
Like other botnets, Kelihos is designed to remain undetected
on the infected victim's computer, enabling it to secretly receive instructions
for malicious activities and send data back to its operators.
DOJ hasn’t revealed the charges against Levashov because the
case remains under seal, but offered reporters documents that showed U.S.
investigators obtained court orders to stop Levashov from controlling his
botnet.
Russian-state media service RT reported Levashov was taken
into custody in Spain over the weekend on a U.S. warrant. It was not known if
Levashov had an attorney.
In order to liberate victim computers, US authorities
obtained court orders from the US District of Alaska, granting them permission
to redirect traffic from Kelihos-infected computers onto a substitute server
run by the FBI and to record the IP addresses the machines attempt to connect to.
Three previous versions of Kelihos had been taken down, but each time it was
able to grow back with improvements that made it more resilient. In the most
recent iterations, individual infected computers could update each other with
new code, so that taking down the few command servers alone was insufficient.
The FBI estimates the Kelihos botnet has between 25,000 and
100,000 computers currently under its control. About 5 to 10 percent reside in
the U.S.
Although the dismantling should be a major blow to Kelihos,
the Justice Department hasn't said if others might have been involved in the
botnet's activities.
Users can use free antivirus tools such as Microsoft Safety
Scanner to clear Kelihos-related malware from their PCs. Internet service
providers will also be told which IP addresses have been found supporting the
botnet's activities.
Levashov, who has long been considered the likely identity
of an online persona known as Peter Severa, spent years listed as among the
world's 10 most prolific computer spammers by Spamhaus, a spam-tracking group.