Kelihos checks machines' IP addresses against DNS blacklists

Posted by   Virus Bulletin on   Aug 29, 2013

Role of node in a botnet dependent on whether the IP address is blacklisted.

Whenever I look at the results of the VBSpam tests, it always amazes me how large a percentage of spam is blocked because the sending IP address appears on a DNS blacklist.

It is not that I wouldn't expect those that maintain such blacklists not to do a good job: I know that they work hard to keep the lists up to date to block as much spam as possible. But I regularly wonder whether spammers care that most of the emails they send will be blocked by just about any blacklist in existence.

Some spammers apparently do care. In a post for the ZScaler blog, Chris Mannon analyses a recent Kelihos sample that I thought was interesting in this context.

Upon installation on a new machine, the malware queries the machine's public IP address against a number of widely used DNS blacklists. The role the node will play in the botnet then depends on whether or not the IP address is blacklisted: only if it isn't, will the machine be used to send spam.

The blacklisting of IP addresses isn't the only reason why botnet spam - especially when sent from compromised home PCs - is relatively easy to block. Sending spam only from addresses that don't appear on blacklists won't give the spammers a shortcut to users' inboxes - if only because it won't take long before these addresses end up being blacklisted too.

But it does show that cybercriminals haven't given up on spam - and are still actively trying to find ways to get their emails delivered. As can already be seen from some interesting posts on the Malware Must Die blog, despite a number of prominent 'shutdowns', Kelihos is still very much alive and kicking.

Posted on 29 August 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

Analysis of malware responsible for sextortion spam that mines for Monero on the side

VB2019 Platinum partner Reason Cybersecurity presents a threat analysis report on the Save Yourself malware.

Guest blog: Threat intelligence – a unifying force of the future

In a guest blog post VB2019 Platinum partner Reason Cybersecurity looks to the future of threat intelligence.

Guest blog: Why we should be paying more attention to Linux threats

In a guest blog post VB2019 Silver partner Intezer outlines the importance of paying attention to Linux threats.

New Emotet spam campaign continues to bypass email security products

On Monday, the infamous Emotet malware resumed its spam campaign to spread the latest version of the malware. As before, the malware successfully bypasses many email security products.

Book review: Cyberdanger: Understanding and Guarding Against Cybercrime

Security researcher Paul Baccas reviews Eddy Willems' book 'Cyberdanger'.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.