Kelihos checks machines' IP addresses against DNS blacklists

Posted by   Virus Bulletin on   Aug 29, 2013

Role of node in a botnet dependent on whether the IP address is blacklisted.

Whenever I look at the results of the VBSpam tests, it always amazes me how large a percentage of spam is blocked because the sending IP address appears on a DNS blacklist.

It is not that I wouldn't expect those that maintain such blacklists not to do a good job: I know that they work hard to keep the lists up to date to block as much spam as possible. But I regularly wonder whether spammers care that most of the emails they send will be blocked by just about any blacklist in existence.

Some spammers apparently do care. In a post for the ZScaler blog, Chris Mannon analyses a recent Kelihos sample that I thought was interesting in this context.

Upon installation on a new machine, the malware queries the machine's public IP address against a number of widely used DNS blacklists. The role the node will play in the botnet then depends on whether or not the IP address is blacklisted: only if it isn't, will the machine be used to send spam.

The blacklisting of IP addresses isn't the only reason why botnet spam - especially when sent from compromised home PCs - is relatively easy to block. Sending spam only from addresses that don't appear on blacklists won't give the spammers a shortcut to users' inboxes - if only because it won't take long before these addresses end up being blacklisted too.

But it does show that cybercriminals haven't given up on spam - and are still actively trying to find ways to get their emails delivered. As can already be seen from some interesting posts on the Malware Must Die blog, despite a number of prominent 'shutdowns', Kelihos is still very much alive and kicking.

Posted on 29 August 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Necurs pump-and-dump spam campaign pushes obscure cryptocurrency

A Necurs pump-and-dump spam campaign pushing the lesser known Swisscoin botnet is mostly background noise for the Internet.

Alleged author of creepy FruitFly macOS malware arrested

A 28-year old man from Ohio has been arrested on suspicion of having created the mysterious FruitFly malware that targeted macOS and used it to spy on its victims.

The threat and security product landscape in 2017

At the start of the new year, Virus Bulletin looks back at the threats seen in the 2017 and at the security products that are available to help mitigate them.

Spamhaus report shows many botnet controllers look a lot like legitimate servers

Spamhaus's annual report on botnet activity shows that botherders tend to use popular, legitimate hosting providers, domain registrars and top-level domains when setting up command-and-control servers.

Tips on researching tech support scams

As tech support scammers continue to target the computer illiterate through cold calling, VB's Martijn Grooten uses his own experience to share some advice on how to investigate such scams.