Same botnet, same guys, new code

Pierre-Marc Bureau ESET


Several factors make the Win32/Kelihos malware family stand out. First, it uses a custom peer-to-peer network protocol for command and control. Second, it shares many similarities with the Win32/Nuwar (the infamous Storm worm) and Win32/Waledac malware families. Third, the operator of this botnet updates its code frequently, which gives us the opportunity to observe the many changes he applies to his creation over time.

The first variants of Win32/Kelihos were discovered at the end of 2009 and were, at best, at an alpha stage of development: these binaries even had full debugging messages embedded. Since then, we have seen dozens of new variants, each a small step towards improving the malware and its communication mechanisms. Following the evolution of Win32/Kelihos shows how the author is modifying both the malware itself and its communication protocol to improve performance, evade detection and limit the possibilities of poisoning the peer-to-peer network.

In this presentation, we describe the evolution of the Win32/Kelihos malware with timelines of its development phases and operations. We elaborate on the network architecture used for command and control and show how similar it is to that of previous peer-to-peer botnets. Our study leads us to believe that the same person developed all three malware families, and it would appear that he is still working hard at developing his skills to become even more of a nuisance.