Re: Securelist.com (Kaspersky) released a misleading information about Kelihos Botnet actual status

[アドリアンヘンドリック <unixfreaxjp22 () gmail com>]

Following the previously posted about the Kelihos botnet current status,

> The current status of Kelihos infection will be presented in Short Talk
at BotConf
> 2013, in Nantes, France, Dec 2013.

We did our part as per promised, and disclosed the every operation aspect
in details against this botnet including the criminal responsible behind
all acts (a Russia Federation nationality individual).
All of the verdict and data were reported officially to the Group IB in
Russia Federation for the legal case follow, we look forward to have the
finalization in 2014. And Interpol, EuroPol ECC and FBI will receive the
latest updates accordingly.

This botnet is hitting countries hard, and it's affiliation with other
malwares also growing, they are still ACTIVELY infecting via spambot
function and web driven injection (iframers CookieBomb + etc exploit
tools), please put more attention on the current status of the threat. For
the POC of the activity on infection peers feel free to access IRC
monitoring system as per shared in previous post.

Below is the report on the disclosure:
http://malwaremustdie.blogspot.jp/2013/12/short-talk-in-botconf-2013-kelihos.html

OP-Kelihos Team

Rick of MalwareMustDie / @unixfreaxjp
PGP/MIT.EDU <http://mit.edu/>: RSA 2048/0xEC61AB9
Query: 0xb9ad3d5bec61ab91

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie

On Wednesday, November 13, 2013, アドリアンヘンドリック wrote:

> Securelist.com (Kaspersky) released a wrong and mis-leading information
> about current status of Kelihos Botnet:
>
> http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_botnet_what_happened
>
> *1) Securelist.com wrote: At the moment we're counting about 1000 unique
> bots on average per month*
>
> Below is the CnC volume infected peer botnet of Kelihos in Actual
> Monitoring counter, up to today.
> Even per Country's infection data stated below is exceeding 1,000...
>
> 1231  PL
> 1710  RO
> 2398  BY
> 4051  KZ
> 4615  TW
> 6037  IN
> 9823  JP
> 18158 RU
> 52825 UA
>
> Our online monitoring shows the real fact about the volume...
>
> *2) Because of what "they" claimed they did.. the Kelihos is smaller
> now….hmm..(?)*
>
> As per you know, the above 1) growth is still happening, even NOW we keep
> on suspending, sinkholing new domains their used for spreading payload
> (which it is encrypted in their job servers to CnC layer to be sent to peer
> for infection upgrade) in time-to-time basis, with total now is exceeded
> 800+ domains from August 6th to Yesterday.
> The effort of current suppressing is NOT related of the previous shutdown
> which was actually successfully recovering of the botnet itself. It is
>  kudos hard work of many IT security people who cares and work together in
> one coordination all over the globe for this threat.
> Nevertheless, even many people help and effort was achieved, Kelihos
> BotNet also perform a quick recovering by just released NEW ALIVE domains
> already in RegTime.NET (Russia FederationRegistrar) below, be free to
> confirm the registration date of this new domains as PoC.
>
> EJEXPOC,COM
> ABGYCWU,NET
> CESGUMU,ORG
> QYQANYB,BIZ
> GOTOREF,BIZ
> TOREMOA,COM
>
> *3) Securelist.com said "Most of the infected clients are located in
> Poland"*
>
> We al know that Ukraine, Russia Federation, Japan, India, Taiwan are the
> top of infected countries from the day one they recover…
> It is strongly suggest that the post in securelist.com is not confirming
> the actual situation…
>
> *4) **Securelist.com** wrote: "Victims have been disinfecting or
> reinstalling their PCs over time"*
>
> This is also a PoC that securelist.com as security maker's research
> entity does not update their actual data and used the outdated and announce
> it as recent…the "marketing" value is sensed under the blanket.
> New infection are actually popping up with the ALIVE payload.. opposing to
> the PC that was cured/fixed, each peers has more than 10+ payloads to
> spread with smaller  number of payloads exists in the loader part.. well
> apparently secure list.com doesn't know this too.
>
> *Additional:*
>
> *For your information.*
>
> Our group, MalwareMustDie, NPO is obligated to conduct the contra-posting
> "the statement" posted with this real fact about what is really happen in
> Kelihos botnet since "the statement" is mis-leading the entities that are
> currently making hard effort in cleaning up the infection peer by peer all
> over the planet.
>
> The current status of Kelihos infection will be presented in Short Talk at
> BotConf 2013, in Nantes, France, Dec 2013.
>
>  We are in purpose NOT posting / exposing any activities of this operation
> beforehand in any web format since the intelligence and hard work of law
> enforcement process in Europe and Russia Federation for its on going
> process to stop this threat for good.
>
> If security entity starting to state the wrong and misleading information,
> which is based not to the current and actual fact, then it is time for all
> of us to  correct every mistakes made with the true counter statement like
> this.
>
> On behalf of the good engineers that gather in OP-Kelihos to suppress the
> botnet in daily basis, bind to the promise to keep silent about the OP, we
> are informing this mistake by this full disclosure announcement.
>
> These are the Video contains information of infection in monitoring that
> can reveal the evidence of infection volume, and you can see on how hard
> huge the infection is actually happen now as per listed in the youtube
> video link below:
> Kelihos Regional Infection (per country's) Online Monitor via Web<http://www.youtube.com/watch?v=-LNJsbYK6K8>
>
> How to View & Download the Archive of Kelihos Infection Monitoring Channel<http://www.youtube.com/watch?v=9uNcT9DwsYw>
>
> Kelihos Volume Monitoring Applet - Country base monitoring panel<http://www.youtube.com/watch?v=4r2FKMiXhwk>
>
>
> OP-Kelihos Team
>
> Rick of MalwareMustDie / @unixfreaxjp
> PGP/MIT.EDU: RSA 2048/0xEC61AB9
> Query: 0xb9ad3d5bec61ab91
>
> MalwareMustDie,NPO Research Group
> Web http://malwaremustdie.org
> Research blog: http://malwaremustdie.blogspot.com
> Wiki & Code: http://code.google.com/p/malwaremustdie/
> Report Pastes: http://pastebin.com/u/MalwareMustDie


-- 
Hendrik Adrian / @unixfreaxjp
PGP/MIT: RSA 2048/0xEC61AB9
Query: 0xb9ad3d5bec61ab91


MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/