# Farewell to Kelihos and ZOMBIE SPIDER

The Kelihos peer-to-peer botnet was one of the largest and longest-operating cybercrime infrastructures in existence. Its origins can be traced back to the Storm Worm, a botnet that emerged in 2007 and was one of the earliest criminal malware infrastructures to leverage peer-to-peer technology. After the demise of Storm, it was replaced by a new botnet known as Waledac that also leveraged peer-to-peer communications. Waledac was taken over and neutralized by a group of researchers in September 2010 [1]. The first generation of Kelihos emerged in December that year, three months after its predecessor Waledac was dismantled.

Kelihos itself was subject to several [2] takeover [3] operations [4], each of which led to the botnet being rebuilt in a new, more robust manner. The fifth and last generation of the botnet had been around since summer 2013, with an estimated size of 40,000 infected machines. It was neutralized by the U.S. Department of Justice with technical assistance from CrowdStrike in April 2017 [5].

The Kelihos malware featured a wide assortment of plugins for different criminal purposes but was primarily used to deliver spam emails. Its peer-to-peer network protocol was designed to be difficult to reverse engineer, containing several layers of encryption, including RSA, Blowfish and a custom obfuscation algorithm that the malware author referred to as “monkey” functions in the code. This design is a clear reaction to previous takedowns, with the goal of raising the bar for future attacks, but it ultimately failed to protect the botnet against them.

The primary threat actor, tracked by CrowdStrike as ZOMBIE SPIDER, rose to prominence in the criminal underground under the moniker Peter Severa. The individual behind this handle is Peter Yuryevich LEVASHOV [6], who was arrested in Spain when the final version of Kelihos was taken over in April 2017, and who recently pleaded guilty to operating the botnet for criminal purposes [7].

The purpose of this blog is to summarize and share our findings about Kelihos and its operator. The first section summarizes the results of our technical analysis of the Kelihos malware. The second section discusses attribution and provides some context around the threat actor. The blog concludes with an outlook section and we provide a YARA rule for detection in the Appendix.

## Technical Analysis of Kelihos

Modern spam botnets have to be flexible in the way they run campaigns in order to be able to quickly adapt to new detection techniques. Kelihos, like many others, implemented a sophisticated spam engine that automatically constructs spam messages from templates and additional inputs to avoid any patterns that can be used in filters. Despite the flexibility provided by the template system, some spam campaigns exhibited recurring characteristics and several researchers believed that there existed multiple simultaneously operated versions of the botnet. This was never the case.

Spam jobs that were distributed by the botnet operator defined a message template. A bot would populate this template with randomly generated strings or information taken from additional dictionary files that contained, for example, subject lines or URLs. A captured spam template is shown below; the variable fields are the tokens enclosed in %^ and ^%, which can nest inside one another.

```
Received: from %^C0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^% ([%^C6%^I^%.%^I^%.%^I^%.%^I^%^%])
        by %^A^% %^Fsendmailver^% with SMTP id %^Y%^C5%^R20-300^%^%^%037036;
        %^D%^V5^%^%
Message-ID: <%^O%^V6^%:%^R3-50^% %%^V0^%>
From: "%^C4%^Fmynames^%^%" <%^Fnames^%@%^Fdomains^%>
To: <%^0^%>
Subject: %^Fpharma^%
Date: %^D-%^R30-600^%^%
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="%^Fcharset^%";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%%^J%^Fpharma^% %^Fmirabella_links2^%^%
```

The following is an email constructed from this template.

```
Received: from iaw ([232.59.54.125])
        by ppp-188-174-39-206.dynamic.mnet-online.de (8.13.1/8.13.1) with SMTP id 201104051045037036;
        Tue, 5 Apr 2011 10:45:55 +0100
Message-ID: <002101cbf36d$426b6370$e83b367d@seclabiaw>
From: "Christina" <bcchiang@parteck.net>
To: <[redacted]>
Subject: Wonderful revealing effect on your libido.
Date: Tue, 5 Apr 2011 10:32:16 +0100
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="iso-8859-1";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Bring more enjoyment to your life, get a magicpil! http://drokkies[.]nl/dwg2c4v.html
```
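For analysts who want to catalogue which dictionaries a captured template draws on, the following tokenizer parses the nested %^ ... ^% field syntax of the template above. This is an added example and not code from the original post or from the Kelihos authors; it relies only on what the captured template shows (fields are delimited by %^ and ^% and may nest). The letter after %^ is recorded as the field type; the text identifies the F fields as dictionary lookups, while the meaning of the other letters is not documented on the page, so the parser records them without interpreting them. The parser is deliberately lenient, closing any field still open at end of input, because the captured Message-ID line does not balance cleanly.

```python
"""Tokenizer for the Kelihos spam-template syntax shown above (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterator, List, Union

OPEN, CLOSE = "%^", "^%"

# Copied from the captured template above (line breaks restored).
TEMPLATE = """Received: from %^C0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^% ([%^C6%^I^%.%^I^%.%^I^%.%^I^%^%])
        by %^A^% %^Fsendmailver^% with SMTP id %^Y%^C5%^R20-300^%^%^%037036;
        %^D%^V5^%^%
Message-ID: <%^O%^V6^%:%^R3-50^% %%^V0^%>
From: "%^C4%^Fmynames^%^%" <%^Fnames^%@%^Fdomains^%>
To: <%^0^%>
Subject: %^Fpharma^%
Date: %^D-%^R30-600^%^%
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="%^Fcharset^%";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%%^J%^Fpharma^% %^Fmirabella_links2^%^%
"""


@dataclass
class Token:
    kind: str      # first character after %^ (assumed to be the field type), e.g. "F", "R", "C"
    arg: str       # rest of the leading literal, e.g. "pharma" or "3-6"
    children: List[Union[str, "Token"]] = field(default_factory=list)


def parse_template(text: str) -> List[Union[str, Token]]:
    """Parse a template into a list of literal strings and nested Token trees."""
    root: List[Union[str, Token]] = []
    stack: List[Token] = []
    lit: List[str] = []

    def flush() -> None:
        if lit:
            (stack[-1].children if stack else root).append("".join(lit))
            lit.clear()

    i = 0
    while i < len(text):
        if text.startswith(OPEN, i):
            flush()
            # The field name is the literal run up to the next delimiter.
            j = i + 2
            while j < len(text) and not text.startswith(OPEN, j) and not text.startswith(CLOSE, j):
                j += 1
            name = text[i + 2:j]
            tok = Token(kind=name[:1], arg=name[1:])
            (stack[-1].children if stack else root).append(tok)
            stack.append(tok)
            i = j
        elif text.startswith(CLOSE, i) and stack:
            flush()
            stack.pop()
            i += 2
        else:
            lit.append(text[i])
            i += 1
    flush()            # fields still open at end of input are closed implicitly
    return root


def tokens(nodes) -> Iterator[Token]:
    """Depth-first walk over every Token in a parse tree."""
    for node in nodes:
        if isinstance(node, Token):
            yield node
            yield from tokens(node.children)


def dictionary_refs(template: str) -> List[str]:
    """Sorted names of the dictionary files (F fields) a template pulls from."""
    return sorted({t.arg for t in tokens(parse_template(template)) if t.kind == "F"})


def field_type_counts(template: str) -> Counter:
    """How many fields of each type the template expands."""
    return Counter(t.kind for t in tokens(parse_template(template)))


if __name__ == "__main__":
    print("dictionaries:", ", ".join(dictionary_refs(TEMPLATE)))
    print("field types:", dict(field_type_counts(TEMPLATE)))
```

Run against the captured template, the parser reports eight distinct dictionaries (charset, domains, mirabella_links2, mynames, names, outver.6, pharma and sendmailver); the dictionary names are the stable part of a campaign, which is why they are a better pivot for clustering spam runs than the randomized header values themselves.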

For several years, pump-and-dump stock scams, dating ruses, credential phishing, money mule recruitment and rogue online pharmacy advertisements were the most common spam themes. In 2017, however, Kelihos was frequently used to spread other malware such as LuminosityLink, Zyklon HTTP, Neutrino, Nymaim, Gozi/ISFB, Panda Zeus, Kronos, and TrickBot. It was also observed spreading ransomware families including Shade, Cerber, and FileCrypt2.

### Malware Distribution

The Kelihos malware distribution model involved affiliates of a pay-per-install service operated by ZOMBIE SPIDER. Each affiliate was provided with a custom malware binary with a unique tag hard-coded into the executable. The criminal operators of Kelihos were able to track and credit affiliates for infections based on these tags when the malware communicated with their backend infrastructure.

Compared to other malware families, Kelihos executables are relatively large due to the use of several third-party libraries, including Crypto++ for handling encryption-related functions, the Boost library that provides a wide variety of convenience functions, and the WinPcap library that is used for capturing credentials used in plaintext network protocols.

Affiliates frequently distributed Kelihos executables through social engineering and exploit kits. In addition, the Kelihos peer-to-peer network provided a fast-flux DNS hosting service that was often used in combination with spam campaigns to serve its own binaries. As an example, the URL http://betaler[.]com/gl1_1.php was hosted by that fast-flux service network. In this case, the content served from this URL was some simple JavaScript-based redirect code shown below:

```html
<!DOCTYPE HTML><html><head><script type="text/javascript">parent.location.href="http://combach[.]com/adobe/";</script></head><body></body></html>
```

The domain combach[.]com from the redirect target was hosted on the Kelihos fast-flux service network as well. Visiting users were presented with the fake Adobe Flash Player website shown in Figure 1 in an attempt to deceive them into clicking the installation link, which would, in turn, provide a Kelihos malware executable.

Figure 1. Fake Adobe Flash Player Installer Website

### Installation and Persistence

The malware establishes persistence by creating a registry name and value pair under the key Software\Microsoft\Windows\CurrentVersion\Run in the HKEY_LOCAL_MACHINE hive if the user has administrator privileges, or in the HKEY_CURRENT_USER hive otherwise. The registry name consists of a word from the prefix noun list shown below concatenated with a word from an action suffix list. Its value points to the Kelihos executable on disk. Kelihos sets the file attributes of its own executable to hidden and read-only. The following prefix nouns were used:

• Connection
• CrashReport
• Database
• Desktop
• Folder
• Icon
• Media
• Network
• Time
• Tray
• Video

The following is the list of suffix nouns used to construct the name string:

• Checker
• Informer
• Notifyer
• Saver
• Updater
• Verifyer
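The two word lists give a closed set of 66 possible Run-key value names, which makes them a cheap hunting artefact. The script below, an added example that is not part of the original post, generates that set, flags matching Run-key values, and checks for the hidden plus read-only attribute combination on the referenced file. The prefix and suffix lists are exactly those given above (including the misspellings "Notifyer" and "Verifyer" as the malware uses them); the sample Run-key entries are constructed for illustration, and the live registry read only runs on Windows.

```python
"""Hunt for Kelihos persistence names and file attributes (added example)."""
import itertools
import os
import sys
from typing import Iterable, List, Tuple

# Word lists from the text above; the misspellings are the malware's own.
PREFIXES = ["Connection", "CrashReport", "Database", "Desktop", "Folder", "Icon",
            "Media", "Network", "Time", "Tray", "Video"]
SUFFIXES = ["Checker", "Informer", "Notifyer", "Saver", "Updater", "Verifyer"]

# Win32 file-attribute bits as returned in os.stat().st_file_attributes on Windows.
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def candidate_names() -> set:
    """Every prefix+suffix value name Kelihos can generate under the Run key."""
    return {p + s for p, s in itertools.product(PREFIXES, SUFFIXES)}


def suspicious_run_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (value_name, value_data) pairs whose name is a generated name."""
    names = candidate_names()
    return [(name, data) for name, data in entries if name in names]


def has_kelihos_file_attributes(attrs: int) -> bool:
    """True when both the hidden and read-only bits are set, as Kelihos sets them."""
    wanted = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN
    return attrs & wanted == wanted


def file_attributes(path: str) -> int:
    """Attribute bits of a file on Windows; 0 elsewhere or if the file is missing."""
    if sys.platform != "win32":
        return 0
    try:
        return os.stat(path).st_file_attributes
    except OSError:
        return 0


def read_run_keys() -> List[Tuple[str, str]]:
    """Enumerate both Run keys on a live Windows host (empty list elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                found.append((name, str(data)))
                index += 1
    return found


# Constructed sample of Run-key entries, not data from a real infection.
SAMPLE_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("NetworkNotifyer", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ("Updater", r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    entries = read_run_keys() or SAMPLE_ENTRIES
    for name, data in suspicious_run_entries(entries):
        flag = " (hidden+readonly)" if has_kelihos_file_attributes(file_attributes(data)) else ""
        print(f"suspicious Run value {name!r} -> {data}{flag}")
```

Note that a bare suffix such as "Updater" is not matched: only the full prefix+suffix concatenation is characteristic, and on its own either word is common in legitimate software.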

Upon initial infection, the malware generates a 16-byte unique bot identifier that is used during peer-to-peer communications. This value is created from 15 randomly generated bytes plus a single-byte checksum that is computed by adding the 15 random bytes together.

All Kelihos binaries start with a list of hard-coded peers to bootstrap the process of joining the peer-to-peer network. All analyzed samples had dozens of such hard-coded entries, each consisting of an IP address, a TCP port number (which in all cases is 80), the last time a peer has been contacted (which defaults to 0 in the bootstrap list), a bot ID, and the number of seconds a peer has been live, also defaulting to 0.

The peer list is stored in the Windows registry with the name determined by concatenating strings from three dictionaries. However, due to a bug in the code, this name will always be DBSavedUse when the malware is executed for the first time. The value stored at this name always starts with the magic byte pattern A2 49 4D F3 D9 1E 9F 88 01 that is used as a signature to identify serialized data and also present in each peer-to-peer protocol message. In addition to the peer list, Kelihos will create three more name/value pairs under this registry key that store (1) a master key value, (2) the last job ID value, and (3) the bot ID value encoded with Base64. Due to the bug mentioned earlier, these registry names will always be PersistentLocalizedName, PlatformCompressedValid, and LineLoadedQuick. In addition, if Kelihos is running in router mode (see below), the registry name RecordEnabledCheck will also be created.

Despite the bug in the code, identifying the registry key that stores the Kelihos configuration information is non-trivial. The precise location of the registry key is selected by computing a histogram of the character length and the uppercase and lowercase frequencies for each key and subkey in the HKEY_CURRENT_USER hive. The results of the histogram are then sorted, and the first entry in the list is chosen to hold the configuration information. Consequently, different infected machines will likely store the data in different locations.
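The fixed value names, the serialized-data signature and the bot ID checksum together give a way to confirm that a candidate registry key found during triage is a Kelihos configuration key. The following is an added example and not code from the original post. The layout it checks (15 random bytes plus a one-byte sum, the 9-byte magic prefix, the value names DBSavedUse, LineLoadedQuick and RecordEnabledCheck) comes from the text; treating the checksum as the byte sum truncated to 8 bits is an assumption, and the sample key contents are constructed for illustration.

```python
"""Triage helpers for the Kelihos bot ID and configuration values (added example)."""
import base64
import os
from typing import Dict, Optional, Union

# Signature that prefixes serialized data and every peer-to-peer message (from the text).
KELIHOS_MAGIC = bytes.fromhex("A2 49 4D F3 D9 1E 9F 88 01")


def bot_id_checksum(random_part: bytes) -> int:
    # Assumption: the single checksum byte is the byte-wise sum truncated to 8 bits.
    return sum(random_part) & 0xFF


def make_bot_id() -> bytes:
    """Build a 16-byte identifier the way the text describes (useful for test vectors)."""
    rnd = os.urandom(15)
    return rnd + bytes([bot_id_checksum(rnd)])


def is_valid_bot_id(bot_id: bytes) -> bool:
    """A plausible bot ID is 16 bytes whose last byte is the checksum of the first 15."""
    return len(bot_id) == 16 and bot_id[15] == bot_id_checksum(bot_id[:15])


def registry_encode(bot_id: bytes) -> str:
    """Encode a bot ID the way the text says it is stored (Base64)."""
    return base64.b64encode(bot_id).decode("ascii")


def bot_id_from_registry(value: str) -> Optional[bytes]:
    """Decode a Base64 registry value; return the ID, or None if it is not plausible."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    return raw if is_valid_bot_id(raw) else None


def looks_like_kelihos_blob(value: bytes) -> bool:
    """True when a binary registry value carries the serialized-data signature."""
    return value.startswith(KELIHOS_MAGIC)


def triage_key(values: Dict[str, Union[bytes, str]]) -> dict:
    """Report what a candidate configuration key contains, using the fixed value names."""
    findings = {"peer_list": False, "bot_id": None, "router_mode": False}
    blob = values.get("DBSavedUse")
    if isinstance(blob, (bytes, bytearray)) and looks_like_kelihos_blob(bytes(blob)):
        findings["peer_list"] = True
    encoded = values.get("LineLoadedQuick")
    if isinstance(encoded, str):
        decoded = bot_id_from_registry(encoded)
        if decoded is not None:
            findings["bot_id"] = decoded.hex()
    findings["router_mode"] = "RecordEnabledCheck" in values
    return findings


# Constructed sample of a configuration key's values, not data from a real infection.
SAMPLE_BOT_ID = bytes(range(15)) + bytes([bot_id_checksum(bytes(range(15)))])
SAMPLE_KEY = {
    "DBSavedUse": KELIHOS_MAGIC + b"\x00" * 32,         # peer list (payload truncated)
    "PersistentLocalizedName": b"\x11" * 16,           # master key placeholder
    "PlatformCompressedValid": b"\x00\x00\x00\x2a",    # last job ID placeholder
    "LineLoadedQuick": registry_encode(SAMPLE_BOT_ID),
}

if __name__ == "__main__":
    print(triage_key(SAMPLE_KEY))
```

Because the key's own name varies per machine, this check is meant to be run over every key whose values include the four fixed names, rather than over a fixed path; the magic prefix and the checksum then weed out coincidental matches.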

### Peer-to-Peer Protocol

Infected machines form a peer-to-peer network with a hierarchical architecture shown in Figure 2. There are three tiers, referred to as job servers, router nodes, and worker nodes. When a system is infected, the malware checks the network adapter settings to determine whether it has a publicly routable IP address. If that is the case, the bot will start in the router mode of operation and create network services on TCP port 80 for peer-to-peer communications and on UDP port 53 for participating in the fast-flux network. If the system has no public IP address, the malware will start in worker mode and receive tasks to generate spam emails.

Figure 2. Kelihos Botnet Architecture

There are two primary types of peer-to-peer messages: peer lists and jobs. All peer-to-peer communications occur over TCP port 80, with peer lists being exchanged over a custom binary protocol and jobs being distributed using the same protocol with the addition of HTTP encapsulation. This distinction comes from the fact that messages related to tasking are being processed by the HTTP-based backend servers, whereas all other messages are exchanged between nodes that are part of the dynamic, self-organizing, peer-to-peer network — there is no need to encapsulate these in HTTP sessions.

The custom network protocol used for all message types makes use of RSA to perform a key exchange among peers and subsequently encrypt data with this session key. The first packet of the key exchange is similar to the following:

```
00000000  d5 e2 57 60 6c 55 55 45  03 10 48 40 99 5b 9f ad ..WlUUE ..H@.[..
00000010  72 1e 36 2f 44 e1 00 0c  16 dd 9e 04 30 46 02 41 r.6/D... ....0F.A
00000020  00 d0 5f a9 4d e0 34 a9  21 c8 e4 30 43 47 aa 7a .._.M.4. !..0CG.z
00000030  00 6f ea 0d a4 8f d6 3f  b1 c9 6b c9 c4 93 54 5f .o.....? ..k...T_
00000040  d7 70 1a de 1c b1 5c 4d  ca cf 61 86 14 a4 31 63 .p....\M ..a...1c
00000050  75 60 9e 9b 69 b4 8e d7  19 26 1f 56 66 49 ab bd u..i... .&.VfI..
00000060  e3 02 01 11 79 e2 f6 4d  f4 56 c1 22 6c 23 90 3a ....y..M .V."l#.:
00000070  60 4f be 69 a3 78 f2 a0  bc c5 ff ca 99 c7 7c 18 O.i.x.. ......|.
00000080  1b 65 26 2b 0f dd 1b e6  3a f4 13 e0 64 bf 25 89 .e&+.... :...d.%.
00000090  86 ba e2 1f 5d d0 f1 06  e8 71 2e ea a5 b8 64 ef ....]... .q....d.
000000A0  ae bf 8d a7                                      ....
```

The first DWORD in the hexdump above specifies the protocol version. Its value has been generated by a bit-scrambling function with random entropy to obfuscate the actual version number, which was 5 in the last generation of the botnet. The second DWORD is the size of the message, which is obfuscated using another bit-scrambling function. The four bytes at offset 8 serve as a header for the payload data, which is composed of serialized blocks. This header has the following structure:

1. Number of blocks (0x03)
2. Size of the first block: 16-byte session key (0x10)
3. Size of the second block: peer’s RSA public key in BER format (0x48)
4. Size of the third block: RSA signature of the 16-byte session key (0x40)
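The block header makes the payload easy to take apart once the message boundary is known. The parser below is an added example, not code from the original post; it uses only what the text states (two obfuscated DWORDs, a block-count byte at offset 8 followed by one size byte per block, and three blocks holding the session key, a BER-encoded RSA public key and an RSA signature). The de-obfuscation of the version and size DWORDs is not described, so they are carried through untouched. The BER decoder is a minimal reader for SEQUENCE { INTEGER n, INTEGER e }, which is assumed to be the public-key layout; the 164 bytes of the captured packet above fit that layout exactly.

```python
"""Parser for the first Kelihos key-exchange packet shown above (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# The 164 bytes of the hexdump above.
FIRST_PACKET = bytes.fromhex(
    "d5 e2 57 60 6c 55 55 45 03 10 48 40 99 5b 9f ad"
    "72 1e 36 2f 44 e1 00 0c 16 dd 9e 04 30 46 02 41"
    "00 d0 5f a9 4d e0 34 a9 21 c8 e4 30 43 47 aa 7a"
    "00 6f ea 0d a4 8f d6 3f b1 c9 6b c9 c4 93 54 5f"
    "d7 70 1a de 1c b1 5c 4d ca cf 61 86 14 a4 31 63"
    "75 60 9e 9b 69 b4 8e d7 19 26 1f 56 66 49 ab bd"
    "e3 02 01 11 79 e2 f6 4d f4 56 c1 22 6c 23 90 3a"
    "60 4f be 69 a3 78 f2 a0 bc c5 ff ca 99 c7 7c 18"
    "1b 65 26 2b 0f dd 1b e6 3a f4 13 e0 64 bf 25 89"
    "86 ba e2 1f 5d d0 f1 06 e8 71 2e ea a5 b8 64 ef"
    "ae bf 8d a7"
)


@dataclass
class KeyExchange:
    version_obfuscated: bytes   # first DWORD, scrambled; not decoded here
    size_obfuscated: bytes      # second DWORD, scrambled; not decoded here
    session_key: bytes          # block 1: 16-byte session key
    public_key_ber: bytes       # block 2: peer's RSA public key, BER
    signature: bytes            # block 3: RSA signature over the session key


def split_blocks(msg: bytes) -> List[bytes]:
    """Split the serialized payload using the block header at offset 8."""
    if len(msg) < 9:
        raise ValueError("message too short for a block header")
    count = msg[8]
    sizes = msg[9:9 + count]
    if len(sizes) != count:
        raise ValueError("truncated block header")
    pos = 9 + count
    blocks = []
    for size in sizes:
        block = msg[pos:pos + size]
        if len(block) != size:
            raise ValueError("truncated block")
        blocks.append(block)
        pos += size
    if pos != len(msg):
        raise ValueError(f"{len(msg) - pos} trailing bytes after the last block")
    return blocks


def parse_key_exchange(msg: bytes) -> KeyExchange:
    """Interpret a first key-exchange packet as the three blocks described in the text."""
    blocks = split_blocks(msg)
    if len(blocks) != 3:
        raise ValueError(f"expected 3 blocks, got {len(blocks)}")
    key, pub, sig = blocks
    if len(key) != 16:
        raise ValueError("session key block must be 16 bytes")
    return KeyExchange(msg[0:4], msg[4:8], key, pub, sig)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_rsa_public_key(ber: bytes) -> Tuple[int, int]:
    """Return (modulus, exponent) from SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, _ = _read_tlv(ber, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


if __name__ == "__main__":
    kx = parse_key_exchange(FIRST_PACKET)
    n, e = decode_rsa_public_key(kx.public_key_ber)
    print(f"session key : {kx.session_key.hex()}")
    print(f"peer RSA key: {n.bit_length()}-bit modulus, e={e}")
    print(f"signature   : {len(kx.signature)} bytes")
```

On the captured packet the three blocks split cleanly at 16, 72 and 64 bytes with nothing left over, and the BER block decodes as a 512-bit modulus with public exponent 17, which matches the 64-byte signature that follows it. The response packet is not parsed here because its header bytes do not follow the one-byte-per-size layout the text describes for the first packet.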

The remote peer responds with a message similar to the following:

```
00000000  1a 28 72 06 f2 55 55 45  02 40 a1 01 40 b7 fd 8e .(r. .@..@...
00000010  e0 d1 88 4f ab cd 1d c3  fc e5 bf e2 5f 03 46 3f ...O.... ...._.F?
00000020  2f f3 43 92 67 15 ac ed  3c 68 49 88 27 55 5a b5 /.C.g... <hI.'UZ.
00000030  cf a4 92 c2 38 74 27 12  a8 1e e7 62 ef 63 49 9b ....8t'. ...b.cI.
00000040  e9 4f 85 3c 69 1f d2 b6  d8 e6 52 38 04 88 3a 93 .O.<i... ..R8..:.
00000050  41 b0 f8 b6 ef e0 a7 64  68 47 70 1a 2c 86 b7 93 A......d hGp.,...
```

### Possible Ties to the Russian Government?

There has been speculation that some criminal threat actors, including Severa, have had ties to the Russian government [9][10]. In criminal underground forums, members discussed Severa having connections to the Russian government, such as the Federal Security Service (FSB), possibly due to his frequent displays of patriotism for Russia. There is no clear evidence that these claims were legitimate, but Severa played into these rumors with a forum post on April Fools’ Day in 2013. In this post, Severa discussed an offer that he allegedly received from the FSB to lead a team in their Center for Information Security, in a new division called the OSBIB (Separate Special Battalion of Information Security). He claimed that he was ordered to hire the first 100 members of this team (out of the 500 required within the first year) and that he had been given significant latitude in the recruitment process. Severa described the intent of this new department as protecting Russia from electronic threats and providing a reactive response if required. The post instructed interested applicants to submit a resume and specifically requested details about illegal hacking activities and botnet development. Severa also remarked that if an applicant had conducted criminal activity but was hired into the program, they would be given full amnesty.

The primary requirements for applicants were that they have Russian citizenship, be between 18 and 45 years of age, have a strong knowledge of computer security, work well in teams, and possess excellent problem-solving skills. Applicants with a higher education in a technical field as well as those with past military experience were preferred. Severa also stated that those who were successful in the interview process would be subject to a trial period and would receive official officer ranks thereafter. The post explains that the office would be based in Moscow and those employed would receive a full FSB benefits package, including family accommodation, and a salary starting from 150,000 Rubles per month. Severa concluded the post with a message of Russian solidarity, stating that it was time to pay back the motherland.

Although this post was written on April Fools’ Day (Severa had also written a post on the prior April Fools’ Day about working for Microsoft), there is a possibility that the timing was intentional for plausible deniability.

The most concrete evidence that Levashov may have had a relationship with the Russian government is from when he appeared in a Spanish court in September 2017 to fight extradition to the United States. During the trial, Levashov stated that he had worked as a military officer for Russian president Vladimir Putin’s United Russia party for the last ten years, gathering information on the opposition [11]. However, his claim was later denied by United Russia.

### The Author of the Kelihos Malware

While Levashov was the operator of the Kelihos botnet, he likely did not write the malware. At least one of the actors responsible for authoring the malware appears to be a Russian individual named Andrey SABELNIKOV. There are several strong links associated with Sabelnikov, including his GitHub page [8] shown in Figure 4. The project, known as epee, contains a significant portion of the non-malicious parts of Kelihos, including a custom and complex serialization library, network functions, registry tools, hashing routines, and an SMTP client.

Figure 4. Screenshot of Sabelnikov’s Public GitHub Page

## Outlook

With the Kelihos spam botnet no longer in operation and Levashov behind bars, multiple criminal operators turned to different spam botnets to distribute their crimeware. Spam botnets such as CraP2P (often wrongly identified as Necurs, which is a for-sale rootkit that is used by multiple botnets) and Cutwail are viable replacement options. CraP2P has frequently been used to distribute other malware such as Locky and Dridex, but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos. Both these spam campaign types were previously distributed by the Kelihos spam botnet, indicating that respective ZOMBIE SPIDER customers may have switched services.

One spam alternative was offered by a criminal actor who is thought to have been one of ZOMBIE SPIDER’s main competitors, having had previous disagreements on who provides better services. This individual reminded users of his spam services in a forum thread about Severa’s arrest, posted just three days later.

## Appendix

Although the Kelihos botnet is now inactive and no longer under the control of ZOMBIE SPIDER, some infections may remain. To help identify and clean them up, we share the YARA rule below, which looks for the three RSA public keys embedded in the malware. Since Kelihos executables are packed with various packers, this rule will not detect variants on disk; instead, it should be used to scan the memory of running processes.

```yara
rule kelihos_e : kelihos commodity spambot {
    meta:
        copyright = "CrowdStrike, Inc"
        description = "Kelihos.E embedded RSA keys"
        version = "1.0"
        last_modified = "2018-11-29"
        malware_family = "Kelihos.E"
        in_the_wild = true
    strings:
        $rsakey_extinfo = "MIIBCAKCAQEArhNkAqO5rfZkXRlmtrZQ4lB0HDPCF9pROK0upgPxKamx7W8mY7GBe3Qk6npYNxHNtV6DN1g+EoSQaMfhpxxlcvMCnvuivJdLN6oQg7UWfqx2CKNvCLObIKEXjlBWcKOxROXYjc7utCwLR8zKbHd0rg8CJ17iLDzbJlyJy2S/whiOOdCLZh1eQGLpXeLEtRE1ev/93Q2tPw3oE2n+eaIpHgSuyrBsbtG3WsEdVyrvEIjeEZV4TLVACose0NkL/bVRnLshx1k2bsDIEgtVFwUsd9waGAI5Gn1wUvC83uTXrJWm4nbaOpK/JvvEMwvsPvLeF7hU/VsjFpzAjqJ/t5LXEQIBEQ=="
        $rsakey_jobinfo = "MIIBCAKCAQEAn5+cs80qt/4pslfUwTspXxTxVzmk0f9Oxt8on/jyQiuIG/oAhvefsYaDX/xivlvft34T0PhF/8/oAuXCfH4KPJ+GYFLe1hFR7EVdPfVKPRcTd4RB7tUHXpPUQ/m0fa93wBkqdf2hBRTy70o8k04ppqwunYb0CKEbsljzbgxxVjBZet8Jv76cBQfbXio7nbPUTZVUsrAD/r1hhdWoKKvTxiuZ6Hva9vF39rd1gz419jI44tQUYPA/xl5YHl7CdspOZL/8aZjgnqGNf1caowO93RNEmsXJIEhBzhKlrvqaZxeaDMB+LW8brExUqztP44NWQVgjnIKRbMfZGMpgdi3rXQIBEQ=="
        $rsakey_routers = "MIIBCAKCAQEAqQ8pkPATx8TUt7IaMWXcUwGpkZKmyrHyZj4Asf0f/gXi/FjisO91yNEbuG0ilVNQg+Y4jaycxp/o+iEoEF9CmozwP5F8I9UclBnopTpcHoDdlnWzC99IAkuqpqIM4cromjr894Y58BiwZrbjxnn/XlJzdj472ANgtKpJPO8OxBDPJGWf5F3/T73NomD6yQUJgwqSucHUtb5XOh4PpAvpyCHwqJ/HpRs0ekdeteyL46zkUGjHTJ7DzAE4j7DrOvcGtkfEeyQ8Xv3W7DLnL+gh18e9mcWKpvyQqWOtF8isFLT8d4FCAFGvjNMSjsbrynmFO5ETmSBJPX9DnR+2PA5p1QIBEQ=="
    condition:
        all of them
}
```

#### Footnotes

1. https://blogs.technet.microsoft.com/microsoft_blog/2010/02/24/cracking-down-on-botnets/
2. https://securelist.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-the-hluxkelihos-botnet-15/31058/
3. https://www.crowdstrike.com/blog/p2p-botnet-kelihosb-100000-nodes-sinkholed/
4. https://www.crowdstrike.com/blog/peer-peer-poisoning-attack-against-kelihosc-botnet/
5. https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0
6. https://krebsonsecurity.com/tag/peter-severa/
8. https://github.com/sabelnikov/epee
9. https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html
10. https://www.forbes.com/sites/thomasbrewster/2017/03/20/alexsey-belan-yahoo-fbi-hacker-allegations/