Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kelihos Relying On CBL Blacklists To Evaluate New Bots

Posted by samzenpus on from the make-your-time dept.

Gunkerty Jeb writes "Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins. According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim's IP address has previously been flagged as a spam source or as a proxy."

23 comments

  1. Even bot-writers have to get modern eventually by gweihir · · Score: 5, Insightful

    Real-time block lists have been the standard for blocking spam for quite a while. There is nothing new here, just some bot-net developers finally catching up.

    I have to say I am ambivalent about this. On the one hand, it will taint a number of IP addresses (or whole subnets if the RBL provider is stupid, and some are). On the other hand, it will drive home the point that server security is non-optional, which is a good thing.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Spam is good! by greg.allen.uk · · Score: 2

    Just send out loads of spam from your PC, or self-nominate your IP as a source of spam to get yourself immunity from the smart bots.

    1. Re:Spam is good! by Zocalo · · Score: 4, Informative

      Chances are that the CBL check is just to determine whether the compromised PC is likely to be useful for sending spam or not. If the check comes back with a positive listing, then the PC will simply be used for other things such as launching DDoS attacks, hosting support services and so on. If you want to try and make a PC useless to smart bots, or as near as it can be, in the event of a compromise then robust egress filtering of outbound connections is a far better way to go. As a bonus the logs from your egress filters should also make it much easier to detect when hosts have been compromised so that you can deal with them promptly.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re: Spam is good! by DigiShaman · · Score: 1

      In other words: Admins should be restricting all outbound SMTP traffic (port 25) to everything inside the network except the e-mail server itself.

      Need the ability to POP email out?Use an SSL connection. Done!

      --
      Life is not for the lazy.
  3. What is Google ? Something different ? by wakely · · Score: -1, Troll

    Stealing Bitcoins and pushing spam. Bah, what is Google about ? Stealing data and pushing their spam on first position.

    1. Re:What is Google ? Something different ? by dreamchaser · · Score: 1, Insightful

      Stealing Bitcoins and pushing spam. Bah, what is Google about ? Stealing data and pushing their spam on first position.

      Google doesn't 'steal' anything. They make it perfectly clear what their privacy policy is. They also don't push spam. They're an advertising company. They give people free services. Those people who choose to use those services are agreeing to their terms.

    2. Re:What is Google ? Something different ? by mythix · · Score: 0

      If I send an email to a gmail account, from a non gmail account, I did not agree to anything. Still they scan my message, and probably keep, use or sell the info they harvested.

    3. Re:What is Google ? Something different ? by kqs · · Score: 2

      If I send a letter through the Postal Service to my friend Alex, then Alex can show the letter to other people, or even have a service open the letter to sort it and to throw away circulars and junk mail. OH NOES ALEX IS INFRINGING MY RIGHTS. And according to you, so are anti-spam systems.

      Also, do you have any proof that Google sells information about anyone, or are you just confused and ranting?

    4. Re:What is Google ? Something different ? by Overzeetop · · Score: 3, Insightful

      Trust requires two people. If you don't trust the party on the other end, you shouldn't be sending them email. It's not the only way to communicate.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    5. Re:What is Google ? Something different ? by bmo · · Score: 1

      Then blacklist gmail from your outgoing mail.

      Wow, that was difficult.

      But where does it end? Do you read the privacy policies of all your recipients' hosts? How many hours are in your day? Do you include that useless-as-tits-on-a-bull "this is proprietary information blah blah blah" legal "disclaimer" on the bottom of your email?

      Where does your insanity end?

      --
      BMO

  4. Kelihos, the peer-to-peer botnet by dgharmon · · Score: 3

    Shouldn't that be Kelihos, the peer-to-peer Windows botnet ..

    --
    AccountKiller
  5. So what? by horm · · Score: 1

    They're using these blacklist services for exactly what they're intended for: to determine if certain hosts are known to be sources of spam. It's not like they're leaking information they didn't intend to distribute.

    1. Re:So what? by Anonymous Coward · · Score: 1

      I agree, all this will do is add more IPs to the spam databases, and in my opinion, that's probably a good thing. The only downfall I can see with this is making the virus sleep or attempt to obtain new IP addresses until its not blacklisted, but I don't see that being a problem in practice either, because residential users shouldn't be sending mail anyways, and businesses should be monitoring their mail servers and firewalls.

  6. re : Christina lauras by Anonymous Coward · · Score: -1

    I have to say I am ambivalent about this. On the one hand, it will taint a number of IP addresses (or whole subnets if the RBL provider is stupid, and some are). On the other hand, it will drive home the point that server security is non-optional, which is a good thing.
    _______________________________
    __

  7. Blocklists @ BOTH IP & host-domain levels by Anonymous Coward · · Score: 1, Informative

    For firewall blocklists AND hosts files users block lists also:

    http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html

    * Enjoy!

    APK

    P.S.=> It's a COMPLETE RUNDOWN of what the Kelihos botnet utilizes (and thus, what to blockout @ BOTH the firewall &/or custom hosts file levels for "layered-security"/"defense-in-depth")...

    ... apk

  8. How's my post off-topic/Why downmod? by Anonymous Coward · · Score: -1

    Whoever downmodded my post = fool: It's meant for YOUR use in protecting yourselves & others!

    * To the downmodder - How STUPID could you be?

    (OR, are you the botnet master of Kelihos *trying* to "hide" information that can screw you up?)

    Take your pick, on that note...

    ---

    To admins here:

    Blocking me from replying afterwards as well, when I've only made 1 post today? Please - wtf is THAT about also??

    Clue/New NEWS/NewsFlash: I was *trying* to be helpful, for Pete's sake!

    ---

    In closing, all I can say, is this (& I'm not doing the saying of it):

    "Someone asked him 'why', & he said 'The people that are trying to make this world worse are not taking a day off: How can I?" - Dr. Robert Neville, I AM LEGEND.

    (Get THAT through you heads...)

    APK

    P.S.=> Lastly (as to my posts' content): It's also FAR from "off-topic" since that page lists Kelihos ENTIRE C&C structure, bogus DNS servers, & more!

    (To blockout for protection in BOTH firewalls rules tables &/or custom hosts files in "layered-security"/"defense-in-depth" fashion - especially since this thing puts in firewall rules of its own!)

    ... apk

    1. Re:How's my post off-topic/Why downmod? by Anonymous Coward · · Score: 0

      1. Go look up "persona non grata", which is what you've made yourself here, thanks to the flood of long-winded missives about hosts files and your crappy host files app that you've polluted countless ./ discussions with.

      2. Go die in a fire.

    2. Re:How's my post off-topic/Why downmod? by Anonymous Coward · · Score: 0

      If apk's program = crappy, then prove how it is here http://it.slashdot.org/comments.pl?sid=4146239&cid=44723019 where you're given a fair challenge to disprove his points on the value of custom hosts files then.

    3. Re:How's my post off-topic/Why downmod? by Anonymous Coward · · Score: 0

      /.ers post redundant advertiser owned crippled by default addons in Adblock, Ghostery, RequestPolicy, SpamAssasin etc. by comparison to hosts files that do more for less. So apk can post what he likes too if they can. You don't own this site troll, get over it. Use your time wisely helping others as apk has instead, or is that beyond your limited intellect, abilities\means? Obviously it is and all you can do is troll by anonymous coward posts and apply bad downmods rather than be constructive. Sucks to be you.

  9. composite blocking lists by Livius · · Score: 1

    I wondered what kind of black listing the Canadian Baseball League was up to.

  10. Funny how I ended up + 1 Informative then by Anonymous Coward · · Score: 0

    You're welcome to disprove what I state my program does here:

    ---

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    ---

    * In the enumerated list of 17 points there where they extoll how custom hosts files gain users of them better added speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious hosts-domains serving mal-content + block spam/phish links), reliability (vs. downed DNS or vs. Kaminsky vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's)

    APK

    P.S.=> You failed in your downmod, & you'll FAIL @ disproving those facts as well (despite your attempt @ applying unjustifiable downmods to my posts)...apk

  11. Funniest part's I didn't note my app by Anonymous Coward · · Score: 0

    Even funnier was my being modded up in my 1st post in the end to "+1 Informative" -> http://it.slashdot.org/comments.pl?sid=4146239&cid=44715063 in the end.

    Despite the troll moron's UNJUSTIFIABLE downmod he applied using his registered 'luser' account, & then trolling by AC!

    (It's a KNOWN big weakness of /.'s foruns (along with being able to create 100's of 'sockpuppet' fake registered luser accounts for upmodding themselves & downmodding others they don't like - which the troll you replied to probably does also, "HBGary/Chinese Water Army" style))!

    So, in the end?

    You're right: Thus, Troll can NOW disprove what I do state my custom hosts file program yields, as I challenged that TRULY cowardly ac troll to do here -> http://it.slashdot.org/comments.pl?sid=4146239&cid=44723019

    (Which he WON'T be able to do - As 100's like him have tried, not a SINGLE ONE has been successful! Not even ONCE...)

    APK

    P.S.=> Yes, folks: It's NOT EASY being "world-class" like myself creating useful programs that've done well for decades++ in the freeware/shareware world (ontop of enterprise-class/mission crtical data systems & commercial wares on my end professionally also), & By STOMPING trolls, with facts/truth (hence his "geek angst" ridden reply he can't 'backup his b.s.' with vs. my simple challenge to him above), lol... apk

  12. 50++ /.'ers disagree with you troll by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=4146239&cid=44715063

    http://it.slashdot.org/comments.pl?sid=4081759&cid=44546757

    http://tech.slashdot.org/comments.pl?sid=3989671&cid=44321359

    http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431

    http://tech.slashdot.org/comments.pl?sid=3985079&cid=44311011

    http://yro.slashdot.org/comments.pl?sid=3459251&cid=42894295

    http://yro.slashdot.org/comments.pl?sid=3488893&cid=42993337

    http://yro.slashdot.org/comments.pl?sid=3488893&cid=42993393

    http://yro.slashdot.org/comments.pl?sid=3647643&cid=43447983

    http://yro.slashdot.org/comments.pl?sid=3137925&cid=41429093

    http://yro.slashdot.org/comments.pl?sid=3397505&cid=42651965

    http://yro.slashdot.org/comments.pl?sid=2940173&cid=40455449

    http://mobile.slashdot.org/comments.pl?sid=2734503&cid=39408607

    http://it.slashdot.org/comments.pl?sid=2857487&cid=40034765

    http://mobile.slashdot.org/comments.pl?sid=2644205&cid=38860239

    http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216

    http://yro.slashdot.org/comments.pl?sid=2614186&cid=38658078

    http://yro.slashdot.org/comments.pl?sid=2611414&cid=38639460

    http://yro.slashdot.org/comments.pl?sid=2926641&cid=40383743

    http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458

    http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066

    http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596

    http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850

    http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584

    http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722

    http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700

    http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450