Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kelihos Relying On CBL Blacklists To Evaluate New Bots

Posted by samzenpus on from the make-your-time dept.

Gunkerty Jeb writes "Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins. According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim's IP address has previously been flagged as a spam source or as a proxy."

13 of 23 comments (clear)

  1. Even bot-writers have to get modern eventually by gweihir · · Score: 5, Insightful

    Real-time block lists have been the standard for blocking spam for quite a while. There is nothing new here, just some bot-net developers finally catching up.

    I have to say I am ambivalent about this. On the one hand, it will taint a number of IP addresses (or whole subnets if the RBL provider is stupid, and some are). On the other hand, it will drive home the point that server security is non-optional, which is a good thing.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Spam is good! by greg.allen.uk · · Score: 2

    Just send out loads of spam from your PC, or self-nominate your IP as a source of spam to get yourself immunity from the smart bots.

    1. Re:Spam is good! by Zocalo · · Score: 4, Informative

      Chances are that the CBL check is just to determine whether the compromised PC is likely to be useful for sending spam or not. If the check comes back with a positive listing, then the PC will simply be used for other things such as launching DDoS attacks, hosting support services and so on. If you want to try and make a PC useless to smart bots, or as near as it can be, in the event of a compromise then robust egress filtering of outbound connections is a far better way to go. As a bonus the logs from your egress filters should also make it much easier to detect when hosts have been compromised so that you can deal with them promptly.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re: Spam is good! by DigiShaman · · Score: 1

      In other words: Admins should be restricting all outbound SMTP traffic (port 25) to everything inside the network except the e-mail server itself.

      Need the ability to POP email out?Use an SSL connection. Done!

      --
      Life is not for the lazy.
  3. Kelihos, the peer-to-peer botnet by dgharmon · · Score: 3

    Shouldn't that be Kelihos, the peer-to-peer Windows botnet ..

    --
    AccountKiller
  4. So what? by horm · · Score: 1

    They're using these blacklist services for exactly what they're intended for: to determine if certain hosts are known to be sources of spam. It's not like they're leaking information they didn't intend to distribute.

    1. Re:So what? by Anonymous Coward · · Score: 1

      I agree, all this will do is add more IPs to the spam databases, and in my opinion, that's probably a good thing. The only downfall I can see with this is making the virus sleep or attempt to obtain new IP addresses until its not blacklisted, but I don't see that being a problem in practice either, because residential users shouldn't be sending mail anyways, and businesses should be monitoring their mail servers and firewalls.

  5. Re:What is Google ? Something different ? by dreamchaser · · Score: 1, Insightful

    Stealing Bitcoins and pushing spam. Bah, what is Google about ? Stealing data and pushing their spam on first position.

    Google doesn't 'steal' anything. They make it perfectly clear what their privacy policy is. They also don't push spam. They're an advertising company. They give people free services. Those people who choose to use those services are agreeing to their terms.

  6. Blocklists @ BOTH IP & host-domain levels by Anonymous Coward · · Score: 1, Informative

    For firewall blocklists AND hosts files users block lists also:

    http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html

    * Enjoy!

    APK

    P.S.=> It's a COMPLETE RUNDOWN of what the Kelihos botnet utilizes (and thus, what to blockout @ BOTH the firewall &/or custom hosts file levels for "layered-security"/"defense-in-depth")...

    ... apk

  7. Re:What is Google ? Something different ? by kqs · · Score: 2

    If I send a letter through the Postal Service to my friend Alex, then Alex can show the letter to other people, or even have a service open the letter to sort it and to throw away circulars and junk mail. OH NOES ALEX IS INFRINGING MY RIGHTS. And according to you, so are anti-spam systems.

    Also, do you have any proof that Google sells information about anyone, or are you just confused and ranting?

  8. Re:What is Google ? Something different ? by Overzeetop · · Score: 3, Insightful

    Trust requires two people. If you don't trust the party on the other end, you shouldn't be sending them email. It's not the only way to communicate.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  9. Re:What is Google ? Something different ? by bmo · · Score: 1

    Then blacklist gmail from your outgoing mail.

    Wow, that was difficult.

    But where does it end? Do you read the privacy policies of all your recipients' hosts? How many hours are in your day? Do you include that useless-as-tits-on-a-bull "this is proprietary information blah blah blah" legal "disclaimer" on the bottom of your email?

    Where does your insanity end?

    --
    BMO

  10. composite blocking lists by Livius · · Score: 1

    I wondered what kind of black listing the Canadian Baseball League was up to.