Win32/Kelihos (+Waledac downloader) - Page 3

Re: Win32/Kelihos

#19029 by hx1997
Sun Apr 21, 2013 3:10 pm

Due to the tragedy in the US and malvertisement, Kelihos is rapidly spreading recently. And here are 275 Kelihos samples, downloaded today.

http://sdrv.ms/ZdeMoJ (SkyDrive)
Password "infected"

Username

hx1997

Posts

101

Joined

Sat Apr 07, 2012 12:16 am

Re: Win32/Kelihos

#19038 by unixfreaxjp
Mon Apr 22, 2013 4:51 am

yeah, our team (RJ) decoded that (docs) during the case. see the blog for overall info, we can nail all redkit channel by this but i doubt for kelihos botnets
.. we detected 250+K infected pc(botnet) involves in this infection.

for the malware scum who read this:
f*ck Redkit moronz, f*ck Kelihos scums!!
you ain't that smart, we show you what smart is. you GO DOWN!!

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Win32/Kelihos

#19456 by unixfreaxjp
Wed May 29, 2013 2:24 am

The hard work by @SetAbomine, Up & Alive Kelihos Download Link in historical record:

@Set_Abominae
Khelios binary URL, Dates: 2013.05.21 - 2013.05.27
NOTE: Contains malicious URL which may harm your system.
Use with caution.

Code: Select all

    audpuu5b.zeqromoj.ru/rasta01.exe - 78.26.178.99 - 5dd05bffa9a3688cb5b68c87825df554f7848593177a552b682761338cf446e2
    byxjixfe.us/angrim2.exe - 181.51.232.235 - 63efe2bf16258f695ccf780c946756955f649eade3a685d893f657aff52a1ce0
    byxjixfe.us/angrim2.exe - 93.78.107.64 - 3bb73d4f6fd64366ba48e1be0ea869bb0389d4d673e28692963835713cf2a01e
    byxjixfe.us/newmay4.exe - 77.122.164.173 - 20dabb4f409ce9f4938cca94b8d0e28c8cfafbf0483a2446d45931e04b058d8a
    byxjixfe.us/userid1.exe - 95.140.207.136 - 6185bbcaa4b59f456788a8351dc3ac20a714f439016a2aac43cbbe76f44454b1
    cefuknew.us/newmay4.exe - 119.171.113.125 - 703f8791916439dd270684dd7e137dc1bde998cae8bd1438ca83e56df34b18c3
    cefuknew.us/newmay4.exe - 62.84.251.128 - 7afe3fb1de9b70994028c1d9e45e62d8b5f3b417cac46c3e174a39ab5627a60f
    cefuknew.us/userid1.exe - 151.0.53.150 - 649d36fde6875d8c36985807e22cc1eefea1724e4b8c851e267e02f080d7a084
    cefuknew.us/userid1.exe - 188.173.98.147 - 0d51c6c24064d1344ffb8af23014cf36769dd148e305a062b9ca1b7a5b4cb815
    cytpaxiz.us/userid1.exe - 163.27.205.57 - dbfa05776f817c68bae0662ace25d22fe1fe4eadeed9b8ff82ab993a93b8164b
    cytpaxiz.us/userid1.exe - 74.213.97.7 - 23a899084c535bc8d727e960f285d34b169d554601fd5a6b03eb00ee10981240
    dagmuzad.us/angrim2.exe - 188.230.9.64 - ced78fc427a62cf8487786e0b7229c03c8ca90d544cd60968a98c4410c7aaf4b
    dagmuzad.us/angrim2.exe - 95.137.226.200 - 40f6942527e133a74bf891a661bd3deb62798bb3992762e5230a0a03cc6c2482
    dagmuzad.us/userid1.exe - 178.172.196.250 - cd782c0799cf25932faac842fff384c2399a878dc086cec7bc0e11ac871b8a27
    dagmuzad.us/userid1.exe - 46.226.164.67 - a82abcf713824ee199d2036deac1049d68bbb03b8d6112ce49f75768f01b20e2
    dagmuzad.us/userid1.exe - 59.171.116.82 - bd1dcfa3a9f69ed606f89f58ce64ec76463761a93202ece6d7386db178051f16
    elkihmes.us/newmay3.exe - 37.229.217.41 - 64d0b003a8ee092548e1be432f72b9ad209a2b67d3e3e5a49a296ec018077e59
    elkihmes.us/newmay3.exe - 46.185.46.191 - 7ba5576f07900c2039e426030242041bbb8b40bb38f9e30522bab2e30cb85cab
    faggefzy.us/newmay4.exe - 78.49.205.102 - 94378cdee9351330e1df71e000affdb7af02c035707371ceaed98f57e7ab1a31
    faggefzy.us/newmay4.exe - 83.143.203.11 - 6f3c2746957e0f80287e905fdf240f15439f56dee344bc197f5c77c4bfddc518
    filnilag.us/newmay4.exe - 50.136.163.28 - 475c323c4105646138ae6a332bbf411ec5621d618a215800150e3cafabb445a8
    giroqviq.us/newmay4.exe - 46.211.238.88 - 73dd9e303d1b442d3bd9445919b069642607a8ec0321b2d3f20e05bb4e79efe7
    giroqviq.us/newmay4.exe - 93.79.45.177 - 8b6b574a745b5ecc0a4d7cddf40036a91e8fa7e565fe70d4f642e3d11fea5ed9
    huhsewoj.us/angrim2.exe - 5.53.130.252 - f856240c8457f4349f6d343073586bfa5424a89b8c729d9a712755f59940048e
    huhsewoj.us/newmay3.exe - 78.139.154.68 - 25252f441cce8e57daa63eb5065ae5d94cf8963cd52637fc96b650aaf14fe6bb
    huhsewoj.us/userid1.exe - 114.176.101.26 - a82abcf713824ee199d2036deac1049d68bbb03b8d6112ce49f75768f01b20e2
    huhsewoj.us/userid1.exe - 89.76.174.248 - 0993109f1148d3ed1cc6cd43e59406111e6e6f4ab20cabb9a4453dd0613fe024
    imkiqrec.us/newmay4.exe - 93.79.65.64 - 7631ad8e251270e21fa5461cbae2fe5b3d1b53284849099438984bfbbfdd6cb0
    imkiqrec.us/newmay4.exe - 94.76.120.24 - a09b7e12bd37cab45e8a1456b77c97fbc977c26fa1323e13492601acf4cdd7b2
    imkiqrec.us/rasta01.exe - 46.119.85.20 - e001e4fff058910453ea6f8c833ba91febb9699adae4d5108eb01e892ce10a86
    konaxkex.us/angrim2.exe - 176.8.155.33 - 034b086780acb8010a8a9ef4c3841add852e34cb1fd654a8decf653fd2bb6041
    konaxkex.us/userid1.exe - 77.123.11.234 - 388f971fccc8e59105337f2fc9d243eb573d99fd707e5a75935ad1c26b02e7cf
    kubfamyt.us/userid1.exe - 46.119.114.9 - f33cdaa2f8d6143f2a6d7aa13c2d1ad6a50ec8837397e018b27d8e83d4923aeb
    kuqruciq.ru/userid1.exe - 109.86.232.193 - 0993109f1148d3ed1cc6cd43e59406111e6e6f4ab20cabb9a4453dd0613fe024
    kuqruciq.ru/userid1.exe - 83.170.192.154 - 6e35af4cec6e111b0c79e64de6e86637745768690b2fddd328dc9ad1edc1bd59
    meroizre.us/newmay3.exe - 178.214.170.179 - 0b1b7d9a36b13d1f5663925ccb20b21627a27d534a76d6e41d7e7a73803b97c4
    nycyldys.us/newmay4.exe - 153.188.143.187 - 3e9a5655fa49433c88ca38510113890d1f3f4ebde7661ce1a30e5929ff915e58
    ohziqtow.us/angrim2.exe - 46.35.237.206 - a02d34ecf41d9abefc579f353f7a40f50c1e96781680deb827044e1f6b3ea1a1
    ohziqtow.us/angrim2.exe - 93.77.228.250 - 08ce49ed60dc638ae24441db46161c8326a73a1b86a23f70c04e195e4f117b8c
    ohziqtow.us/rasta01.exe - 219.204.4.23 - eb29c284f3b9e8652f9cf7e9bfeb3d791ae895de8b773f7009801b72ef26688d
    ohziqtow.us/userid1.exe - 109.162.120.208 - c6496d9b84e8083955ea1e3fa78a59039fbce41840d1c31c89b12eb205d64b18
    ohziqtow.us/userid1.exe - 77.123.33.191 - d451ae389491a38479969edb8eafce787b8ab360cfa5f7a04ea7fe6f26074ef3
    pavpujot.us/newmay4.exe - 198.71.104.135 - 6f9ea8ce96c7ed89fe3b68feba475baae3c79decd372a10088cc8298b064e676
    pekrenis.us/newmay4.exe - 37.229.188.248 - a09b7e12bd37cab45e8a1456b77c97fbc977c26fa1323e13492601acf4cdd7b2
    poqmokyd.us/newmay4.exe - 89.67.6.109 - db581032b7db41d4707ef1f4cbffdf79666da1b08aa8112588996f1843e1f098
    pyrogtib.ru/newmay3.exe - 78.84.152.1 - 8940ffb0664f55d6c3ee578e8a98fe6afffdf283ac3385394c2df15ba75e165c
    qimyxona.us/newmay4.exe - 178.158.180.192 - 9d336d43bdaa2a6ddbeaa8fb20286d4a077e3c1ef22e85970e8a66dfed0cadbc
    qimyxona.us/userid1.exe - 31.42.68.237 - 3a521db936be8f967c4fb3d549389a6178f5fd16bd5b1900b4369c83e38b539f
    qimyxona.us/userid1.exe - 37.57.36.55 - fecfb91f445029ae75777d540970c0ecd3c43e2f3299e568354a02c4484c9ec8
    qimyxona.us/userid1.exe - 93.77.27.193 - cf71f27e78c2c8d746c7934634156f77b5c83e9ec42d97eef052c8c7574a7f7e
    qomrujiz.us/angrim2.exe - 31.192.7.215 - 4a2af76cbfe667c0145258f541984af0c6461057964c4725b7883970a2007c6a
    qomrujiz.us/angrim2.exe - 77.47.190.242 - b63ec1a8e347680733db160ce3af36aa60aca33f77cd72f029eb97a0704af97b
    qomrujiz.us/angrim2.exe - 93.79.11.57 - f43e85d7248813d72b20026fb63de3062fd5ade1509f63dcfa7e7709f50dea2d
    qomrujiz.us/instal2.exe - 114.25.68.11 - d3d370ff493f962568e3b157a33e24e15cbf34cacc3521e666227fd8d0f64b5f
    qomrujiz.us/instal2.exe - 37.229.90.216 - f39a7663a8c6a3a0a651973681c818af40590c6aabb9b62e385295db20c19364
    qomrujiz.us/instal2.exe - 77.122.22.101 - b81131839fdc30525bc887a3a549e3a4aadd05cf2ce32178cb8d94bf4d336c09
    qomrujiz.us/newmay2.exe - 186.14.118.253 - 88a37befc1525f367c21128b99d396cba5420ecf47d2176f558eb0ae90837d50
    qomrujiz.us/newmay2.exe - 93.79.39.37 - be1084beb7ede443b2fb2986a9e629911f6fc1905345437bda2213c3c5f3f460
    qomrujiz.us/newmay3.exe - 114.180.188.203 - 11cf6daa654f85018e47a786a69a95a7d0ffd5436baeca89a8f632be2a7eb749
    qomrujiz.us/newmay3.exe - 46.119.187.61 - 45a65ed1a66af0fb6e958b213461f7dec391c51e563f01fdb70220976231ea67
    qomrujiz.us/newmay4.exe - 101.55.175.248 - 896f29a8473fd86296a8c16973f4cdefdc1e4aae1427cbbd3c3652999f0fcd7f
    qomrujiz.us/newmay4.exe - 77.121.124.251 - 910c2ea8db5731a294f27d25d8e71f2ac95190fefdaca618046960f4b444ee65
    qomrujiz.us/newmay4.exe - 83.242.85.141 - b22403d15df1773215057a9910b6a68e01eec483cec459a2545f40a7f8c62b1a
    qomrujiz.us/rasta01.exe - 213.231.7.47 - 187652fad0f19b4141b1b6676a28f69f2fa231625675c4716bd5bde0b2eeb7ce
    qomrujiz.us/rasta01.exe - 217.174.50.9 - 1f6e40959c75b38f7993ebc5d6661b095fd7bd5a09b3cf5ceb7d20834c8634b1
    ryhxibac.us/angrim2.exe - 146.255.95.71 - 4a2af76cbfe667c0145258f541984af0c6461057964c4725b7883970a2007c6a
    ryhxibac.us/angrim2.exe - 213.231.19.191 - f43e85d7248813d72b20026fb63de3062fd5ade1509f63dcfa7e7709f50dea2d
    ryhxibac.us/angrim2.exe - 42.144.132.212 - 2f385dbfefd547a79c9383dda364acb4a029572ba6eb166eaaa24055e538f4ff
    ryhxibac.us/angrim2.exe - 78.96.114.49 - 5fcd0356fd18536a04d48d787a810de3c61ccafe1abccefe9ba63d5fbdf6d433
    ryhxibac.us/rasta01.exe - 178.74.224.45 - a52be10eb0b2cd83e680737b31c94d6803f641fd67c6a9383963ae031b7ed2e0
    ryhxibac.us/userid1.exe - 176.37.208.62 - 0993109f1148d3ed1cc6cd43e59406111e6e6f4ab20cabb9a4453dd0613fe024
    ryhxibac.us/userid1.exe - 213.231.13.31 - e667ee80816a1d0ad48cab86f8be24ad1a574b37cd2ec219c390043b2ff12afc
    serelfyh.us/angrim2.exe - 37.229.107.95 - a02d34ecf41d9abefc579f353f7a40f50c1e96781680deb827044e1f6b3ea1a1
    serelfyh.us/newmay3.exe - 75.85.34.5 - fe1e223aa81b3d476e452d4156edd9c871b2b7234856707e307cf19a1f61897d
    serelfyh.us/userid1.exe - 116.3.102.198 - 399b19df3c7d039dd8869d30d0609f63855dd071f97554c211b47cfed857a336
    serelfyh.us/userid1.exe - 58.89.231.67 - 7aa8d2f04ab5df0f4d9522fd59bc03c1f557cff92a8668cbc5e091e01be0f24b
    ulanfeis.ru/rasta01.exe - 211.124.44.148 - a52be10eb0b2cd83e680737b31c94d6803f641fd67c6a9383963ae031b7ed2e0
    ulanfeis.ru/rasta01.exe - 46.119.216.199 - 6df0c2cdceccc1023751039a92bce90c2bd9543c39c8df1512cd43da88dba7a1
    ulqattyv.us/newmay4.exe - 109.254.9.5 - 8b6b574a745b5ecc0a4d7cddf40036a91e8fa7e565fe70d4f642e3d11fea5ed9
    ulqattyv.us/newmay4.exe - 46.211.64.185 - ff8bb94d0bf7098bf75cf1a58665a685d88deb5c90a5bbd9bdaa1e965ce76ee7
    uwcarhim.ru/angrim2.exe - 213.16.112.74 - 002722b5b9d08d28b7d9ed30f1819847a8c317a6d6c1d4e3ec77bada716923e1
    vebhufuj.us/angrim2.exe - 116.64.255.97 - e401352892a2d365748a2748d4815ca7125b8727f7b87278001452168510c595
    vebhufuj.us/angrim2.exe - 89.187.248.198 - 7a030225896222fa338eb9856e240372036b2090bd326b79cf3e17d72bccd10e
    vebhufuj.us/newmay3.exe - 212.8.43.38 - 5038b4c700140b52e4a1cc01114221d83a63c7ec63c6407da05f5c14bb829367
    vebhufuj.us/rasta01.exe - 178.210.214.139 - c2369ad5b133c51a896abfbeffff1e90327d1c95f096d44e70ec0fa8668739f9
    vebhufuj.us/rasta01.exe - 77.122.196.95 - 697e9509a3f1b628596123466cdaa56b0a15daafcaae7ff47cceb7fd8cf3b368
    vebhufuj.us/userid1.exe - 110.135.123.9 - e77dd11ee80fd8fd9be1ae5e0b809b5e8be0726434c19a14569c276476d3dd4e
    vebhufuj.us/userid1.exe - 31.43.57.112 - 1317ec34e4367be1a132fbcc3af8b89ef321de4556dc0a9f90cda507868a14a3
    wofgafys.us/newmay4.exe - 202.189.157.125 - db581032b7db41d4707ef1f4cbffdf79666da1b08aa8112588996f1843e1f098
    wudozkew.us/newmay4.exe - 202.169.76.219 - 8b6b574a745b5ecc0a4d7cddf40036a91e8fa7e565fe70d4f642e3d11fea5ed9
    xehokgus.us/angrim2.exe - 78.62.108.48 - 45a03666268db5f715c33d2d221f8f0ce7c49649a9a046ac03363ebe23bbb5a1
    xehokgus.us/angrim2.exe - 85.204.11.245 - e3f8fb177a815758b8abc10bc96dab2257b6d5b687027d0c7316ce86fda04658
    xehokgus.us/userid1.exe - 5.248.248.175 - 79bf042a779f71523c2da66f28c0a8f833d13108de03a51309fb4f4eeb00de1b
    ykraxbug.ru/userid1.exe - 77.120.182.80 - 7bfa306a635b9c66d198a9dccf606c19d12184174aeef815a68721c98237fb1e
    ykraxbug.ru/userid1.exe - 93.115.123.14 - 26a79cd6b3f6506285f8d89e029b35d85642dbfa29acaaf49242d5d0fd17fa3d
    ynliqxyn.us/rasta01.exe - 109.200.252.110 - 0a9395846dd5c03f5f423f8707f2140b1352d9256e15b7162a48276aa3dbd11e
    ynliqxyn.us/rasta01.exe - 176.8.151.41 - be2686fa96e992be826a93a7a88d809b2b872df7c0f3478cb5a13170e7deb01f
    zelanriw.ru/angrim2.exe - 37.57.242.48 - 002722b5b9d08d28b7d9ed30f1819847a8c317a6d6c1d4e3ec77bada716923e1
    zelanriw.ru/userid1.exe - 77.122.198.58 - b6a2a2370b3ecc18e1d38a935db6dec59cedfd292b24b6f498733aee7b551ac9
    zeqromoj.ru/newmay5.exe - 178.150.16.128 - 69bf02745b5759e83c8e217bda6efa28f4288da6e0954e175dbd77c939172d87
    zilqonyr.us/newmay2.exe - 116.64.255.97 - 8fbf36ad5e99f66bf33272147dda10e14d485f1d81a92641d610a0e91a183f54
    zilqonyr.us/newmay2.exe - 176.100.6.152 - abef39d08526c5eb934d6f0d81fc021bfdd9e47c3222b136cf98b0a2446dfd61
    zilqonyr.us/newmay2.exe - 188.230.20.84 - d5c0cedec63f7d75ea44ddf64e7a5cc611eccf0d9bf9389206d2d0060bbe584a
    zilqonyr.us/newmay3.exe - 181.165.76.32 - bd8b6587324725bc1bb5709858de75f6cfb45b40a7d03e48e92a804a75540f36
    zilqonyr.us/rasta01.exe - 123.195.112.16 - 5e2e079af9f30b161bea08c14b5da5bcc8e2ff1529308485aba22c337d7263bb
    zilqonyr.us/userid1.exe - 77.122.164.9 - 7bfa306a635b9c66d198a9dccf606c19d12184174aeef815a68721c98237fb1e
    zozvupeb.ru/rasta01.exe - 31.192.0.123 - df33e49530fb2daaaf7896ced2b71818f621a80fd94550fdab3a3d0d39e6b00b
    zozvupeb.ru/rasta01.exe - 46.250.22.4 - ee7727a52a05aa8f4ce8b13b223c3a54863659342d8525f68da21e3ecca169f9
    188.190.98.73/loader/angrim2.exe - 188.190.98.73 - 2900b8a20781341ecd0b3a23fa54e514f6c99ddb74f36d28045f3f557a6da7f8
    188.190.98.73/loader/angrim2.exe - 188.190.98.73 - 51408d78b93dd4540cd2369896eb9049c5594d7b7df75919d9a6b80b44c8cf4a
    188.190.98.73/loader/angrim2.exe - 188.190.98.73 - 5842071cbb86e535960dfd92dba3f93ed0f3b710b38a247a7fd62b4062dd9d82
    188.190.98.73/loader/angrim2.exe - 188.190.98.73 - 6a1412e9840ba0bc1faae507501145c29141913869072cd8fde66c0b1816f196
    188.190.98.73/loader/angrim2.exe - 188.190.98.73 - 9bc74ac773ab40c528b0184d2ad4de39d09cd4cbec917b6f9e970c5b965e6bac
    188.190.98.73/loader/angrim2.exe - 188.190.98.73 - b8b98900342d789098fa9d41bc617f5e37bcb802f52b9932295ab70d4fa0ed1e
    188.190.98.73/loader/angrim2.exe - 188.190.98.73 - cb4f6c1a80a81dbaf7dc1c50b9357b7317e59136a6221d16136a7fda75314da9

#MalwareMUSTDie Team

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Win32/Kelihos

#20124 by unixfreaxjp
Tue Jul 16, 2013 9:36 am

New campaign of RedKit has just softly started dropping these Kelihos:

VT detection is too low, VT: 1/46: https://www.virustotal.com/en/file/6dc9 ... /analysis/
please register this sample to as many AV as possible. I attached in tgz (stuck in a shell now..)

Attachments

sample.tgz

(829.17 KiB) Downloaded 63 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Win32/Kelihos

#20125 by unixfreaxjp
Tue Jul 16, 2013 10:20 am

Another one...

Detection ratio is zero:
Sample : userid2.exe
MD5 : 3e8202d531961cdcb124b54d4bd3d9de
SHA256 : a3d67120fa81af2ce4415b8090a946ea435e06bed9a3fca58958f04e47ee2e8e
URL : https://www.virustotal.com/en/file/a3d6 ... /analysis/
Please grab this sample for raising detection ratio, I can attached in tgz only, I am sorry.

Additional, I made a list of the Kelihos payload detected from RedKit, posted in URLquery.
This isthe link.

Attachments

userid2.tgz

(829.29 KiB) Downloaded 65 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Win32/Kelihos

#20152 by unixfreaxjp
Thu Jul 18, 2013 8:19 am

below analysis can be used for decrypting reference of the previously two posts :
http://blog.fortinet.com/Dissect-Latest ... unication/

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Win32/Kelihos

#20237 by Win32:Virut
Sat Jul 27, 2013 3:51 pm

39 files.

File is too big.

_hxxp://filesmelt.com/dl/Kelihos.7z

Password: sclab

Username

Win32:Virut

Posts

324

Joined

Sat Jun 02, 2012 2:22 pm

Re: Win32/Kelihos

#20419 by unixfreaxjp
Thu Aug 08, 2013 9:51 am

We spotted 1,287 IP address of Kelihos botnet's payload download today.
Is a result of 48 hours fighting to suppress these scums out of our beloved internet,
report is here: http://malwaremustdie.blogspot.jp/2013/ ... attle.html
(not a promotion, a share)

The IP list is here: http://pastebin.com/raw.php?i=9TxFUiX9 (with the ISP, AS and Country information)

You can add the /rasta01.exe after the IP to get the latest Kelihos sample payload for your research purpose, as per below sample:

The statistic of these infection is as per below (credit toour member: Chris J Wilson)

Please don't forget to report to your regional authority/ISP/CERT for the clean up purpose, help to protect your own country/network pls. < That's all we ask in return of these sharing..

#MalwareMustDie!

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Win32/Kelihos

#20439 by unixfreaxjp
Fri Aug 09, 2013 4:55 pm

Dear friends in kernelmode. There are many updates in Kelihos today.
1) the latest Kelihos botnet 1,290 and 1,905 unique IPs milked today are:
http://pastebin.com/raw.php?i=n06iQpUc and http://pastebin.com/raw.php?i=2vQcPA1K (2 seperate process & NS domains)
new IPs was added, can not make it time to build good graph yet.
I breakdowns the IP into reverse ip, ASN, Network segment, ISP-Code, Country, ISP name, Company responsible name,
for making the clean up go easier, so you can just grep the ISP name or your country or your network segment to see
is there any infection near you.
2) Kelihos scums was changing registrar from INTERNET.BS to PDR LTD. D/B/A http://PUBLICDOMAINREGISTRY.COM now with/RegDB: DOMALAND < please monitor new domains .COM from this guys
3) new .COM domains detected used by Kelihos:

Code: Select all

OFCIWOX.COM
HAYZNEP.COM
IKFUBLA.COM
JOEJKAB.COM
MULOCXU.COM
NEMICKI.COM
SOTLEQU.COM
ENPOMAF.COM
OFCIWOX.COM
MOHOGOM.COM
SELURAW.COM
BOBPAWA,COM 
ZAWUZAG,COM

4) New reference:

Code: Select all

http://pastebin.com/raw.php?i=PChf7G8N
http://pastebin.com/raw.php?i=TVWpjiej

5) Prologue:

If you think we do something right, spread the news for we need many support to shutdown these scums.
Inform us if you spot new Kelihos domains, in .RU,.SU,.COM or anything, we sack them down.
Please help the effort to clean up the botnet, don't let them becoming a zombie P2P botnet used by these scums, every effort to shut their system means a lot!

Have faith!

#MalwareMustDie!

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Win32/Kelihos

#20442 by unixfreaxjp
Sat Aug 10, 2013 4:48 am

Latest additional Kelihos Infected PC's data/IP address is here: http://pastebin.com/raw.php?i=LgndKyXk
Are all alive/online.
Connected to internet via dial up, no static ones..
Ia a good subject for the clean up, please spread this data to your CERT or known network.
The data is sorted, unique, and showing reversed IP for dialups PoC, you can grep/search by country, ISP or ASN.

#MalwareMustDie!

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm