A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20493  by unixfreaxjp
 Thu Aug 15, 2013 4:25 am
OP #Kelihos by #MalwareMustDie team.

Report is attached, for registered members only.
Read the comment before. Many misspellings, please bear with them.
Please support us suppressing Kelihos and please help to cleanup IP infection in your network & country.
Attachments
The attachment is a text file containing a report of the latest OP Kelihos status, shared with KERNELMODE.INFO exclusively.
The information is important for research/study purposes, suspension purposes, and mitigation purposes.
The information is free to use with mention of the MalwareMustDie group, who made a hard effort on this OP.
Any pasting of or claiming the research data on any online forum by any entity w/o mention is forbidden.
MalwareMustDie (henceforth MMD) is a legal NPO entity registered in Ohio, US and Tokyo, Japan,
withholding rights to the current data, and abuse of usage will be legally prosecuted.
---
On behalf of MalwareMustDie, @unixfreaxjp

 #20496  by unixfreaxjp
 Thu Aug 15, 2013 9:47 am
Our Russian friends, beware.
.RU started to be used again by the Kelihos scum, just now.
From yesterday's registration via Reggi.RU.
PoC is for KM members only; we won't let the bad guys see!

The used domains so far are:

DAFLYCYM.RU
NETEKWEC.RU
BESYQSOP.RU

There are many more, please be aware.
Below is the GREP formula for Kelihos domains in RU and SU via Reggi.SU:
[a-z]{8}\.[a-z]{2}
#MalwareMustDie!
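A defender-side check built on the regex above, as an added example that is not part of the original post: it anchors the pattern to a whole hostname (the bare pattern also matches inside longer names such as facebook.com) and runs it over a constructed DNS query log in a hypothetical four-column layout.

```python
import re

# Pattern posted in the thread for Kelihos .RU/.SU domains: eight lowercase
# letters, a dot, two letters. Anchored here so it matches a whole name;
# the bare pattern would also hit a substring of e.g. "facebook.com".
KELIHOS_RE = re.compile(r"^[a-z]{8}\.[a-z]{2}$")

# TLDs the post ties the pattern to. Other TLDs mentioned later in the thread
# (.info, .eu, .nl, .net, .org, .me) are not covered by this two-letter regex.
TARGET_TLDS = {"ru", "su"}


def is_kelihos_like(domain: str) -> bool:
    """True if a domain (any case, optional trailing dot) matches the thread's
    pattern and ends in one of the TLDs the pattern was written for."""
    name = domain.strip().rstrip(".").lower()
    if not KELIHOS_RE.match(name):
        return False
    return name.rsplit(".", 1)[1] in TARGET_TLDS


def scan_dns_log(lines):
    """Return (qname, line) pairs for log lines whose queried name matches.
    Assumed, hypothetical log layout: '<timestamp> <client_ip> <qname> <qtype>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip it
        qname = parts[2]
        if is_kelihos_like(qname):
            hits.append((qname.lower().rstrip("."), line))
    return hits


# Constructed sample log (not from the thread). The first three names are the
# ones the post lists; the rest are look-alikes the anchored regex must reject.
SAMPLE_LOG = [
    "2013-08-15T09:47:01 10.0.0.5 DAFLYCYM.RU A",
    "2013-08-15T09:47:03 10.0.0.5 netekwec.ru. A",
    "2013-08-15T09:47:05 10.0.0.7 besyqsop.ru A",
    "2013-08-15T09:47:06 10.0.0.7 facebook.com A",
    "2013-08-15T09:47:08 10.0.0.9 abcdefgh.ru.example.org A",
    "2013-08-15T09:47:09 10.0.0.9 abcdefghi.ru A",
]

if __name__ == "__main__":
    for qname, line in scan_dns_log(SAMPLE_LOG):
        print("suspect:", qname, "|", line)
```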
 #20503  by unixfreaxjp
 Thu Aug 15, 2013 4:26 pm
The Kelihos scum moved registrar again, into Germany. Registrar: 1API GmbH.
And they are registering payload domains like .INFO, .EU, .NL etc. from it.
PoC is below in the attachment part for KM members only. If you have a contact at 1API GmbH, please
kindly inform them to stop the registration of the randomized domains with the below regex:
Attachments
Screen Shot 2013-08-16 at 12.31.51 AM.png
 #20511  by GAGA
 Sat Aug 17, 2013 12:42 pm
Security Observer's Report
Overview
Code: SECO2013-8-1701
Title: Fake Intel
Author: Martin
Date submitted: 2013-8-17
MD5: 9B68B45AFA269BA1B0C01749FA4B**2F

Detail
Disclosure of status
2013-8-17 Security Observer issued a warning to the vendor

Detection status
2013-8-17 AVAST!: Not detected
2013-8-17 Kaspersky: Not detected
If you want to get this sample, you can send an e-mail to join us.
Link: http://www.atvirus.net/?p=1723
E-mail: partner@atvirus.net

Respond
None
But I have the sample, so I post it to our community~~ :lol:
Download:
Password: infected
https://www.virustotal.com/en/file/b71a ... 376743809/
 #20520  by unixfreaxjp
 Sun Aug 18, 2013 2:52 pm
@EP_X0FF
Cc: @Xylit0l

Kindly forgive me if this question is not a proper subject; feel free to delete this post then.
I want to ask WHY Kelihos samples, the Kelihos BotNet (I call it Momma Kelihos) like the VT-posted ones below, ALWAYS have the worst detection ratio? Upon detection it is only between 2/4x and 5/4x, on average 3/4x.
https://www.virustotal.com/en/file/4ea5 ... /analysis/
https://www.virustotal.com/en/file/c687 ... /analysis/
https://www.virustotal.com/en/file/dc26 ... /analysis/
and so on..

Even though we shared and sent the samples immediately to every AV & the public.

Is it something in the binary that makes its detection score so low?
Or is it because AV doesn't think they are important to detect and focuses on the previous layer of trojan that downloaded them?
I am afraid Kelihos has a builder that can prevent AV detection, giving a zero ratio upon release.

Best regards,
 #20522  by EP_X0FF
 Sun Aug 18, 2013 4:07 pm
Because they always virus-scan payloads on private multi-AV checkers before using them. Simple rule: EK payloads must be FUD by default for the target audience and location. If you spread malware exclusively for country X where scanners A & B are popular, you don't care if antivirus C from other country Y will detect it; you will push the bot clean from A & B antivirus detections, leaving C as is (if it is not bypassed automatically, as in most cases, because signatures are mostly common).

The binary rotates a few times per day to avoid signature updates. If an AV releases a generic signature they update the crypter, adapting to the AV changes, and everything starts from the beginning. Why does Fortinet always have a good detection ratio (compared to others)? Because they dgaf about it, as it is not available to the EK target audience.
 #20525  by unixfreaxjp
 Sun Aug 18, 2013 5:31 pm
So that's why AV is never in a winning position at all against these binaries. Thank you. Your explanation rocks, and your heart is good for sharing, respect!
Hope many users will be more aware of this fact too.
This group is truly evil, so please be careful, for you and friends who live in the same countries as these moronz.
Looking forward to seeing them behind bars.
 #20527  by unixfreaxjp
 Sun Aug 18, 2013 9:08 pm
Kelihos opened .NET domains too via BizCN.
PoC & latest info is for KM members only.
Attachments
200.png
Active registrars used now:
BizCN for .NET, .INFO, .ORG, .ME
1API GmbH for .NL, .EU
Reggi.RU for .RU, .SU

 #20589  by unixfreaxjp
 Sat Aug 24, 2013 8:08 am
The latest full set of Kelihos binary samples:
http://www.mediafire.com/?shhuvrtkxn5l9pn
Attachments
Screen Shot 2013-08-24 at 5.10.26 PM.png
