Full Disclosure mailing list archives
Securelist.com (Kaspersky) released misleading information about the actual status of the Kelihos botnet
From: アドリアンヘンドリック <unixfreaxjp22 () gmail com>
Date: Wed, 13 Nov 2013 15:50:57 +0900
Securelist.com (Kaspersky) released wrong and misleading information about the current status of the Kelihos botnet: http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_botnet_what_happened

*1) Securelist.com wrote: "At the moment we're counting about 1000 unique bots on average per month"*

Below is the CnC volume of infected peers of the Kelihos botnet in our actual monitoring counter, up to today. Even the per-country infection data stated below exceeds 1,000:

1231 PL
1710 RO
2398 BY
4051 KZ
4615 TW
6037 IN
9823 JP
18158 RU
52825 UA

Our online monitoring shows the real fact about the volume...

*2) Because of what "they" claimed they did, Kelihos is smaller now... hmm.. (?)*

As you know, the growth in 1) above is still happening; even NOW we keep on suspending and sinkholing new domains they use for spreading the payload (which is encrypted in their job servers at the CnC layer to be sent to peers for infection upgrade) on a time-to-time basis, with the total now exceeding 800+ domains from August 6th to yesterday. The current suppression effort is NOT related to the previous shutdown, from which the botnet itself actually recovered successfully. Kudos to the hard work of the many IT security people who care and work together in one coordination all over the globe on this threat. Nevertheless, even with so much help and effort achieved, the Kelihos botnet also performs a quick recovery by just releasing NEW ALIVE domains, already registered at RegTime.NET (Russian Federation registrar), listed below; feel free to confirm the registration date of these new domains as PoC.
EJEXPOC,COM
ABGYCWU,NET
CESGUMU,ORG
QYQANYB,BIZ
GOTOREF,BIZ
TOREMOA,COM

*3) Securelist.com said: "Most of the infected clients are located in Poland"*

We all know that Ukraine, the Russian Federation, Japan, India and Taiwan have been the top infected countries from day one of their recovery... It strongly suggests that the post on securelist.com does not reflect the actual situation...

*4) Securelist.com wrote: "Victims have been disinfecting or reinstalling their PCs over time"*

This is also a PoC that securelist.com, as a security vendor's research entity, does not update their actual data and uses outdated data, announcing it as recent... the "marketing" value is sensed under the blanket. New infections are actually popping up with the ALIVE payload, as opposed to the PCs that were cured/fixed; each peer has more than 10+ payloads to spread, with a smaller number of payloads existing in the loader part. Well, apparently securelist.com doesn't know this either.

*Additional:* *For your information.* Our group, MalwareMustDie, NPO, is obligated to conduct this counter-posting of "the statement" with the real facts about what is really happening in the Kelihos botnet, since "the statement" is misleading the entities that are currently making a hard effort to clean up the infection peer by peer all over the planet. The current status of the Kelihos infection will be presented in a Short Talk at BotConf 2013, in Nantes, France, Dec 2013. We are on purpose NOT posting / exposing any activities of this operation beforehand in any web format, out of respect for the intelligence and hard work of the law enforcement process in Europe and the Russian Federation in its ongoing effort to stop this threat for good. If a security entity starts to state wrong and misleading information, which is not based on the current and actual facts, then it is time for all of us to correct every mistake made with a true counter statement like this.
On behalf of the good engineers who gather in OP-Kelihos to suppress the botnet on a daily basis, bound by the promise to keep silent about the OP, we are reporting this mistake by this full disclosure announcement. These videos contain information from the infection monitoring that can reveal the evidence of the infection volume, and you can see how huge the infection actually happening now is, as listed in the YouTube video links below:

Kelihos Regional Infection (per country) Online Monitor via Web <http://www.youtube.com/watch?v=-LNJsbYK6K8>
How to View & Download the Archive of Kelihos Infection Monitoring Channel <http://www.youtube.com/watch?v=9uNcT9DwsYw>
Kelihos Volume Monitoring Applet - Country base monitoring panel <http://www.youtube.com/watch?v=4r2FKMiXhwk>

OP-Kelihos Team
Rick of MalwareMustDie / @unixfreaxjp
PGP/MIT.EDU: RSA 2048/0xEC61AB9 Query: 0xb9ad3d5bec61ab91
MalwareMustDie,NPO Research Group
Web: http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/