There has been a recent surge in security blogs warning users to be extra cautious of a new spin on an old threat. Kelihos is a botnet that uses P2P communication to maintain its CnC network. With all of the attention around Kelihos, it should be no surprise that 30/45 AV vendors detect the latest installer. I took some time to analyze recent threat reports that came through our malicious/suspicious files queue to see if I could find anything to add. It didn't take long to find a now-infamous iteration of this botnet installer in action. In particular, I found a file called "rasta01.exe".
Besides the naming convention common to this threat, there were many other factors that gave this infection away at a glance. First, the use of P2P-style communication via SMTP raised an eyebrow: this particular instance called out to 159 distinct IP addresses.
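The SMTP fan-out described above (one host talking to a large number of distinct port-25 peers) is something a defender can flag from flow or connection logs. The following is an added example, not code from the original post: it parses constructed flow records, counts distinct external TCP/25 peers per internal host, and reports hosts above a threshold. The flow format, the RFC 1918 internal ranges and the sample data are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the original post), one per line as
# "epoch src_ip dst_ip dst_port proto"; 10.0.0.23 shows the SMTP fan-out pattern.
SAMPLE_FLOWS = """\
1338500001 10.0.0.23 198.51.100.10 25 tcp
1338500002 10.0.0.23 198.51.100.11 25 tcp
1338500003 10.0.0.23 203.0.113.5 25 tcp
1338500004 10.0.0.23 203.0.113.6 25 tcp
1338500005 10.0.0.23 192.0.2.77 25 tcp
1338500006 10.0.0.23 192.0.2.78 25 tcp
1338500007 10.0.0.23 192.0.2.78 25 tcp
1338500008 10.0.0.40 192.0.2.1 25 tcp
1338500009 10.0.0.41 198.51.100.200 443 tcp
1338500010 10.0.0.23 10.0.0.9 25 tcp
"""

# Assumed internal ranges (RFC 1918); any other destination counts as a peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, src, dst, dport, proto = fields
        flows.append((src, dst, int(dport), proto.lower()))
    return flows

def smtp_fanout(flows, threshold, allowlist=frozenset()):
    """Map internal hosts to their count of distinct external TCP/25 peers, keeping
    only hosts at or above `threshold`; `allowlist` holds legitimate mail relays."""
    peers = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto != "tcp" or dport != 25:
            continue
        if src in allowlist or not is_internal(src) or is_internal(dst):
            continue
        peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, count in smtp_fanout(parse_flows(SAMPLE_FLOWS), threshold=5).items():
        print(f"{host}: {count} distinct external SMTP peers")
```

A real mail relay will legitimately exceed any such threshold, which is why the allowlist exists; the signal is a workstation behaving like one.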
Figure: Everything you need to monitor packets is created/dropped here.
Figure: References to CBLs from each location will determine what role the victim plays in the botnet.