FYI...Spambot Kelihos update
Dec 10, 2012 - "... a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012. Various security researchers believe that Kelihos
(also known Hlux) is the replacement of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009...Infecting removable drives
: ... Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10...Switching from .eu to .ru
: Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from TLD .eu to TLD .ru...The rise of Kelihos
: If we take a look at the global spam statistics today, the Kelihos gang has managed to get one of the biggest spam botnets world wide with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day. But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down since it is using double FastFlux for their malware distribution domains and rely on P2P techniques for botnet communication. So there is no central botnet infrastructure. By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate
So what can a network administrator do to mitigate this threat?
• Since Kelihos is using port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPs traffic that tries to go through the proxy gets blocked, and alerted on)
• Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
• Use port security on your devices to limit the usage of removable drives and prevent Kelihos from spreading through USB sticks etc
• Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
• Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS PRZ* ..."