We could say much more about the Kelihos botnet. For example, the code seems to be derived and recycled from or other malicious code close to Waledac variants. We have detected some evidence of Infostealer activities targeting well-known FTP clients, the presence of a routine that acts like a Bitcoin wallet stealer, and a list of suspicious User Agents used by the bot to contact its command and control and other peers machines. Anyway, the most important thing derived from this analysis is that we have retrieved the entire list of the command and control systems.
Carl Leonard is Senior Security Research Manager (EMEA), Websense Security Labs.
Sign up for MIS Asia eNewsletters.