Botnet Security

Kelihos Relying On CBL Blacklists To Evaluate New Bots

Posted by samzenpus
from the make-your-time dept.
Gunkerty Jeb writes "Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins. According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim's IP address has previously been flagged as a spam source or as a proxy."
  • by gweihir (88907) on Friday August 30, 2013 @05:45AM (#44714737)

    Real-time block lists have been the standard for blocking spam for quite a while. There is nothing new here, just some bot-net developers finally catching up.

    I have to say I am ambivalent about this. On the one hand, it will taint a number of IP addresses (or whole subnets if the RBL provider is stupid, and some are). On the other hand, it will drive home the point that server security is non-optional, which is a good thing.

  • Just send out loads of spam from your PC, or self-nominate your IP as a source of spam to get yourself immunity from the smart bots.
    • Re:Spam is good! (Score:5, Informative)

      by Zocalo (252965) on Friday August 30, 2013 @07:53AM (#44715173) Homepage
      Chances are that the CBL check is just to determine whether the compromised PC is likely to be useful for sending spam or not. If the check comes back with a positive listing, then the PC will simply be used for other things such as launching DDoS attacks, hosting support services and so on. If you want to try and make a PC useless to smart bots, or as near as it can be, in the event of a compromise then robust egress filtering of outbound connections is a far better way to go. As a bonus the logs from your egress filters should also make it much easier to detect when hosts have been compromised so that you can deal with them promptly.
      • In other words: Admins should be restricting all outbound SMTP traffic (port 25) to everything inside the network except the e-mail server itself.

        Need the ability to POP email out? Use an SSL connection. Done!
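    The egress-filtering point Zocalo makes, and the follow-up about limiting outbound port 25 to the mail server, can be turned into a simple detection pass over firewall logs. The script below is an added example for this thread, not code from the page or from any commenter; it assumes netfilter-style LOG lines with SRC=/DST=/PROTO=/DPT= fields, an internal range of 10.0.0.0/8 and a single permitted relay at 10.0.0.25, and the log lines it reads are constructed for the demonstration.

```python
"""Spot internal hosts trying to speak SMTP straight to the Internet.

Added example for the egress-filtering discussion; not code from the page.
Assumptions: netfilter-style LOG lines carrying SRC=/DST=/PROTO=/DPT= fields,
an internal network of 10.0.0.0/8, and one permitted mail relay at 10.0.0.25.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed LAN range
MAIL_RELAY = ip_address("10.0.0.25")       # assumed: the only host allowed outbound SMTP
SMTP_PORTS = {25, 465, 587}                # MX port plus the submission ports a bot might try

# Matches the fields a netfilter LOG rule emits for a TCP packet.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) from one log line, or None if it is not a TCP record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dpt"])


def suspicious_smtp_sources(lines, min_distinct_dsts=3):
    """Map each internal host (other than the relay) that contacted at least
    min_distinct_dsts distinct external SMTP endpoints to that count.

    Fan-out to many remote mail servers is what a spam bot looks like from the
    egress filter; a single stray connection is more likely a misconfigured client.
    """
    dsts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        try:
            src_ip, dst_ip = ip_address(src), ip_address(dst)
        except ValueError:
            continue                      # garbage in the address fields, skip it
        if dport not in SMTP_PORTS:
            continue
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue                      # only LAN -> Internet flows matter here
        if src_ip == MAIL_RELAY:
            continue                      # the relay is supposed to do this
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


def _rec(src, dst, dport, prefix="EGRESS-DROP"):
    """Build one constructed netfilter-style log line for the sample below."""
    return (f"Aug 30 05:45:01 fw kernel: {prefix}: IN=eth1 OUT=eth0 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT={dport} "
            f"WINDOW=29200 RES=0x00 SYN URGP=0")


# Constructed sample: one host fanning out to three MX hosts, plus benign traffic.
SAMPLE_LOG = [
    _rec("10.0.5.17", "203.0.113.10", 25),
    _rec("10.0.5.17", "198.51.100.7", 25),
    _rec("10.0.5.17", "192.0.2.44", 25),
    _rec("10.0.5.17", "192.0.2.44", 25),                    # repeat of the same destination
    _rec("10.0.0.25", "203.0.113.10", 25, "EGRESS-ACCEPT"), # the relay, allowed
    _rec("10.0.5.18", "203.0.113.10", 443, "EGRESS-ACCEPT"),# ordinary HTTPS
    _rec("10.0.5.19", "192.0.2.44", 25),                    # one attempt, below threshold
    _rec("10.0.5.20", "10.0.0.25", 25, "EGRESS-ACCEPT"),    # submitting mail via the relay
    "Aug 30 05:45:02 fw kernel: unrelated message",         # not a packet record
]

if __name__ == "__main__":
    for host, n in suspicious_smtp_sources(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct external SMTP destinations, not the relay")
```

    Counting distinct destinations rather than raw packets is deliberate: a bot delivering spam talks to many MX hosts, while a desktop with a misconfigured mail client retries the same one. Run over real egress-filter logs, a non-empty result is the "something is compromised" signal Zocalo describes.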

  • by dgharmon (2564621) on Friday August 30, 2013 @06:49AM (#44714937) Homepage
    Shouldn't that be Kelihos [virusradar.com], the peer-to-peer Windows botnet ..
  • They're using these blacklist services for exactly what they're intended for: to determine if certain hosts are known to be sources of spam. It's not like they're leaking information they didn't intend to distribute.
    • by Anonymous Coward

      I agree, all this will do is add more IPs to the spam databases, and in my opinion, that's probably a good thing. The only downfall I can see with this is making the virus sleep or attempt to obtain new IP addresses until it's not blacklisted, but I don't see that being a problem in practice either, because residential users shouldn't be sending mail anyways, and businesses should be monitoring their mail servers and firewalls.

  • by Anonymous Coward

    For firewall blocklists AND hosts files users block lists also:

    http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html [blogspot.com]

    * Enjoy!

    APK

    P.S.=> It's a COMPLETE RUNDOWN of what the Kelihos botnet utilizes (and thus, what to blockout @ BOTH the firewall &/or custom hosts file levels for "layered-security"/"defense-in-depth")...

    ... apk

  • I wondered what kind of black listing the Canadian Baseball League was up to.
