US dismantles Kelihos botnet after Russian hacker's arrest

Peter Levashov has been accused of running the Kelihos botnet, according to the U.S.


The arrest last week of a Russian man in Spain was apparently for his role in a massive spam botnet and not related to an ongoing investigation into foreign tampering with last year's U.S. election.

The botnet, called Kelihos, has enslaved hundreds of thousands of computers, and distributed spam and malware to users across the globe. However, the U.S. has taken action to dismantle the illegal operation, the Department of Justice said on Monday.

The arrest of 36-year-old Peter Yuryevich Levashov, the botnet's alleged operator, was at first thought to be related to the ongoing U.S. investigation of presidential election-related hacking, but the DOJ said on Monday that wasn't the case.

It did not, however, reveal the charges against Levashov because the case remains under seal, but it offered reporters documents showing that U.S. investigators had obtained court orders to stop Levashov from controlling his botnet, which he had allegedly run since 2010.

Levashov has been accused of infecting Windows PCs with malware to form a botnet, a network of enslaved computers. Once a PC was enslaved, Levashov turned it into a mail server without the victim's knowledge, the U.S. government claimed.

The Kelihos botnet has been found distributing hundreds of millions of spam emails, many of which were advertising counterfeit drugs, promoting penny stocks and work-at-home scams.

He was also suspected of using his botnet to distribute malware, including ransomware, which holds an infected PC hostage by encrypting the data stored on it until the owner pays a ransom.

Levashov also harvested login credentials from infected PCs. This was done to break into the users' online bank accounts or to sneak into the victims' email accounts and send out more spam. He even helped other cybercriminals distribute malware in exchange for payment, U.S. investigators claim.

In building its case against Levashov, the FBI noticed that one of the botnet's servers was constantly logging into an email account at mail.ru. That account was registered to a "Pete Levashov" and was also associated with an Apple iCloud account under a similar name, according to a court document filed by the FBI.

To dismantle the Kelihos botnet, the U.S. is essentially severing the link between Levashov and the infected computers. It has obtained a court order to redirect internet traffic from Kelihos-infected machines to a dummy server under the investigators' control.

The FBI estimates the Kelihos botnet has between 25,000 and 100,000 computers currently under its control. About 5 to 10 percent reside in the U.S.

However, the steps the U.S. has taken to dismantle Kelihos should disrupt most of the botnet's activities over the next few days, a Department of Justice official said.

Users can run free antivirus tools such as Microsoft Safety Scanner to remove Kelihos-related malware from their PCs. Internet service providers will also be told which IP addresses have been found supporting the botnet's activities.

Although the dismantling should be a major blow to Kelihos, the Justice Department hasn't said if others might have been involved in the botnet's activities.
