DoJ Takes Action to Dismantle Kelihos Botnet

April 11, 2017

The Justice Department has made an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software.

Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division, Acting U.S. Attorney Bryan Schroder for the District of Alaska, Assistant Director Scott Smith for the FBI’s Cyber Division and FBI Special Agent in Charge Marlin Ritzman of the Anchorage Division made the announcement.

“The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks. The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Blanco. “Our success in disrupting the Kelihos botnet was the result of strong cooperation between private industry experts and law enforcement, and the use of innovative legal and technical tactics. The Department of Justice is committed to combatting cybercrime, no matter the size or sophistication of the scheme, and to punish those who are engaged in such crimes.”

“Cybercrime is a worldwide problem, but one that infects its victims directly through the computers and personal electronic devices that we use every day,” said Acting U.S. Attorney Bryan Schroder for the District of Alaska. “Protecting the American people from such a worldwide threat requires a broad-reaching response, and the dismantling of the Kelihos botnet was such an operation. We are lucky that we have talented FBI agents and federal prosecutors with the skillsets to help protect Americans from this pervasive cybercrime.”

“On April 8, 2017, we started the extraordinary task of blocking malicious domains associated with the Khelios botnet to prohibit further infections,” said FBI Special Agent in Charge Ritzman. “This case demonstrates the FBI’s commitment to finding and eradicating cyber threats no matter where they are in the world.”

Kelihos malware targeted computers running the Microsoft Windows operating system. Infected computers became part of a network of compromised computers known as a botnet and were controlled remotely through a decentralized command and control system. According to the civil complaint, Peter Yuryevich Levashov allegedly operated the Kelihos botnet since approximately 2010. The Kelihos malware harvested user credentials by searching infected computers for usernames and passwords and by intercepting network traffic. Levashov allegedly used the information gained from this credential harvesting operation to further his illegal spamming operation which he advertised on various online criminal forums. The Kelihos botnet generated and distributed enormous volumes of unsolicited spam e-mails advertising counterfeit drugs, deceptively promoting stocks in order to fraudulently increase their price (so-called “pump-and-dump” stock fraud schemes), work-at-home scams, and other frauds. Kelihos was also responsible for directly installing additional malware onto victims’ computers, including ransomware and malware that intercepts users’ bank account passwords.

As with other botnets, Kelihos is designed to operate automatically and undetected on victims’ computers, with the malicious code secretly sending requests for instructions to the botnet operator. In order to liberate the victim computers from the botnet, the United States obtained civil and criminal court orders in the District of Alaska. These orders authorized measures to neutralize the Kelihos botnet by (1) establishing substitute servers that receive the automated requests for instructions so that infected computers no longer communicate with the criminal operator and (2) blocking any commands sent from the criminal operator attempting to regain control of the infected computers.

In seeking authorization to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure. A copy of this warrant along with the other court orders are produced below. The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server. This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.

The efforts to disrupt and dismantle the Kelihos botnet were led by the FBI’s Anchorage Office and New Haven Office; Senior Counsel Ethan Arenson and Harold Chun, and Trial Attorney Frank Lin of the Computer Crime and Intellectual Property Section; and Assistant U.S. Attorneys Yvonne Lamoureux and Adam Alexander of the District of Alaska. Critical assistance was also provided by foreign partners, and invaluable technical assistance was provided by Crowd Strike and The Shadow server Foundation in executing this operation.

The details contained in the civil complaint and related pleadings are merely accusations, and the defendant is presumed innocent unless and until proven guilty.

The Government has and will continue to share samples of the Kelihos malware with the internet security community so that antivirus vendors can update their programs to detect and remove Kelihos. A number of free and paid antivirus programs are already capable of detecting and removing Kelihos, including the Microsoft Safety Scanner(link is external), a free product.