[Full-disclosure] Securelist.com (Kaspersky) released misleading information about the actual status of the Kelihos botnet
unixfreaxjp22 at gmail.com
Wed Nov 13 06:50:57 GMT 2013
Securelist.com (Kaspersky) released wrong and misleading information
about the current status of the Kelihos botnet:
*1) Securelist.com wrote: "At the moment we're counting about 1000 unique
bots on average per month"*
Below is the CnC volume of the infected Kelihos peer botnet in our actual
monitoring counter, up to today.
Even the per-country infection data stated below exceeds 1,000...
Our online monitoring shows the real facts about the volume...
*2) Because of what "they" claimed they did.. Kelihos is smaller
As you know, the growth described in 1) above is still happening; even NOW we keep
on suspending and sinkholing new domains they use for spreading the payload
(which is encrypted in their job servers and passed to the CnC layer to be sent to peers
for infection upgrade) on a time-to-time basis, with the total now exceeding
800+ domains from August 6th to yesterday.
The current suppression effort is NOT related to the previous shutdown,
from which the botnet itself actually recovered successfully. Kudos for the
hard work of the many IT security people who care and work together in
one coordinated effort all over the globe against this threat.
Nevertheless, even though many people helped and the effort was achieved, the Kelihos botnet
also performed a quick recovery by just releasing the NEW ALIVE domains already
registered at RegTime.NET (a Russian Federation registrar) below; feel free to confirm the
registration dates of these new domains as PoC.
*3) Securelist.com said "Most of the infected clients are located in
We all know that Ukraine, the Russian Federation, Japan, India and Taiwan are the
top infected countries from day one of their recovery…
This strongly suggests that the post on securelist.com does not confirm
the actual situation…
*4) Securelist.com wrote: "Victims have been disinfecting or
reinstalling their PCs over time"*
This is also a PoC that securelist.com, as a security vendor's research entity,
does not update their actual data, and used outdated data and announced it as
recent… the "marketing" value is sensed under the blanket.
New infections are actually popping up with the ALIVE payload, as opposed to
the PCs that were cured/fixed; each peer has more than 10+ payloads to
spread, with a smaller number of payloads existing in the loader part. Well,
apparently securelist.com doesn't know this either.
*For your information.*
Our group, MalwareMustDie, NPO, is obligated to counter
"the statement" posted with these real facts about what is really happening in
the Kelihos botnet, since "the statement" is misleading the entities that are
currently making a hard effort in cleaning up the infection peer by peer all
over the planet.
The current status of the Kelihos infection will be presented in a Short Talk at
BotConf 2013, in Nantes, France, in Dec 2013.
We are on purpose NOT posting / exposing any activities of this operation
beforehand in any web format, because of the intelligence and hard work of the law
enforcement process in Europe and the Russian Federation in its ongoing
process to stop this threat for good.
If a security entity starts to state wrong and misleading information,
which is not based on the current and actual facts, then it is time for all
of us to correct every mistake made with a true counter statement like
On behalf of the good engineers who gather in OP-Kelihos to suppress the
botnet on a daily basis, bound by the promise to keep silent about the OP, we
are reporting this mistake by this full disclosure announcement.
These are the videos containing information on the infection monitoring that
can reveal the evidence of the infection volume, and you can see how
huge the infection actually is now, as listed in the YouTube
video links below:
Kelihos Regional Infection (per country) Online Monitor via
How to View & Download the Archive of Kelihos Infection Monitoring
Kelihos Volume Monitoring Applet - Country base monitoring
Rick of MalwareMustDie / @unixfreaxjp
PGP/MIT.EDU: RSA 2048/0xEC61AB9
MalwareMustDie, NPO Research Group
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie
Full-Disclosure is hosted and sponsored by Secunia.