lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 13 Nov 2013 15:50:57 +0900
From: アドリアンヘンドリック
 <unixfreaxjp22@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Securelist.com (Kaspersky) released a misleading
 information about Kelihos Botnet actual status

Securelist.com (Kaspersky) released a wrong and mis-leading information
about current status of Kelihos Botnet:
http://www.securelist.com/en/blog/208214147/Sinkholing_the_Hlux_Kelihos_botnet_what_happened

*1) Securelist.com wrote: At the moment we're counting about 1000 unique
bots on average per month*

Below is the CnC volume infected peer botnet of Kelihos in Actual
Monitoring counter, up to today.
Even per Country's infection data stated below is exceeding 1,000...

1231  PL
1710  RO
2398  BY
4051  KZ
4615  TW
6037  IN
9823  JP
18158 RU
52825 UA

Our online monitoring shows the real fact about the volume...

*2) Because of what "they" claimed they did.. the Kelihos is smaller
now….hmm..(?)*

As per you know, the above 1) growth is still happening, even NOW we keep
on suspending, sinkholing new domains their used for spreading payload
(which it is encrypted in their job servers to CnC layer to be sent to peer
for infection upgrade) in time-to-time basis, with total now is exceeded
800+ domains from August 6th to Yesterday.
The effort of current suppressing is NOT related of the previous shutdown
which was actually successfully recovering of the botnet itself. It is
 kudos hard work of many IT security people who cares and work together in
one coordination all over the globe for this threat.
Nevertheless, even many people help and effort was achieved, Kelihos BotNet
also perform a quick recovering by just released NEW ALIVE domains already
in RegTime.NET (Russia FederationRegistrar) below, be free to confirm the
registration date of this new domains as PoC.

EJEXPOC,COM
ABGYCWU,NET
CESGUMU,ORG
QYQANYB,BIZ
GOTOREF,BIZ
TOREMOA,COM

*3) Securelist.com said "Most of the infected clients are located in
Poland"*

We al know that Ukraine, Russia Federation, Japan, India, Taiwan are the
top of infected countries from the day one they recover…
It is strongly suggest that the post in securelist.com is not confirming
the actual situation…

*4) **Securelist.com** wrote: "Victims have been disinfecting or
reinstalling their PCs over time"*

This is also a PoC that securelist.com as security maker's research entity
does not update their actual data and used the outdated and announce it as
recent…the "marketing" value is sensed under the blanket.
New infection are actually popping up with the ALIVE payload.. opposing to
the PC that was cured/fixed, each peers has more than 10+ payloads to
spread with smaller  number of payloads exists in the loader part.. well
apparently secure list.com doesn't know this too.

*Additional:*

*For your information.*

Our group, MalwareMustDie, NPO is obligated to conduct the contra-posting
"the statement" posted with this real fact about what is really happen in
Kelihos botnet since "the statement" is mis-leading the entities that are
currently making hard effort in cleaning up the infection peer by peer all
over the planet.

The current status of Kelihos infection will be presented in Short Talk at
BotConf 2013, in Nantes, France, Dec 2013.

We are in purpose NOT posting / exposing any activities of this operation
beforehand in any web format since the intelligence and hard work of law
enforcement process in Europe and Russia Federation for its on going
process to stop this threat for good.

If security entity starting to state the wrong and misleading information,
which is based not to the current and actual fact, then it is time for all
of us to  correct every mistakes made with the true counter statement like
this.

On behalf of the good engineers that gather in OP-Kelihos to suppress the
botnet in daily basis, bind to the promise to keep silent about the OP, we
are informing this mistake by this full disclosure announcement.

These are the Video contains information of infection in monitoring that
can reveal the evidence of infection volume, and you can see on how hard
huge the infection is actually happen now as per listed in the youtube
video link below:
Kelihos Regional Infection (per country's) Online Monitor via
Web<http://www.youtube.com/watch?v=-LNJsbYK6K8>

How to View & Download the Archive of Kelihos Infection Monitoring
Channel<http://www.youtube.com/watch?v=9uNcT9DwsYw>

Kelihos Volume Monitoring Applet - Country base monitoring
panel<http://www.youtube.com/watch?v=4r2FKMiXhwk>


OP-Kelihos Team

Rick of MalwareMustDie / @unixfreaxjp
PGP/MIT.EDU: RSA 2048/0xEC61AB9
Query: 0xb9ad3d5bec61ab91

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ