
Win32/Kelihos


First posted on 28 September 2011.
Source: SecurityHome

Aliases :

There are no other names known for Win32/Kelihos.

Explanation :

Win32/Kelihos is a trojan family that distributes spam email messages. The spam messages could contain hyperlinks to installers of Win32/Kelihos malware. The malware may communicate with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.





Installation

When run, Win32/Kelihos creates a named section object (a shared memory object) called "GoogleImpl" so that only one instance of the trojan executes at a time. It also modifies the registry so that Win32/Kelihos runs at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "SmartIndex"
With data: "<path and file name of Win32/Kelihos trojan>"

Some variants may also install WinPcap, a legitimate and commonly used Windows packet capture library, as the following files:

  • <system folder>\packet.dll
  • <system folder>\wpcap.dll
  • <system folder>\drivers\npf.sys


These files are not malicious in themselves, but Kelihos uses them to capture the affected computer's network traffic.
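A host-triage check for the persistence and WinPcap indicators described in this section, as an added example (not Microsoft's analysis code and not the malware's). It parses a "reg export" text dump of the Run key and a listing of the system folder rather than touching a live registry, so it runs anywhere the artifacts were collected. The key path, the value name "SmartIndex" and the three WinPcap file names come from the analysis above; the sample registry dump, the file listing and the path "smartindex.exe" are constructed. The "GoogleImpl" section object is not checked here, since enumerating named kernel objects needs a live host.

```python
"""Host-triage check for the Win32/Kelihos persistence indicators listed above.
Added example; it works on collected artifacts (a 'reg export' text dump and a
system-folder listing) so it runs offline. Sample data below is constructed."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SmartIndex"                                         # value name from the analysis
WINPCAP_FILES = {"packet.dll", "wpcap.dll", r"drivers\npf.sys"}  # relative to the system folder

def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="data" lines.
    Returns {key: {value_name: data}}; non-string data (hex:, dword:) is kept raw."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg string data escapes backslashes and double quotes
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            result[current][name] = data
    return result

def find_run_persistence(reg_export_text, value_name=RUN_VALUE):
    """Return the data of the suspicious Run value, or None. Registry key and value
    names are case-insensitive, so compare them that way."""
    for key, values in parse_reg_export(reg_export_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == value_name.lower():
                return data
    return None

def find_winpcap_files(system_folder_listing):
    """Return which WinPcap files are present in a listing of paths relative to the
    system folder. WinPcap is legitimate software; on its own this is only context
    for a Run-key hit, not evidence of infection."""
    present = {p.strip().lower().replace("/", "\\") for p in system_folder_listing}
    return sorted(f for f in WINPCAP_FILES if f.lower() in present)

def triage(reg_export_text, system_folder_listing):
    """Combine the two indicators into a verdict plus the supporting evidence."""
    run_data = find_run_persistence(reg_export_text)
    pcap = find_winpcap_files(system_folder_listing)
    if run_data and pcap:
        verdict = "Kelihos persistence value present and WinPcap installed; inspect the referenced binary"
    elif run_data:
        verdict = "Kelihos persistence value present; inspect the referenced binary"
    elif pcap:
        verdict = "WinPcap present; benign unless unexpected on this host"
    else:
        verdict = "no Kelihos persistence indicators"
    return {"verdict": verdict, "run_value": run_data, "winpcap_files": pcap}

# Constructed sample artifacts (not from a real infection; the dropped file name is made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
"SmartIndex"="C:\\Users\\alice\\AppData\\Local\\Temp\\smartindex.exe"
'''
SAMPLE_SYSTEM32 = ["kernel32.dll", "packet.dll", "wpcap.dll", "drivers\\npf.sys", "drivers\\tcpip.sys"]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_SYSTEM32))
```

The value name alone is a weak indicator (a later variant can change it), which is why the verdict always points at the binary the Run value references: hash it and check its signature before acting. Collect the dump with "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg" and the listing with a recursive directory listing of the system folder.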



Payload

Communicates with a remote host
Win32/Kelihos exchanges encrypted messages with a remote server over HTTP (TCP port 80), blending in with ordinary web traffic to evade detection by security software and other filters. Some variants set the HTTP User-Agent header to one of the following strings when communicating with the remote host:

  • Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre
  • Mozilla/5.0 (X11; U; Linux x86_64; cy; rv:1.9.1b3) Gecko/20090327 Fedora/3.1-0.11.beta3.fc11 Firefox/3.1b3
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
  • Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6 ; nl; rv:1.9) Gecko/2008051206 Firefox/3.0
  • Mozilla/5.0 (Windows; U; Windows NT 6.1; es-AR; rv:1.9) Gecko/2008051206 Firefox/3.0
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
  • Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-HK; rv:1.8.1.7) Gecko Firefox/2.0
  • Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0
  • Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
  • Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
  • Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
  • Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
  • Mozilla/5.0 (X11; I; SunOS sun4u; en-GB; rv:1.7.8) Gecko/20050713 Firefox/1.0.4
  • Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.5) Gecko/20041222 Firefox/1.0 (Debian package 1.0-4)
  • Mozilla/5.0 (Windows; U; Win 9x 4.90; rv:1.7) Gecko/20041103 Firefox/0.9.3
  • Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; Tablet PC 2.0; OfficeLiveConnector.1.3; OfficeLivePatch.1.3; MS-RTC LM 8; InfoPath.3)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  • Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
  • Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
  • Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)
  • Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)
  • Microsoft Internet Explorer/1.0 (Windows 95)


Data received from the remote server is interpreted by Win32/Kelihos and could contain instructions for the malware to perform any number of actions, including but not limited to the following:

  • Update a list of possibly compromised computers that the malware communicates and exchanges information with
  • Send spam email messages
  • Capture sensitive information
  • Send notifications or reports
  • Download and execute arbitrary files


Sends spam
Win32/Kelihos uses SMTP to send spam email messages that are constructed from templates and other data received from a remote server. The subject, body and other contents of the spam vary and can be updated at any time, and more than one spam campaign may be running at the same time. Win32/Kelihos may also harvest email addresses from the affected computer's local drives by searching within files; it skips files with certain extensions, including the following:

  • .7z
  • .avi
  • .bmp
  • .class
  • .dll
  • .exe
  • .gif
  • .gz
  • .hxd
  • .hxh
  • .hxn
  • .hxw
  • .jar
  • .jpeg
  • .jpg
  • .mov
  • .mp3
  • .msi
  • .ocx
  • .ogg
  • .png
  • .rar
  • .vob
  • .wav
  • .wave
  • .wma
  • .wmv
  • .zip


The harvested email addresses are used as potential recipients for spam email messages distributed by Win32/Kelihos.

Captures sensitive information
Variants of Win32/Kelihos may use WinPcap to monitor network traffic and capture information such as login credentials from FTP, POP3 and SMTP traffic. In addition, Kelihos checks for the presence of the following applications on the affected computer and attempts to steal login credentials, digital currency and other information from them:

  • 32-bit FTP
  • Bitcoin
  • BitKinex
  • Bullet Proof FTP
  • BulletProof FTP Client
  • Classic FTP
  • Core FTP
  • CoreFTP
  • CuteFTP
  • Directory Opus
  • FAR Manager
  • FFFTP
  • FTP Commander
  • FTP Commander Deluxe
  • FTP Commander Pro
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTPRush
  • FileZilla
  • FlashFXP
  • Fling
  • Fling FTP
  • Frigate3
  • Frigate3 FTP
  • LeapFTP
  • NetDrive
  • SecureFX
  • SmartFTP
  • SoftX FTP Client
  • Sota FFFTP
  • Total Commander
  • TurboFTP
  • UltraFXP
  • WS_FTP
  • WebDrive
  • WebSitePublisher
  • WinSCP
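The exposure behind the WinPcap sniffing described in this section, as an added example (not the malware's code and not part of the original analysis): FTP, POP3 and SMTP authenticate in cleartext unless TLS is used, so a passive sniffer on the host reads the credentials straight out of the stream. The parser below walks a reassembled session transcript (lines prefixed "C: " for client and "S: " for server) and returns what such a sniffer would recover; it also shows the limit of that exposure, stopping at a successful STARTTLS because everything after it is encrypted. The session transcripts are constructed. The same code doubles as an audit check to run over your own captures for logins that still travel in the clear.

```python
"""What a passive sniffer recovers from cleartext FTP/POP3/SMTP logins (added example).
Input is a reassembled transcript: 'C: ' lines from the client, 'S: ' lines from the
server. Sample sessions below are constructed."""
import base64

def _b64(s):
    """Decode one base64 token as UTF-8, or return None if it is not valid base64."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None

def exposed_credentials(session_lines):
    """Return [(mechanism, user, password), ...] visible in cleartext.
    Handles FTP/POP3 USER+PASS, SMTP AUTH PLAIN and SMTP AUTH LOGIN, and stops at a
    successful STARTTLS (server 220 after the client's STARTTLS), since the rest is TLS."""
    found = []
    user = None
    login_state = None      # None, "user" or "pass": position in an AUTH LOGIN exchange
    tls_pending = False     # client sent STARTTLS, waiting for the server's answer
    for raw in session_lines:
        if len(raw) < 3 or raw[1:3] != ": ":
            continue
        side, line = raw[0], raw[3:].rstrip("\r\n")
        if side == "S":
            if tls_pending and line.startswith("220"):
                break       # TLS handshake follows; nothing further is readable
            tls_pending = False   # e.g. 454 "TLS not available": session stays cleartext
            continue
        upper = line.upper()
        if login_state == "user":
            user, login_state = _b64(line), "pass"
            continue
        if login_state == "pass":
            password, login_state = _b64(line), None
            if user is not None and password is not None:
                found.append(("smtp-auth-login", user, password))
            continue
        if upper == "STARTTLS":
            tls_pending = True
        elif upper.startswith("USER "):
            user = line[5:]
        elif upper.startswith("PASS "):
            if user is not None:
                found.append(("user-pass", user, line[5:]))
        elif upper.startswith("AUTH PLAIN "):
            decoded = _b64(line[11:])       # "AUTH PLAIN " is 11 characters
            if decoded is not None and decoded.count("\0") == 2:
                _authzid, u, p = decoded.split("\0")
                found.append(("smtp-auth-plain", u, p))
        elif upper == "AUTH LOGIN":
            login_state = "user"
    return found

# Constructed sample sessions (hosts, users and passwords are made up).
FTP_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Logged in",
]
SMTP_PLAIN_SESSION = [
    "S: 220 mail.example.test ESMTP",
    "C: EHLO laptop",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN " + base64.b64encode(b"\0bob\0secret").decode(),
    "S: 235 Authentication successful",
]
SMTP_LOGIN_SESSION = [
    "C: AUTH LOGIN",
    "S: 334 " + base64.b64encode(b"Username:").decode(),
    "C: " + base64.b64encode(b"carol").decode(),
    "S: 334 " + base64.b64encode(b"Password:").decode(),
    "C: " + base64.b64encode(b"p@ss").decode(),
    "S: 235 ok",
]
STARTTLS_SESSION = [
    "C: EHLO laptop",
    "S: 250-STARTTLS",
    "C: STARTTLS",
    "S: 220 Go ahead",
    "C: AUTH PLAIN " + base64.b64encode(b"\0dave\0hidden").decode(),   # really TLS bytes; not visible
]

if __name__ == "__main__":
    for name, session in [("ftp", FTP_SESSION), ("smtp plain", SMTP_PLAIN_SESSION),
                          ("smtp login", SMTP_LOGIN_SESSION), ("starttls", STARTTLS_SESSION)]:
        print(name, exposed_credentials(session))
```

The point for defenders is the last case: against a sniffer running with driver-level access on the same host, the only mitigation for these protocols is to never send the password in the clear at all (FTPS or SFTP, POP3S or POP3 with STLS, SMTP submission with STARTTLS or implicit TLS). Saved-credential theft from the clients listed above is a separate path and is not addressed by transport encryption.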




Analysis by Gilou Tenebro

Last update 28 September 2011

 
