End of An Era As Kelihos Botnet Operator Jailed
A Russian man pleaded guilty this week to running Kelihos, a botnet that for years helped facilitate a lengthy spam and credential-harvesting campaign.
A 38-year-old Russian man whom the Department of Justice alleges has been responsible for running botnets since the late 1990s pleaded guilty this week to several crimes related to operating the notorious Kelihos botnet, a network that was responsible for huge amounts of spam and ransomware over the last few years.
The plea is the end of a long road for both the botnet and Peter Levashov, the man accused of creating and running Kelihos and many other botnets. Kelihos first appeared back in 2010 and quickly gained notice for the volume of spam and malware it was spreading. Although it wasn’t huge in terms of the number of infected machines--usually in the tens of thousands--Kelihos caught the attention of security researchers and investigators because it was similar to a couple of existing botnets, Storm and Waledac. Both of those networks had been in operation for a few years at the time, and the Kelihos code was pretty similar to what they used.
But Kelihos was clearly a separate botnet and within a few months it became a major problem. Within a year of the botnet’s emergence, Microsoft officials executed a takedown of the network, taking over the C2 servers and filing civil charges against a group of individuals, many of whom were unnamed at the time. The takedown worked, but only for a while. New versions of Kelihos emerged a few more times, with researchers from Microsoft and Kaspersky Lab working to knock the botnet down again each time.
Mirai IoT Botnet Co-Authors Plead Guilty
Kelihos eventually faded from the headlines, but investigators continued to track the botnet’s activities as well as those of its operator. Eventually, in April 2017, law enforcement officials in Spain arrested Levashov and he was indicted in the United States a couple weeks later on charges connected to running Kelihos. U.S. officials also alleged that Levashov was responsible for operating the Waledac and Storm botnets and had been active in botnet circles for nearly 20 years.
“Mr. Levashov used the Kelihos botnet to distribute thousands of spam e-mails, harvest login credentials, and install malicious software on computers around the world,” said U.S. Attorney John H. Durham of the District of Connecticut.
“He also participated in online forums on which stolen identities, credit card information and cybercrime tools were traded and sold. For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users.”
Kelihos, along with Waledac and Storm, operated at a time that was something of a golden age for botnets. Although botnets have been around since the early days of the public web, they really took off as tools for cybercriminals beginning in the mid-2000s. The availability of cheap broadband connections for consumers coupled with the emergence of high-quality malware for sale created a simple way for cybercriminals to build large networks of infected machines that could be used for whatever they chose. In a lot of cases, that meant distributing spam, running DDoS attacks for hire, or stealing sensitive information from compromised machines.
But by the end of the decade, law enforcement, security researchers, and large vendors began taking aim at botnets and were successful in taking many of them down. Many cybercriminals moved on to other pursuits--malicious cryptomining, mobile payment fraud, etc. Botnets are still out there and still causing damage, but Levashov’s guilty plea and eventual sentencing serve as a reminder of a time when they ruled the web.