Kelihos botnet was first discovered in 2010 and since then it has been taken-down by various entities a number of times, however it has always managed to surfaced back.

Kelihos is a spam-bot which has a very unique hybrid peer-to-peer structure, wherein all the bots communicate with the Command and Control Servers by routing the requests through other nodes in the botnet and they themselves have the capability to function as a Command and Control Server. Under normal circumstances, a botnet is rendered useless by taking down the Command and Control Server, however, Kelihos, mitigates the risks associated with such take-downs due to its inherent design structure.


The root of all Kelihos begins with a spam campaign containing the malware links which trigger the download of a Trojan horse. During its initial days, Kelihos was used for initiating Denial of Service attacks and for sending spams. Later on it also started stealing bitcoins and bitcoin mining. The later versions of Kelihos propagated through Social Networking Sites viz. Facebook.

For the success of any Trojan / Exploit Kit / Botnet, it is imperative for the creators to provide regular updates to their Malware, so as to ensure that they stay ahead of their competitors and the security researchers.

Similar to Ransomware, Malware viz. info stealers, bots, Trojans have a very huge market in the Darkweb and the competition is very tough, since the objective is to ensure that

Resiliance – should be able to overcome the take-down and detection by various Security Products.

Should be better than their competitors viz. the features and the pricing.

Malwares, be it of any category, are taken-down on regular basis so as to either render it non-functional or to put an end to an on-going campaign. However, it is very rare when the creators / authors of these malwares are apprehended. Way back in December 2013, Paunch – the creator of the infamous Black-Hole Exploit Kit (BHEK) was arrested, which resulted in ensuring that BHEK will never get updated with the latest vulnerabilities.

A couple of days back, the creator of Kelihos, who incidentally is a Russian National, was arrested in Spain and Court Proceedings were initiated against him in the US Courts. The US Government also initiated a take-down of the botnet, which requires the authorities to implement peer-poisoning so as to effectively pull down the entire botnet.

When we take a look at the history, it has been observed that a take-down is successful only after the arrest of the creator. And as of this moment we too expect the same with Kelihos. However, the entire process of arresting the creator is fraught with cross-border legalities, since the jurisdiction of the crime is diversified and the perpetrator might be residing in a different country. In these scenarios, the Law Enforcement Agencies have a crucial role to play since; they have to interact with their counter-parts who are governed by different set of Laws.

For ages, since the advent of Internet and the subsequent rise of cyber-crime, every country has adopted Cyber-Laws in some form or the other and these Laws are applicable for their respective states. However, when cases are International in nature, the only factor which plays an important role in apprehending the perpetrators is the relationship between the two countries vis-à-vis the treaties related to tackling such cases.

Criminals are well aware of these facts and have always tried maintaining their anonymity and most of the times try to operate from countries from where the victim countries would find it impossible to conduct any tangible action.

As most of the cross-border arrests of High Profile Cyber-Criminals have been done by US and many a times, US Law Enforcement has lured the perpetrators to fall into their traps. However, when the perpetrators are state-sponsored then there is nothing that anyone can do.

As long as, borders exist, cyber-criminals would reap huge benefits.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: