A joint announcement from the FBI, the Department of Justice Criminal Division, and the FBI Anchorage Criminal Division released information on an extensive operation to disrupt the Kelihos botnet. Additionally, they announced that the US government will continue to share samples of the Kelihos malware with the internet security community. The goal in doing so is to keep antivirus software up-to-date with respect to current malware. “Many paid and free programs” already possess the capability to catch Kelihos activity, the announcement said.
The release pointed to the Microsoft Safety Scanner as one of the few free antivirus programs capable of detecting the malware. This comes at a fitting moment, given that the malware targets vulnerable Windows machines. Other suspected connections to Windows once existed but have since vanished, thanks to the release of various court documents.
According to Acting Assistant Attorney General Blanco, Kelihos sent out hundreds of millions of fraudulent emails, “intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks.” He continued by explaining how great a threat Kelihos posed to general infrastructure: “The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives.”
On April 8, 2017, the FBI started blocking domains associated with the botnet. FBI Special Agent in Charge Marlin Ritzman of the Anchorage Division said that blocking those domains was the first step in successfully combating the malware and protecting the American people.
Although this announcement and the related operation referred to US residents alone, authorities recognized that the botnet posed an international threat as well. “Cybercrime is a worldwide problem, but one that infects its victims directly through the computers and personal electronic devices that we use every day,” Acting U.S. Attorney Bryan Schroder for the District of Alaska announced.
Peter Yuryevich Levashov, according to the Criminal Complaint, had operated the botnet since 2010. The documentation alleged that Levashov intercepted network traffic and then harvested user credentials from that traffic. He then—again, according to the Criminal Complaint—advertised his so-called “spamming operation on various online criminal forums.”
The main complaint against the botnet and therefore Levashov, in the announcement, was that it “generated and distributed enormous volumes of unsolicited spam e-mails advertising counterfeit drugs, deceptively promoting stocks in order to fraudulently increase their price, work-at-home scams, and other frauds.” Levashov did, of course, steal banking credentials too.
Rule 41 was mentioned in the release: the warrant used to disrupt the botnet was obtained under the recently amended Rule 41, the announcement detailed. The warrant allows law enforcement to intercept and reroute network activity from infected machines.
The rerouted internet traffic provided law enforcement with the IP addresses of machines connecting to the botnet. They then passed those IP addresses on to internet service providers. This rule came under heavy scrutiny at the peak of some of the PlayPen cases: had the amended Rule 41 been in effect at the time, the FBI’s illegal hacking in those cases would not have been illegal.
Per the release:
“Law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure. […] The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server. This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.”
(Emphasis added by the author to reflect the immediately relevant portion.)
The federal government released court documents, including the Criminal Complaint and the warrant application. Several elements of the documents were redacted in part. Still, this is one of the few Rule 41 warrants at this scale that the government has publicized.