Kelihos kingpin pleads guilty in US court to notorious botnet

Russian man accused of running Kelihos botnet pleads guilty

In its heyday, Kelihos comprised up to 100,000 compromised devices that were capable of blasting out billions of malware-laden emails every day


A Russian national has pleaded guilty in a US court to operating Kelihos, one of the longest-running and most pernicious botnets that was used, for almost seven years, to send untold numbers of spam emails, pilfer login credentials, and compromise countless computers with banking Trojans, ransomware, and other malicious software.

Peter Levashov, 38, admitted guilt to fraud, conspiracy, computer crime, and identity theft offenses, according to a statement by the US Justice Department.

Kelihos was first discovered in late 2010 and operated until US authorities shut it down nearly seven years later. The takedown operation was announced on April 10, 2017, only a day after Levashov himself was nabbed while vacationing with his family in Spain. The sting operation marked the conclusion of an FBI-led investigation that spanned more than ten years. In February of this year, Spain turned over Levashov to US authorities, while snubbing Russia’s competing extradition request.

Levashov is believed to be a veteran botnet operator who has been behind at least two other massive botnets since the late 1990s. He was charged by US authorities back in 2009 with offenses stemming from operating a precursor to Kelihos called Storm and another closely related spam behemoth called Waledac.

A typical “pharmaceutical website” promoted through spam disseminated by Kelihos

“For over two decades, Peter Levashov operated botnets which enabled him to harvest personal information from infected computers, disseminate spam, and distribute malware used to facilitate multiple scams,” said Assistant Attorney General Benczkowski in the statement this week.

US authorities also allege that Levashov is behind the online handle “Severa”, or “Peter Severa”, which was a major presence on many Russian-language cybercrime forums, especially those where malware, stolen credit cards, and stolen identities were traded. In fact, Levashov is thought to have made the bulk of his income from renting out his botnets to fellow spammers and other cybercriminals. According to court documents, he rented out Kelihos for just $200 to $500 per one million spam messages sent.

The sentencing isn’t due until next September. According to Bloomberg, citing Levashov’s attorney Vadim Glozman, the rather distant date is not because his client is willing to cooperate with the authorities in the hope of leniency. Prosecutors are seeking a jail sentence of 52 years for Levashov.

ESET researchers described some of the characteristics and campaigns wrought by Storm/Kelihos in a paper called “Same botnet, same guys, new code”.
