Slashdot: News for Nerds


Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Kelihos Relying On CBL Blacklists To Evaluate New Bots

samzenpus posted about a year ago | from the make-your-time dept.

Botnet 23

Gunkerty Jeb writes "Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins. According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim's IP address has previously been flagged as a spam source or as a proxy."

cancel ×


Even bot-writers have to get modern eventually (5, Insightful)

gweihir (88907) | about a year ago | (#44714737)

Real-time block lists have been the standard for blocking spam for quite a while. There is nothing new here, just some bot-net developers finally catching up.

I have to say I am ambivalent about this. On the one hand, it will taint a number of IP addresses (or whole subnets if the RBL provider is stupid, and some are). On the other hand, it will drive home the point that server security is non-optional, which is a good thing.

Spam is good! (2)

Greg Allen (3008951) | about a year ago | (#44714855)

Just send out loads of spam from your PC, or self-nominate your IP as a source of spam to get yourself immunity from the smart bots.

Re:Spam is good! (4, Informative)

Zocalo (252965) | about 10 months ago | (#44715173)

Chances are that the CBL check is just to determine whether the compromised PC is likely to be useful for sending spam or not. If the check comes back with a positive listing, then the PC will simply be used for other things such as launching DDoS attacks, hosting support services and so on. If you want to try and make a PC useless to smart bots, or as near as it can be, in the event of a compromise then robust egress filtering of outbound connections is a far better way to go. As a bonus the logs from your egress filters should also make it much easier to detect when hosts have been compromised so that you can deal with them promptly.

Re: Spam is good! (1)

DigiShaman (671371) | about a year ago | (#44724259)

In other words: Admins should be restricting all outbound SMTP traffic (port 25) to everything inside the network except the e-mail server itself.

Need the ability to POP email out?Use an SSL connection. Done!

What is Google ? Something different ? (-1, Troll)

wakely (3035355) | about a year ago | (#44714913)

Stealing Bitcoins and pushing spam. Bah, what is Google [] about ? Stealing data and pushing their spam on first position.

Re:What is Google ? Something different ? (1, Insightful)

dreamchaser (49529) | about 10 months ago | (#44715025)

Stealing Bitcoins and pushing spam. Bah, what is Google [] about ? Stealing data and pushing their spam on first position.

Google doesn't 'steal' anything. They make it perfectly clear what their privacy policy is. They also don't push spam. They're an advertising company. They give people free services. Those people who choose to use those services are agreeing to their terms.

Re:What is Google ? Something different ? (0)

mythix (2589549) | about 10 months ago | (#44715055)

If I send an email to a gmail account, from a non gmail account, I did not agree to anything. Still they scan my message, and probably keep, use or sell the info they harvested.

Re:What is Google ? Something different ? (2)

kqs (1038910) | about 10 months ago | (#44715123)

If I send a letter through the Postal Service to my friend Alex, then Alex can show the letter to other people, or even have a service open the letter to sort it and to throw away circulars and junk mail. OH NOES ALEX IS INFRINGING MY RIGHTS. And according to you, so are anti-spam systems.

Also, do you have any proof that Google sells information about anyone, or are you just confused and ranting?

Re:What is Google ? Something different ? (3, Insightful)

Overzeetop (214511) | about 10 months ago | (#44715133)

Trust requires two people. If you don't trust the party on the other end, you shouldn't be sending them email. It's not the only way to communicate.

Re:What is Google ? Something different ? (1)

bmo (77928) | about 10 months ago | (#44716603)

Then blacklist gmail from your outgoing mail.

Wow, that was difficult.

But where does it end? Do you read the privacy policies of all your recipients' hosts? How many hours are in your day? Do you include that useless-as-tits-on-a-bull "this is proprietary information blah blah blah" legal "disclaimer" on the bottom of your email?

Where does your insanity end?


Kelihos, the peer-to-peer botnet (3)

dgharmon (2564621) | about a year ago | (#44714937)

Shouldn't that be Kelihos [] , the peer-to-peer Windows botnet ..

So what? (1)

horm (2802801) | about a year ago | (#44714965)

They're using these blacklist services for exactly what they're intended for: to determine if certain hosts are known to be sources of spam. It's not like they're leaking information they didn't intend to distribute.

Re:So what? (1)

Anonymous Coward | about 10 months ago | (#44715081)

I agree, all this will do is add more IPs to the spam databases, and in my opinion, that's probably a good thing. The only downfall I can see with this is making the virus sleep or attempt to obtain new IP addresses until its not blacklisted, but I don't see that being a problem in practice either, because residential users shouldn't be sending mail anyways, and businesses should be monitoring their mail servers and firewalls.

re : Christina lauras (-1)

Anonymous Coward | about a year ago | (#44714977)

I have to say I am ambivalent about this. On the one hand, it will taint a number of IP addresses (or whole subnets if the RBL provider is stupid, and some are). On the other hand, it will drive home the point that server security is non-optional, which is a good thing.
__ []

Blocklists @ BOTH IP & host-domain levels (1, Informative)

Anonymous Coward | about 10 months ago | (#44715063)

For firewall blocklists AND hosts files users block lists also: []

* Enjoy!


P.S.=> It's a COMPLETE RUNDOWN of what the Kelihos botnet utilizes (and thus, what to blockout @ BOTH the firewall &/or custom hosts file levels for "layered-security"/"defense-in-depth")...

... apk

How's my post off-topic/Why downmod? (-1)

Anonymous Coward | about 10 months ago | (#44716055)

Whoever downmodded my post = fool: It's meant for YOUR use in protecting yourselves & others!

* To the downmodder - How STUPID could you be?

(OR, are you the botnet master of Kelihos *trying* to "hide" information that can screw you up?)

Take your pick, on that note...


To admins here:

Blocking me from replying afterwards as well, when I've only made 1 post today? Please - wtf is THAT about also??

Clue/New NEWS/NewsFlash: I was *trying* to be helpful, for Pete's sake!


In closing, all I can say, is this (& I'm not doing the saying of it):

"Someone asked him 'why', & he said 'The people that are trying to make this world worse are not taking a day off: How can I?" - Dr. Robert Neville, I AM LEGEND.

(Get THAT through you heads...)


P.S.=> Lastly (as to my posts' content): It's also FAR from "off-topic" since that page lists Kelihos ENTIRE C&C structure, bogus DNS servers, & more!

(To blockout for protection in BOTH firewalls rules tables &/or custom hosts files in "layered-security"/"defense-in-depth" fashion - especially since this thing puts in firewall rules of its own!)

... apk

Re:How's my post off-topic/Why downmod? (0)

Anonymous Coward | about 10 months ago | (#44719927)

1. Go look up "persona non grata", which is what you've made yourself here, thanks to the flood of long-winded missives about hosts files and your crappy host files app that you've polluted countless ./ discussions with.

2. Go die in a fire.

Funny how I ended up + 1 Informative then (0)

Anonymous Coward | about a year ago | (#44723019)

You're welcome to disprove what I state my program does here:


APK Hosts File Engine 9.0++ 32/64-bit: []


* In the enumerated list of 17 points there where they extoll how custom hosts files gain users of them better added speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious hosts-domains serving mal-content + block spam/phish links), reliability (vs. downed DNS or vs. Kaminsky vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's)


P.S.=> You failed in your downmod, & you'll FAIL @ disproving those facts as well (despite your attempt @ applying unjustifiable downmods to my posts)...apk

Re:How's my post off-topic/Why downmod? (0)

Anonymous Coward | about a year ago | (#44723175)

If apk's program = crappy, then prove how it is here [] where you're given a fair challenge to disprove his points on the value of custom hosts files then.

Funniest part's I didn't note my app (0)

Anonymous Coward | about a year ago | (#44723685)

Even funnier was my being modded up in my 1st post in the end to "+1 Informative" -> [] in the end.

Despite the troll moron's UNJUSTIFIABLE downmod he applied using his registered 'luser' account, & then trolling by AC!

(It's a KNOWN big weakness of /.'s foruns (along with being able to create 100's of 'sockpuppet' fake registered luser accounts for upmodding themselves & downmodding others they don't like - which the troll you replied to probably does also, "HBGary/Chinese Water Army" style))!

So, in the end?

You're right: Thus, Troll can NOW disprove what I do state my custom hosts file program yields, as I challenged that TRULY cowardly ac troll to do here -> []

(Which he WON'T be able to do - As 100's like him have tried, not a SINGLE ONE has been successful! Not even ONCE...)


P.S.=> Yes, folks: It's NOT EASY being "world-class" like myself creating useful programs that've done well for decades++ in the freeware/shareware world (ontop of enterprise-class/mission crtical data systems & commercial wares on my end professionally also), & By STOMPING trolls, with facts/truth (hence his "geek angst" ridden reply he can't 'backup his b.s.' with vs. my simple challenge to him above), lol... apk

Re:How's my post off-topic/Why downmod? (0)

Anonymous Coward | about a year ago | (#44725637)

/.ers post redundant advertiser owned crippled by default addons in Adblock, Ghostery, RequestPolicy, SpamAssasin etc. by comparison to hosts files that do more for less. So apk can post what he likes too if they can. You don't own this site troll, get over it. Use your time wisely helping others as apk has instead, or is that beyond your limited intellect, abilities\means? Obviously it is and all you can do is troll by anonymous coward posts and apply bad downmods rather than be constructive. Sucks to be you.

50++ /.'ers disagree with you troll (0)

Anonymous Coward | about a year ago | (#44843229) [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] []

* :)

(Opinions CLEARLY vary (vs. yours, troll...)).


P.S.=> You FAIL, outnumbered by 50++ of your /. peers & out-thought by myself (with proof above & I can produce a 100 more easily)... apk

composite blocking lists (1)

Livius (318358) | about 10 months ago | (#44719753)

I wondered what kind of black listing the Canadian Baseball League was up to.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account