Arab Times

US targets ‘botnet’ after Russian held

Source of criminal activity


WASHINGTON, April 11, (Agencies): The US Justice Department said on Monday it had launched an effort to take down the Kelihos botnet, a global network of tens of thousands of infected computers it claims was operated by a Russian national who was arrested in Spain over the weekend.

Peter Yuryevich Levashov operated the Kelihos botnet that infected computers running Microsoft Corp’s Windows operating system since approximately 2010, the Justice Department said.

A criminal case against Levashov by the Justice Department remains under seal, but on Monday the department announced a civil complaint intended to block spam from the botnet.

Russian-state media service RT reported Levashov was taken into custody in Spain over the weekend on a US warrant.

It was not known if Levashov had an attorney. The Russian Embassy in Washington was not immediately available for comment.

Levashov, who has long been considered the likely identity of an online persona known as Peter Severa, spent years listed as among the world’s 10 most prolific computer spammers by Spamhaus, a spam-tracking group.

RT quoted Levashov’s wife as saying he was arrested on charges stemming from the US government’s belief that Russia interfered in last year’s US election to help President Trump win. Russia has denied interfering in the US election.

A Justice Department official, who spoke to reporters on condition of anonymity, said on Monday the current action against the botnet was not related to the election.

The Kelihos botnet has been a source of criminal activity targeting computer users worldwide since at least 2010, the official said.

The botnet at times grew larger than 100,000 simultaneously infected devices to carry out various spam attacks, including pump-and-dump stock schemes, password thefts and injecting various forms of malware, including ransomware, into target devices, the official said. Botnets are often rented out for multiple criminal uses as well.

Victim

In order to liberate the “victim” computers, the United States obtained court orders to take measures to neutralize the Kelihos botnet, including establishing substitute servers and blocking commands sent from the botnet operator, the department said.

Three previous versions of Kelihos had been taken down, but each time it was able to grow back with improvements that made it more resilient.

The biggest problem was that in the most recent iterations, individual infected computers could update each other with new code, so that just taking down the few command servers was insufficient.

Law enforcement got technical help from private security firm CrowdStrike Inc in analyzing the code as it evolved, and analysts there discovered a flaw in the program’s method for distributing lists of other infected machines to contact.

“We were able to take over the propagation of that list, so the malware-infected hosts were not able to get updates” from each other, said Adam Meyers, Vice-President of Intelligence at CrowdStrike.

The Kelihos operation was the first targeting a botnet to use a recent judicial rule change that allows the Federal Bureau of Investigation to obtain a sole search warrant to remotely access computers located in any jurisdiction, potentially even overseas, a Justice Department spokesman said. Previously such warrants could only be used within a judge’s jurisdiction.

Warrant

Such a warrant was used out of an abundance of legal caution, the Justice Department official told reporters, adding that the Kelihos actions were similar to previous ones US authorities have taken to disrupt other botnets.

Victim computers were not infiltrated by the FBI but redirected to a computer controlled by law enforcement, often called a “sinkhole,” to cut off the connection between infected devices and the botnet operator, the official said.

With the Kelihos botnet, authorities say Levashov’s cluster of infected computers targeted Microsoft Windows users and operated undetected. The malware would search files known to contain usernames and passwords and send those back to the network’s mastermind, and would intercept real-time communications.

Authorities said they were able to derail the botnet in part because an infected computer secretly sends requests for further instructions back to the network’s operator. The FBI said it essentially rerouted those requests to an FBI-controlled substitute server and blocked the botnet’s efforts to regain control of the infected computers.

Investigators were able to disrupt the network because of new changes to federal rules that allow a judge to issue one warrant for computers or devices in multiple districts at once. Lawmakers late last year were concerned the rule change would make it too easy for the government to hack into computers during investigations. The Kelihos investigation was similar to past takedowns of botnets and investigators sought such a warrant as a precaution, a Justice Department official said Monday, speaking to reporters on condition of anonymity in order to discuss the ongoing case.

The work in the Kelihos case was a “disruption technique” and not a way for investigators to search the hard drives of personal computers, the official said, adding that investigators’ efforts are showing early signs of success in disrupting the botnet.

Levashov himself couldn’t immediately be reached for comment, and officials did not say whether he had a lawyer.

Vasily Nioradze, a spokesman for the Russian Embassy in Madrid, confirmed the arrest, but wouldn’t say whether Levashov was a programmer. Nioradze wouldn’t comment on reports of a US extradition order. “As it is routine in these cases, we offer consular support to our citizen,” he said.
