(Adds comment from CrowdStrike, technical details)
By Dustin Volz and Joseph Menn
WASHINGTON, April 10 - The U.S. Justice Department said on Monday it had launched an effort to take down the Kelihos botnet, a global network of tens of thousands of infected computers it claims was operated by a Russian national who was arrested in Spain over the weekend.
Peter Yuryevich Levashov operated the Kelihos botnet, which has infected computers running Microsoft Corp's Windows operating system since approximately 2010, the Justice Department said.
A criminal case against Levashov by the Justice Department remains under seal, but on Monday the department announced a civil complaint intended to block spam from the botnet.
Russian state media service RT reported Levashov was taken into custody in Spain over the weekend on a U.S. warrant.
It was not known if Levashov had an attorney. The Russian Embassy in Washington was not immediately available for comment.
Levashov, who has long been considered the likely identity of an online persona known as Peter Severa, spent years listed among the world's 10 most prolific computer spammers by Spamhaus, a spam-tracking group.
RT quoted Levashov's wife as saying he was arrested on charges stemming from the U.S. government's belief that Russia interfered in last year's U.S. election to help President Donald Trump win. Russia has denied interfering in the U.S. election.
A Justice Department official, who spoke to reporters on condition of anonymity, said on Monday the current action against the botnet was not related to the election.
The Kelihos botnet has been a source of criminal activity targeting computer users worldwide since at least 2010, the official said.
The botnet at times grew larger than 100,000 simultaneously infected devices and was used to carry out various spam attacks, including pump-and-dump stock schemes, password thefts and injecting various forms of malware, including ransomware, into target devices, the official said. Botnets are often rented out for multiple criminal uses as well.
In order to liberate the "victim" computers, the United States obtained court orders to take measures to neutralize the Kelihos botnet, including establishing substitute servers and blocking commands sent from the botnet operator, the department said.
Three previous versions of Kelihos had been taken down, but each time it was able to grow back with improvements that made it more resilient.
The biggest problem was that in the most recent iterations, individual infected computers could update each other with new code, so that just taking down the few command servers was insufficient.
Law enforcement got technical help from private security firm CrowdStrike Inc in analyzing the code as it evolved, and analysts there discovered a flaw in the program's method for distributing lists of other infected machines to contact.
"We were able to take over the propagation of that list, so the malware-infected hosts were not able to get updates" from each other, said Adam Meyers, Vice President of Intelligence at CrowdStrike.
The Kelihos operation was the first targeting a botnet to use a recent judicial rule change that allows the Federal Bureau of Investigation to obtain a single search warrant to remotely access computers located in any jurisdiction, potentially even overseas, a Justice Department spokesman said. Previously such warrants could only be used within a judge's jurisdiction.
Such a warrant was used out of an abundance of legal caution, the Justice Department official told reporters, adding that the Kelihos actions were similar to previous ones U.S. authorities have taken to disrupt other botnets.
Victim computers were not infiltrated by the FBI but redirected to a computer controlled by law enforcement, often called a "sinkhole," to cut off the connection between infected devices and the botnet operator, the official said.
