The Justice Department on Monday announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software.

“The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks.   The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Kenneth A. Blanco.

Kelihos is designed to operate automatically and undetected on victims’ computers, with the malicious code secretly sending requests for instructions to the botnet operator.

Kelihos malware targeted computers running the Microsoft Windows operating system. Infected computers became part of a network of compromised computers known as a botnet and were controlled remotely through a decentralized command and control system.

The Kelihos malware harvested user credentials by searching infected computers for usernames and passwords and by intercepting network traffic. The Kelihos botnet generated and distributed enormous volumes of unsolicited spam e-mails advertising counterfeit drugs, deceptively promoting stocks in order to fraudulently increase their price (so-called “pump-and-dump” stock fraud schemes), work-at-home scams, and other frauds.  Kelihos was also responsible for directly installing additional malware onto victims’ computers, including ransomware and malware that intercepts users’ bank account passwords.

In seeking authorization to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure.  The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server.  This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers, the Justice Department stated.

According to the Justice Department, the efforts to disrupt and dismantle the Kelihos botnet were led by the FBI’s Anchorage Office and New Haven Office; Senior Counsel Ethan Arenson and Harold Chun, and Trial Attorney Frank Lin of the Computer Crime and Intellectual Property Section; and Assistant U.S. Attorneys Yvonne Lamoureux and Adam Alexander of the District of Alaska. Critical assistance was also provided by foreign partners, and invaluable technical assistance was provided by Crowd Strike and The Shadow server Foundation in executing this operation.