U.S. targets spam botnet after Russian arrested in Spain

WASHINGTON (Reuters) - The U.S. Justice Department said on Monday it had launched an effort to take down the Kelihos botnet, a global network of tens of thousands of infected computers it claims was operated by a Russian national who was arrested in Spain over the weekend.

Peter Yuryevich Levashov operated the Kelihos botnet that infected computers running Microsoft Corp’s Windows operating system since approximately 2010, the Justice Department said.

A criminal case against Levashov by the Justice Department remains under seal, but on Monday the department announced a civil complaint intended to block spam from the botnet.

Russian-state media service RT reported Levashov was taken into custody in Spain over the weekend on a U.S. warrant.

It was not known if Levashov had an attorney. The Russian Embassy in Washington was not immediately available for comment.

Levashov, who has long been considered the likely identity of an online persona known as Peter Severa, spent years listed as among the world’s 10 most prolific computer spammers by Spamhaus, a spam-tracking group.

RT quoted Levashov’s wife as saying he was arrested on charges stemming from the U.S. government’s belief that Russia interfered in last year’s U.S. election to help President Donald Trump win. Russia has denied interfering in the U.S. election.

A Justice Department official, who spoke to reporters on condition of anonymity, said on Monday the current action against the botnet was not related to the election.

The Kelihos botnet has been a source of criminal activity targeting computer users worldwide since at least 2010, the official said.

The botnet at times grew larger than 100,000 simultaneously infected devices to carry out various spam attacks, including pump-and-dump stock schemes, password thefts and injecting various forms of malware, including ransomware, into target devices, the official said. Botnets are often rented out for multiple criminal uses as well.

In order to liberate the “victim” computers, the United States obtained court orders to take measures to neutralize the Kelihos botnet, including establishing substitute servers and blocking commands sent from the botnet operator, the department said.

Three previous versions of Kelihos had been taken down, but each time it was able to grow back with improvements that made it more resilient.

The biggest problem was that in the most recent iterations, individual infected computers could update each other with new code, so that just taking down the few command servers was insufficient.

Law enforcement got technical help from private security firm CrowdStrike Inc in analyzing the code as it evolved, and analysts there discovered a flaw in the program’s method for distributing lists of other infected machines to contact.

“We were able to take over the propagation of that list, so the malware-infected hosts were not able to get updates” from each other, said Adam Meyers, Vice President of Intelligence at CrowdStrike.

The Kelihos operation was the first targeting a botnet to use a recent judicial rule change that allows the Federal Bureau of Investigation to obtain a sole search warrant to remotely access computers located in any jurisdiction, potentially even overseas, a Justice Department spokesman said. Previously such warrants could only be used within a judge’s jurisdiction.

Such a warrant was used out of an abundance of legal caution, the Justice Department official told reporters, adding that the Kelihos actions were similar to previous ones U.S. authorities have taken to disrupt other botnets.

Victim computers were not infiltrated by the FBI but redirected to a computer controlled by law enforcement, often called a “sinkhole,” to cut off the connection between infected devices and the botnet operator, the official said.

Reporting by Dustin Volz, Joseph Menn and Eric Beech; editing by Lisa Shumaker and G Crosse