Botnet sending millions of fake drug emails dismantled

The US is bringing down a colossal botnet responsible for distributing hundreds of millions of fraudulent emails advertising counterfeit drugs and installing ransomware.

The action comes after the arrest of Russian Pyotr Yuryevich Levashov in Spain last week, who allegedly operated the botnet since 2010.

Reports claimed he may also be linked to the alleged hacking of the US election by Russia but the US Justice Department has reportedly denied this.

The botnet in question is dubbed the Kelihos botnet, which involves a global network of potentially 100,000 compromised computers that has distributed hundreds of millions of spam emails, intercepted details of financial accounts and installed malicious software.

"The ability of botnets like Kelihos to be weaponised quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives," Kenneth Blanco, acting assistant attorney general of the US Justice Department's criminal division, said in a statement.

Cybercrime is a global problem, acting US attorney Bryan Schroder for the District of Alaska, said in a statement. "Protecting the American people from such a worldwide threat requires a broad-reaching response, and the dismantling of the Kelihos botnet was such an operation."

Computers at risk of being infected with the Kelihos malware, and joining the network (or botnet) of compromised computers, were those running the Microsoft Windows operating system.

The infected network was then controlled remotely through a decentralised command and control system where the botnet communicated stealthily with the botnet operator with requests for instructions.

The botnet, which operated automatically and covertly, generated and distributed large volumes of unsolicited spam emails advertising counterfeit drugs, deceptively promoting stocks in order to fraudulently increase their price (known as "pump and dump" stock fraud schemes), work-at-home scams, and other frauds.

The botnet also harvested user credentials by searching infected computers for usernames and passwords and by intercepting network traffic, and was also responsible for installing additional malware onto victims' computers, including ransomware and malware that intercepts bank details.

The US Government started the task of dismantling Kelihos on 8 April by blocking malicious domains associated with the botnet to prevent other infections. Civil and criminal court orders, obtained in the District of Alaska, were required, as well as a warrant.

These authorised measures to neutralise the botnet by establishing substitute servers to receive the automated requests for instructions thereby ending communication with the operator, and blocking any commands sent from the operator to attempt to regain control of the infected computers.

The substitute server will also record the IP addresses of victims and service providers will be notified to remove the malware.

Levashov was described by the government as "one of the world's most notorious criminal spammers" having also previously been charged for operating Kelihos' predecessor the Storm botnet. His arrest in Barcelona was a joint US-Spanish effort.

It is understood the US will seek Levashov's extradition.