ROKSO
The Register of Known Spam Operations
Peter Severa / Peter Levashov



Country: Russian Federation
State:
A professional spammer who writes and sells virus-spamming spamware and botnet access. Is probably involved in the writing and releasing of viruses and trojans. One of the longest-operating criminal spam-lords on the internet. Works with many other Eastern European and US-based botnet spammers. Was a partner of American spammer Alan Ralsky.



MEDIA: Spammer’s Arrest Puts End to Kelihos Botnet


https://threatpost.com/spammers-arrest-puts-end-to-kelihos-botnet/124910/

by Michael Mimoso, April 11, 2017, 1:43 pm

The alleged Russian botmaster behind the Kelihos botnet was arrested while on vacation in Spain, putting an end to a seven-year cybercrime operation that foisted hundreds of millions of spam messages on consumers, as well as a dangerous array of banking malware and ransomware.

Pyotr Levashov, also known as Peter Severa and a handful of other aliases, was arrested on Sunday by authorities in Barcelona. The U.S. Department of Justice yesterday released a statement acknowledging international cooperation between U.S. and foreign authorities, as well as the Shadow Server Foundation and Crowdstrike, in making the arrest and seizing infrastructure used to support Kelihos and Levashov’s operations.

“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Kenneth A. Blanco.

Kelihos surfaced in 2010 after the takedown of the Storm botnet. For years, it had targeted Windows machines with nonstop spam pushing counterfeit drugs, pump-and-dump stock scams and other fraudulent schemes. It was also proficient at spreading banking malware such as Vawtrak and Kronos, and a number of different ransomware families.

The DoJ said it obtained a Rule 41 warrant to facilitate the Kelihos takedown.

“The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server,” the DoJ said. “This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.”

The DoJ said it began blocking Kelihos domains on Saturday, less than 24 hours before Levashov’s arrest.

Levashov, of St. Petersburg, is No. 7 on Spamhaus’ list of the worst spammers, and is alleged to have been partners with American spammer Alan Ralsky.

Kelihos has survived a number of past takedowns, including a live sinkholing of thousands of bots that happened during the 2013 RSA Conference, conducted by former Kaspersky Lab researcher Tillmann Werner. Werner and Stefan Ortloff had been part of earlier Kelihos shutdowns in 2011 and 2012 and published a post-mortem on the shutdowns in 2013 that showed a steady downturn in new Kelihos bots.

The botnet resurfaced time and time again and spread malware that harvested credentials from infected computers, including usernames and passwords for online banking accounts.

The DoJ said it obtained civil and criminal court orders from the District of Alaska that granted authorities permission to redirect command and control requests from bots to servers controlled by law enforcement. They were also entitled to block any commands sent by the botmaster in an attempt to regain control of his network and bots.



The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK12092/

© 1998-2017 The Spamhaus Project Ltd. All rights reserved.