A Modification of Kelihos Looks for Passwords Stored in Internet Browsers

We discovered a new modification of the Kelihos backdoor dated March 4, 2013 (MD5:80bb0a4c115ca5309baaf4c85017869), which is still in operation after the much-publicized botnet shutdown at the RSA Conference. The new modification is able to steal passwords from Internet browsers.

The compilation date of the unpacked backdoor body is March 4, 2013.

However, the compilation date in the packed file's header is September 10, 2010.
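Both dates come from the TimeDateStamp field of the PE file's COFF header. The following added example (not code from the original analysis) reads that field and reports the gap between a packed container and its unpacked payload; the function names are hypothetical, and the two headers are constructed stubs that carry only the dates quoted above, not bytes from the sample.

```python
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def stamp_gap_days(packed: bytes, unpacked: bytes) -> int:
    """Days by which the unpacked body's stamp is later than the packed header's.

    A large positive value means the outer header's date says nothing about
    when the payload was actually built.
    """
    return (pe_compile_time(unpacked) - pe_compile_time(packed)).days


def constructed_header(when: datetime) -> bytes:
    """Build a minimal constructed MZ/PE header holding only the parsed fields."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1,
                       int(when.timestamp()), 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff


# Constructed inputs using the two dates reported in this article.
PACKED = constructed_header(datetime(2010, 9, 10, tzinfo=timezone.utc))
UNPACKED = constructed_header(datetime(2013, 3, 4, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("packed header :", pe_compile_time(PACKED).date())
    print("unpacked body :", pe_compile_time(UNPACKED).date())
    print("gap in days   :", stamp_gap_days(PACKED, UNPACKED))
```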

Password Stealer

Now the backdoor additionally searches for credentials of the following applications:

WISE FTP
IE
Mozilla Firefox
Chrome
Chromium
Bromium
Nichrome
RockMelt
Comodo
ChromePlus
browser.yandex
LeechFTP
Odin
WinFTP
FTPGetter
Estsoft\ALFTP
Staff
Blaze
NetFile
GoFTP
3D-FTP
EasyFTP
XFTP
BlazeFTP
SiteDesigner
Whisper Technology\FTP Surfer
VanDyke\SecureFX
Fling
NetDrive
FTP Explorer
FTPRush
UltraFXP
AceBIT
Flock\Browser
FTP-Now

This version uses SQLite to read user logins and passwords from signons.sqlite in Mozilla Firefox:

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

It also searches for “Login Data” and “Web Data” in the Chrome browser folder.
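On the detection side, the files named above are normally opened only by the browser that owns them. This added example (not part of the original analysis) flags any other process that opens them; the event format, the sample events and the allow-listed install paths are constructed assumptions to adapt to your own file-access telemetry.

```python
import ntpath
from collections import defaultdict

# Expected owner images, matched on full path so that a copy named chrome.exe
# in a user-writable folder is not trusted. Install paths are assumptions.
FIREFOX = r"c:\program files\mozilla firefox\firefox.exe"
CHROME = r"c:\program files\google\chrome\application\chrome.exe"

# Credential stores named in this article: file name -> (browser family, owners).
STORE_OWNERS = {
    "signons.sqlite": ("firefox", {FIREFOX}),
    "login data": ("chromium", {CHROME}),
    "web data": ("chromium", {CHROME}),
}

# Constructed sample telemetry: one "<process image>|<file opened>" pair per line.
SAMPLE_EVENTS = r"""
C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\amy\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\signons.sqlite
C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\amy\AppData\Local\Temp\svc32.exe|C:\Users\amy\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\signons.sqlite
C:\Users\amy\AppData\Local\Temp\svc32.exe|C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\amy\AppData\Local\Temp\svc32.exe|C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\amy\AppData\Local\Temp\chrome.exe|C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Tools\backup.exe|C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Windows\explorer.exe|C:\Users\amy\Documents\report.docx
"""


def parse_events(text):
    """Yield (process image, opened file) pairs from the constructed format."""
    for line in text.strip().splitlines():
        image, _, target = line.partition("|")
        if image and target:
            yield image.strip(), target.strip()


def find_foreign_readers(events):
    """Map each non-owner process image to the credential stores it opened."""
    hits = defaultdict(set)
    for image, target in events:
        store = ntpath.basename(target).lower()
        if store in STORE_OWNERS and image.lower() not in STORE_OWNERS[store][1]:
            hits[image].add(store)
    return {image: sorted(stores) for image, stores in hits.items()}


def triage(hits):
    """Rank findings: stores of more than one browser family is 'high'."""
    ranked = []
    for image, stores in hits.items():
        families = {STORE_OWNERS[s][0] for s in stores}
        ranked.append(("high" if len(families) > 1 else "review", image, stores))
    return sorted(ranked)


if __name__ == "__main__":
    for severity, image, stores in triage(find_foreign_readers(parse_events(SAMPLE_EVENTS))):
        print(f"{severity:6} {image} -> {', '.join(stores)}")
```

Legitimate backup and sync tools will also appear as `review` findings; a process that opens the stores of several browser families in one run is the pattern that matches the behaviour described here.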

Spam-Bot

Once a connection with a C&C server has been established, the bot can receive commands to send spam. Example of a spam message sent by a bot:

Our malware analysis system registered the backdoor using 944 public mail servers to send spam.

You can find more information about the Kelihos botnet in Lavasoft's recently published report.