Feeds

Staggering Kelihos zombie army smacked down AGAIN

Resurrected spam-spewing network sinkholed by security bods

Using blade systems to cut costs and sharpen efficiencies

A resurrected incarnation of the infamous Kelihos botnet has been taken out.

The takedown operation – mounted by Kaspersky Lab's experts, along with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project – follows six months after the original spam-spewing and credential-stealing botnet was dismantled in September 2011.

The original takedown seemed to have only re-energised the cybercrooks involved in the creation of the original zombie network, who then used adapted strains of the original malware to create a botnet THREE times the size of the original monster, boasting a zombie army of 109,000 infected hosts.

By comparison the original Kelihos botnet, decapitated thanks to a collaboration between security experts at Kaspersky Lab and Microsoft, was estimated at having only 40,000 infected hosts.

Despite the commendable success of the latest Kelihos botnet decapitation exercise, the crooks behind the zombie network remain at large and might well try to resurrect the botnet once again, perhaps to even more devastating effect.

It's back ...

Kaspersky Lab researchers first warned in January that although the original botnet had been successfully neutralised and remained under control, a new zombie network based on similar malware had sprung up to take its place.

"Although the second botnet was new, the malware had been built using the same coding as the original Hlux/Kelihos botnet," a statement by Kaspersky Lab explains. "This malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the second botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets."

The second Kelihos (Hlux) botnet – which also featured significant changes in the communication protocol and new “features” like flash-drive infection – was disabled using a sinkholing operation that began last week.

Pwning our P2P pals

Both incarnations of Hlux/Kelihos were peer-to-peer (P2P) type botnets, which means every compromised machine on the network can act as a server and/or client. As such Kelihos was able to operate without central command and control (C&C) servers. To neutralise the more flexible P2P botnet, security experts first infiltrated the botnet with a network of machines under their control. These imposters then instructed infected hosts to look for instructions at a sinkhole under the control of security researchers, effectively rendering infected machines inert.

Over a short period, the sinkhole network increased its "popularity" in the network, which allowed more infected computers to be brought under Kaspersky Lab's control, while preventing the malicious bot-operators from accessing them. As more infected machines were neutralised, the P2P architecture caused the botnet’s infrastructure to "sink" as its strength weakened exponentially with each computer it lost control of.

A few hours after security researchers started the takedown operation, around 21 March, the bot-herders tried to take countermeasures by rolling out a new version of their bot. However these attempts seem to have largely failed.

The sinkholing operation succeeded and the botnet has been rendered inoperable. With the majority of botnets connected to the sinkhole, Kaspersky Lab’s experts ran an audit to determine the geographical locations of compromised hosts. Kaspersky Lab has counted 109,000 infected IP addresses, the majority of which were located in either Poland or the US. Most (84 per cent) of the infected machines were running Windows XP.

The original Kelihos botnet takedown operation in September 2011 also involved a sinkholing operation. Kaspersky Lab worked with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech to disable the original botnet. At that time, Kaspersky Labs executed a sinkhole operation, which disabled the botnet and its backup infrastructure from command and control servers.

More details on the latest Kelihos takedown operation can be found in a blog post by Kaspersky Labs here. ®

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.