Botnet Rises and Falls Again

Thursday, March 29, 2012 @ 12:03 PM gHale

For the second time in six months, researchers at Kaspersky Lab took down the newest iteration of the Kelihos botnet, also known as “Hlux.”

Microsoft and Kaspersky worked together in September 2011 on the first Kelihos takedown. The bot then resurfaced in January, only to be shut down again this month by a combination of private firms including Kaspersky, Dell SecureWorks and CrowdStrike Inc.


Kelihos sends spam, carries out DDoS attacks, and steals online currency such as bitcoin wallets. It operates as a “peer-to-peer” bot network, a design that is more difficult to take down than one with centralized command and control (C&C) servers, according to Tillmann Werner, a senior researcher at CrowdStrike.

Peer-to-peer botnets are distributed, self-organizing, and may have multiple command and control servers that disguise themselves as peers. In Kelihos’s case, there were three C&C servers and each had two unique IP addresses, he said.

Russian antivirus provider Kaspersky said it will “sinkhole” the botnet — taking control of the botnet’s command and control servers and preventing them from distributing any more malicious content. While the private firm does not have the legal authority to sanitize infected machines, Kaspersky will contact the Internet service providers (ISPs) whose customers suffer from infection, and hope they take action.

Despite their success, the re-emergence of Kelihos just months after being “taken down” in a similar, coordinated effort underscores the difficulty of wrangling global networks of infected computers. Werner and Kaspersky Lab colleague Marco Preuss warned Kelihos will emerge again.

Preuss and Werner believe the bot was able to resurface so quickly because it was built through a pay-per-install (PPI) service, meaning the operators bought (or rented) infected machines to build their botnet. They came to this conclusion because the majority of infected machines constituting the botnet are in Poland and most of the infected machines are running XP, the researchers said. This is relevant, Werner and Preuss said, because most PPI services charge less for machines in Poland and for machines running XP.
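Two pieces of sinkhole work are described above: turning the sinkhole's connection log into per-ISP notification lists (the step Kaspersky says it will take with infected customers' ISPs), and measuring where the bots are by country (the kind of figure behind the researchers' PPI inference). The script below is an added illustration, not code from the article or from Kaspersky or CrowdStrike. It assumes a constructed sinkhole log of one line per bot check-in (`timestamp src_ip country`) and a constructed prefix-to-ISP table with hypothetical ISP names; a real sinkhole would draw both from routing and whois data.

```python
"""Sinkhole log triage: who to notify, and where the bots are.

Added example; not the article's or any vendor's code. The log lines and
the prefix-to-ISP table are constructed and use documentation IP ranges.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: "<timestamp> <src_ip> <country>" per bot check-in.
SINKHOLE_LOG = """\
2012-03-28T10:00:01Z 198.51.100.7 PL
2012-03-28T10:00:05Z 198.51.100.7 PL
2012-03-28T10:01:12Z 198.51.100.200 PL
2012-03-28T10:02:40Z 203.0.113.9 DE
2012-03-28T10:03:03Z 192.0.2.55 PL
not a log line
2012-03-28T10:03:59Z 203.0.113.77 US
"""

# Constructed prefix table with hypothetical ISP names.
ISP_PREFIXES = {
    ip_network("198.51.100.0/24"): "ExampleNet-PL",
    ip_network("203.0.113.0/24"): "ExampleTel-EU",
    ip_network("192.0.2.0/24"): "ExampleISP-PL",
}


def parse_log(text):
    """Yield (timestamp, ip, country); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield parts[0], ip_address(parts[1]), parts[2]
        except ValueError:
            continue


def isp_for(ip):
    """Longest-prefix lookup is unnecessary here: the constructed table has no overlaps."""
    for net, name in ISP_PREFIXES.items():
        if ip in net:
            return name
    return "unknown"


def notifications(text):
    """Map ISP -> unique infected IPs, since one host checks in many times."""
    by_isp = defaultdict(set)
    for _, ip, _ in parse_log(text):
        by_isp[isp_for(ip)].add(ip)
    return {isp: [str(ip) for ip in sorted(ips)] for isp, ips in by_isp.items()}


def country_share(text):
    """Fraction of unique bots per country (first-seen country wins per IP)."""
    seen = {}
    for _, ip, cc in parse_log(text):
        seen.setdefault(ip, cc)
    total = len(seen)
    counts = defaultdict(int)
    for cc in seen.values():
        counts[cc] += 1
    return {cc: n / total for cc, n in counts.items()} if total else {}


if __name__ == "__main__":
    for isp, ips in notifications(SINKHOLE_LOG).items():
        print(f"{isp}: notify about {len(ips)} host(s): {', '.join(ips)}")
    for cc, share in sorted(country_share(SINKHOLE_LOG).items()):
        print(f"{cc}: {share:.0%} of unique bots")
```

Deduplicating by IP before counting matters for both outputs: a chatty bot must not be reported to its ISP several times, and a country share computed over raw check-ins rather than unique hosts would overweight whichever bots happen to poll the sinkhole most often.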

Researchers believe this is the fifth version of the Kelihos malware, and Preuss and Werner said those responsible for Kelihos may also be responsible for the Storm and Waledac malware families.

They said the gang made no attempts to prevent or lessen the effectiveness of either Kelihos takedown, suggesting such actions are not serious threats to those running the botnet.
