Botnet Taken Down, then Resurfaces

Thursday, February 2, 2012 @ 05:02 PM gHale

Like a bad horror movie, the Kelihos botnet has sprung back to life and is using only slightly different versions of the original malware and controller list.

The rejuvenation of the botnet illustrates the difficulty of permanently disabling these networks and the perseverance of the attackers who count on them for their livelihood.


In September, researchers from Kaspersky Lab and Microsoft worked together on a coordinated takedown of the Kelihos botnet using a common technique known as sinkholing: the researchers direct the bots on infected computers to contact a server they control rather than one controlled by the attackers. Because Kelihos is a peer-to-peer botnet, Kaspersky researchers pushed out a new peer address, and the existing infected PCs began connecting to it to ask for new instructions. That gave the researchers control of the botnet.

“Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only,” said Tillmann Werner, a Kaspersky Lab researcher who helped coordinate the takedown. “Experts call such an action sinkholing – bots communicate with a sinkhole instead of its real controllers. At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore.”

At the time of the takedown, Werner said the sinkholing of Kelihos was not a permanent answer because the peers in the network would eventually begin communicating with other controllers and the sinkhole peer would lose its dominant position. The real solution would have been to push an update to the infected machines that removed the infection or disabled the bot, but there are legal and ethical obstacles to that course of action.
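To make the mechanics described above concrete, here is an added toy simulation of peer-list gossip in a constructed P2P botnet; it is not code from Kaspersky or Microsoft and does not model the real Kelihos protocol. A researcher-controlled address is injected into a few bots' peer lists and answers every request with a crafted list naming only itself, and the run reports how prevalent that address becomes while every bot still retains its original peers. The peer-list cap, the exchange rule, and all names are assumptions.

```python
import random

SINKHOLE = "sinkhole"   # constructed label for the researcher-controlled peer
MAX_PEERS = 5           # assumed cap on each bot's peer list

def make_botnet(n_bots, n_seed_peers, rng):
    """Constructed P2P botnet: every bot starts knowing a few random peers."""
    names = [f"bot{i}" for i in range(n_bots)]
    return {b: rng.sample([p for p in names if p != b], n_seed_peers) for b in names}

def exchange(bots, name, peer):
    """One peer-list exchange: `name` asks `peer` for peers and prepends the
    answer to its own list (newest first, deduplicated, capped)."""
    # The sinkhole answers with the crafted list: only itself.
    offered = [SINKHOLE] if peer == SINKHOLE else bots[peer]
    merged = []
    for p in offered + bots[name]:
        if p != name and p not in merged:
            merged.append(p)
    bots[name] = merged[:MAX_PEERS]
    return bots[name]

def simulate(n_bots=200, seeded_fraction=0.05, rounds=20, seed=1):
    """Return per-round (share of bots whose first-choice peer is the sinkhole,
    share of bots still holding at least one non-sinkhole peer)."""
    rng = random.Random(seed)
    bots = make_botnet(n_bots, 3, rng)
    # Researchers inject the sinkhole as the first-choice peer of a few bots.
    for name in rng.sample(list(bots), int(n_bots * seeded_fraction)):
        bots[name].insert(0, SINKHOLE)
    history = []
    for _ in range(rounds):
        for name in list(bots):
            exchange(bots, name, rng.choice(bots[name]))
        first = sum(b[0] == SINKHOLE for b in bots.values()) / n_bots
        residual = sum(any(p != SINKHOLE for p in b) for b in bots.values()) / n_bots
        history.append((round(first, 2), round(residual, 2)))
    return history

if __name__ == "__main__":
    for r, (first, residual) in enumerate(simulate(), 1):
        print(f"round {r:2d}: sinkhole first-choice {first:.0%}, "
              f"bots still holding original peers {residual:.0%}")
```

The second column never drops below 100% because a sinkhole can only add itself to a list, not purge the peers already in it, which is the structural reason the text gives for the takedown not being permanent.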

So what has happened since the takedown in September is pretty much what Werner predicted. The Kelihos network has re-formed and is back in action in only slightly modified form. The encryption routine the malware uses differs a little from the old version: the points at which the Blowfish and Triple-DES keys are applied have been shuffled around. The signing keys for certain components of the malware also changed.

“As you can see, two different RSA keys are used within a tree, which makes us think that probably two different groups are in possession of each key and are currently controlling the botnet. As for the tree structure, all the fields and their meanings remained the same. The most significant change is that the hashing algorithm for the fields’ names is no longer used. Instead, each field now corresponds to a 1-2 character name,” said Maria Garnaeva, a Kaspersky Lab analyst.
