View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
March 28, 2012updated 22 Aug 2016 12:56pm

Now Kelihos goes as botnets suffer bad week

Kaspersky and Dell team up to take down spam botnet, but reports suggest a new version is already up and running

By Steve Evans

It’s been a bad week for botnets: following Microsoft’s takedown of servers pushing the Zeus family of malware, the Kelihos has been dealt a fatal blow.

A group of companies, including Kaspersky Lab, Dell SecureWorks and the Honeynet Project, have joined forces to take control of the Kelihos botnet, also known as Hlux.

This botnet was a second version of one that was originally shutdown in September 2011. Kaspersky Labs says that this new incarnation is nearly three times the size of the original, with 110,000 infected hosts neutralised within five days of the takedown. This compares to just 40,000 for the original.

Like its predecessor, this version of Kelihos/Hlux used its network of infected computers to send spam, steal personal data and perform distributed denial of service (DDoS) attacks on specific targets, Kaspersky said. However the newer version added features that meant it could steal digital wallets. It was written using the same code, Kaspersky analysts claimed.

Kelihos.B, as the new variant is also known, was taken down partly thanks to the way it was developed. It was a peer-to-peer botnet, meaning every member of the network can act as a server and/or client. This differs from most botnets, which rely on a single command and control server.

The group created a global network of distributed machines that were installed into the botnet’s infrastructure. This is known as a sinkhole, and enables malicious traffic to be diverted to it. Essentially this means the group had control of the botnet.

Kaspersky Lab’s Stefan Ortloff explained what happened next: "After a short time, our sinkhole-machine increased its "popularity" in the network – which means that a big part of the botnet only talks to a box under our control."

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

"We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad guys," he added.

However, although it seems this operation was a success it seems that much like after the first botnet was shut down, Kelihos/Hlux may be living once again.

According to the influential Krebs on Security blog, just hours after this takedown, Kelihos.C was compiled and launched. It appears to be spreading via Facebook, said Brian Krebs.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.