It’s been a bad week for botnets: following Microsoft’s takedown of servers pushing the Zeus family of malware, the Kelihos has been dealt a fatal blow.
A group of companies, including Kaspersky Lab, Dell SecureWorks and the Honeynet Project, have joined forces to take control of the Kelihos botnet, also known as Hlux.
This botnet was a second version of one that was originally shutdown in September 2011. Kaspersky Labs says that this new incarnation is nearly three times the size of the original, with 110,000 infected hosts neutralised within five days of the takedown. This compares to just 40,000 for the original.
Like its predecessor, this version of Kelihos/Hlux used its network of infected computers to send spam, steal personal data and perform distributed denial of service (DDoS) attacks on specific targets, Kaspersky said. However the newer version added features that meant it could steal digital wallets. It was written using the same code, Kaspersky analysts claimed.
Kelihos.B, as the new variant is also known, was taken down partly thanks to the way it was developed. It was a peer-to-peer botnet, meaning every member of the network can act as a server and/or client. This differs from most botnets, which rely on a single command and control server.
The group created a global network of distributed machines that were installed into the botnet’s infrastructure. This is known as a sinkhole, and enables malicious traffic to be diverted to it. Essentially this means the group had control of the botnet.
Kaspersky Lab’s Stefan Ortloff explained what happened next: "After a short time, our sinkhole-machine increased its "popularity" in the network – which means that a big part of the botnet only talks to a box under our control."
Content from our partners
"We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad guys," he added.
However, although it seems this operation was a success it seems that much like after the first botnet was shut down, Kelihos/Hlux may be living once again.
According to the influential Krebs on Security blog, just hours after this takedown, Kelihos.C was compiled and launched. It appears to be spreading via Facebook, said Brian Krebs.
