Fresh Back from the Dead, Kelihos Botnet Returned to the Grave (Again)


With the opportunity and profit that can be had from running a fraud or spam botnet, it’s really hard to put these things down—even shooting them in the head, like a traditional movie zombie, no longer works. Over the past six months a task group drawn from several security firms worked together to infiltrate and destroy a new incarnation of the Kelihos botnet, one that relied on peer-to-peer communications to operate.

The team consisted of Kaspersky Lab’s experts, the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, who went after the resurrected remains of a spybot and spam network originally dismantled in September 2011 by Microsoft. Like a growing number of modern botnets, Kelihos has no central command-and-control server that can be “shot in the head”: its zombies form a distributed horde that passes instructions and peer addresses among themselves over peer-to-peer communication. The ZeuS botnet recently adopted the same design, and it didn’t save a network of that malware from Microsoft’s most recent operation.

The peer-to-peer design may make these botnets harder to kill, but it doesn’t make them invulnerable. The task group of security experts sent to dismantle the new Kelihos incarnation went in with subterfuge and veteran experience and came out with yet another campaign medal and victory under their belts. According to The Register, the battle was a complex and yet interesting one of programmer versus programmer:

Both incarnations of Hlux/Kelihos were peer-to-peer (P2P) type botnets, which means every compromised machine on the network can act as a server and/or client. As such Kelihos was able to operate without central command and control (C&C) servers. To neutralise the more flexible P2P botnet, security experts first infiltrated the botnet with a network of machines under their control. These imposters then instructed infected hosts to look for instructions at a sinkhole under the control of security researchers, effectively rendering infected machines inert.

Over a short period, the sinkhole network increased its “popularity” in the network, which allowed more infected computers to be brought under Kaspersky Lab’s control, while preventing the malicious bot-operators from accessing them. As more infected machines were neutralised, the P2P architecture caused the botnet’s infrastructure to “sink” as its strength weakened exponentially with each computer it lost control of.

It looks like the bot makers even attempted to deploy countermeasures when they realized they were under attack. It was for naught, however: the task group wrested control from them and bled the zombie network away from its necromantic malware masters.

This is similar to the way that Microsoft killed the original Kelihos network in September 2011.
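The quoted passage describes the sinkholing mechanism but not the dynamics behind its “popularity” remark. What follows is an added illustration, not code from the operation or from Kaspersky Lab, CrowdStrike, Dell SecureWorks or the Honeynet Project: it models the botnet as a toy gossip protocol in which every bot keeps a bounded list of peer addresses, asks one random peer per round for more peers, and keeps the freshest entries. Sinkhole nodes answer such requests with nothing but sinkhole addresses and periodically announce themselves to random bots (the infiltration step). The list size, reply size, FIFO replacement rule, the “full list of sinkholes” reply and the seeded random choices are all assumptions of this model; the real Kelihos peer-exchange format is not on the page.

```python
"""Toy model of sinkholing a peer-to-peer botnet by peer-list poisoning.

Added example, not the Kelihos protocol. Bot IDs are non-negative integers,
sinkhole IDs are negative, so the two never collide. All sizes and rules
below are assumptions chosen to show the mechanism, not measured values.
"""
import random

MAX_PEERS = 8    # bounded peer list per bot (assumed)
REPLY_SIZE = 4   # peers a genuine bot hands back when asked (assumed)


class Network:
    def __init__(self, n_bots, n_sinkholes, seed=0):
        if n_bots <= MAX_PEERS:
            raise ValueError("need more bots than MAX_PEERS to bootstrap lists")
        self.rng = random.Random(seed)
        self.bots = list(range(n_bots))
        self.sinkholes = [-(i + 1) for i in range(n_sinkholes)]
        # Bootstrap: every bot starts out knowing MAX_PEERS genuine peers, never itself.
        self.peers = {
            b: [p for p in self.rng.sample(self.bots, MAX_PEERS + 1) if p != b][:MAX_PEERS]
            for b in self.bots
        }

    def is_sinkholed(self, bot):
        """Neutralised: every address the bot knows belongs to the researchers."""
        return all(p < 0 for p in self.peers[bot])

    def reply(self, node):
        """What `node` hands back when asked for peers."""
        if node < 0:
            # Assumed sinkhole behaviour: answer with a full list of sinkholes,
            # which (with the FIFO rule below) replaces the asker's whole list.
            return self.rng.choices(self.sinkholes, k=MAX_PEERS)
        # A genuine bot shares a sample of its own list. Once that bot is itself
        # sinkholed, the sample contains only sinkholes, so the poison propagates.
        return self.rng.sample(self.peers[node], REPLY_SIZE)

    def merge(self, bot, new_peers):
        """Append newly learned peers, keep the newest MAX_PEERS (FIFO).

        Duplicates are tolerated; the list never shrinks below MAX_PEERS."""
        merged = self.peers[bot] + [p for p in new_peers if p != bot]
        self.peers[bot] = merged[-MAX_PEERS:]

    def gossip_round(self):
        """Every bot asks one known peer for peers; then every sinkhole node
        announces its own address to one random bot (the infiltration step)."""
        for b in self.bots:
            target = self.rng.choice(self.peers[b])
            self.merge(b, self.reply(target))
        for s in self.sinkholes:
            self.merge(self.rng.choice(self.bots), [s])

    def sinkholed_fraction(self):
        return sum(self.is_sinkholed(b) for b in self.bots) / len(self.bots)


def simulate(n_bots=100, n_sinkholes=10, rounds=400, seed=1):
    """Run the takedown; return the sinkholed fraction before and after each round.

    The sinkholed state is absorbing (a bot that knows only sinkholes can only
    ever learn more sinkholes), so the returned series never decreases."""
    net = Network(n_bots, n_sinkholes, seed)
    history = [net.sinkholed_fraction()]
    for _ in range(rounds):
        net.gossip_round()
        history.append(net.sinkholed_fraction())
    return history


if __name__ == "__main__":
    history = simulate()
    for r in (0, 5, 10, 20, 40, 80, 160, 400):
        print(f"round {r:3d}: {history[r]:.2f} of bots know only sinkholes")
```

The property worth noticing is that the sinkholed state is absorbing: a bot whose list holds only sinkhole addresses can never learn a genuine peer again, and from then on it answers other bots’ requests with sinkhole addresses too. That is the “sink” effect in the quote: each neutralised machine becomes one more relay for the poisoned peer list, so the operators lose ground faster the more ground they have already lost.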

After control of the botnet had been largely shifted to Kaspersky Lab, the experts on the task group began a post-mortem of the necrotic botnet. From their findings they counted 109,000 infected IP addresses, the majority of which were situated in Poland and the US. They also discovered that a huge majority (84 per cent) of the computers infected were running Windows XP.

If you’re curious about the operation and what was discovered, further analysis and narrative is available over at Kaspersky Lab’s blog.