Some Compare Botnet Takedowns to a Game of Whack-a-Mole
Like Ive said before, if youre going to take down a botnet, you have to take out the criminals at the top, Ollmann wrote in a March 29 blog. Its the only way. Taking out the infrastructure they depend upon for distributing new infectious material and C&C is a disruption techniquea delaying tactic, if you will, and maybe an evidence-building process if youre lucky. In the case of P2P-based botnets, theres very little infrastructure you can get your hands onand youll probably end up having to issue commands to botnet victim deviceswhich is fraught with legal and ethical problems. The problem, he said, is that such operations like sinkholes essentially become a game of whack-a-molesecurity companies may stop or slow one botnet, but another version will quickly pop up somewhere else. And there are tools that the cyber-criminals operating peer-to-peer P2P botnets can use to avoid efforts like sinkholes. With all that, its difficult to agree that the Kelihos botnet has been taken downtwice.A day after Kasperskys Ortloff wrote about the sinkhole operation against Kelihos, officials at cyber-threat management firm Seculert said in a blog post that they were seeing the Kelihos botnet continuing to spread through Facebook. They had discovered the social strain of the botnet a few weeks earlier, and that as of this week, it had infected more than 70,000 Facebook users, mostly in Poland and the United States. The new Kelihos variantwhich the Seculert official were still referring to as Kelihos.Bis leveraging a known social worm malware first noted in April 2011. The social worm malware sends out a message to all the victim's friends, directing them to a URL that includes a photo album link. The link actually downloads a malicious file, which at the time was fake antivirus software. The malware also creates a dummy blog at Blogger.com, which then redirects more traffic to it, according to Seculert. Unfortunately, at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm, the Seculert officials wrote. Also, there is still communication activity of this malware with the command-and-control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam. They doubted that this is a new variant, or a Kelihos.C. As the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer this botnet as Kelihos.B, they wrote.
It would be more precise to say that certain Kelihos campaigns have been disrupted, Ollmann wrote. The criminals (and their core infrastructure) havent been significantly affected. In fact, the speed at which the Kelihos criminal gang was able to release an updated variant (Kelihos.C) reflects the futility of much of the current takedown effort.