Some Compare Botnet Takedowns to a Game of Whack-a-Mole
"Like I've said before, if you're going to take down a botnet, you have to take out the criminals at the top," Ollmann wrote in a March 29 blog. "It's the only way. Taking out the infrastructure they depend upon for distributing new infectious material and C&C is a disruption technique, a delaying tactic, if you will, and maybe an evidence-building process if you're lucky. In the case of P2P-based botnets, there's very little infrastructure you can get your hands on, and you'll probably end up having to issue commands to botnet victim devices, which is fraught with legal and ethical problems."
The problem, he said, is that operations such as sinkholes essentially become a game of whack-a-mole: security companies may stop or slow one botnet, but another version will quickly pop up somewhere else. And there are tools that the cyber-criminals operating peer-to-peer (P2P) botnets can use to avoid efforts like sinkholes. With all that, it's difficult to agree that the Kelihos botnet has been taken down, twice.
"It would be more precise to say that certain Kelihos campaigns have been disrupted," Ollmann wrote. "The criminals (and their core infrastructure) haven't been significantly affected. In fact, the speed at which the Kelihos criminal gang was able to release an updated variant (Kelihos.C) reflects the futility of much of the current takedown effort."
A day after Kaspersky's Ortloff wrote about the sinkhole operation against Kelihos, officials at cyber-threat management firm Seculert said in a blog post that they were seeing the Kelihos botnet continuing to spread through Facebook. They had discovered the social strain of the botnet a few weeks earlier, and as of this week it had infected more than 70,000 Facebook users, mostly in Poland and the United States.
The new Kelihos variant, which the Seculert officials were still referring to as Kelihos.B, is leveraging a known social worm malware first noted in April 2011. The social worm malware sends a message to all the victim's friends, directing them to a URL that includes a photo album link. The link actually downloads a malicious file, which at the time was fake antivirus software. The malware also creates a dummy blog at Blogger.com, which then redirects more traffic to it, according to Seculert.
"Unfortunately, at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm," the Seculert officials wrote. "Also, there is still communication activity of this malware with the command-and-control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam."
They doubted that this is a new variant, or a Kelihos.C. "As the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B," they wrote.
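Seculert's verdict that the botnet is "still up and running" rests on three observable signals: infected machines keep talking to live peers, new machines keep appearing, and bots that had been sinkholed come back under the operators' control. The script below is an added example, not code from the article, Kaspersky or Seculert; it shows how a defender holding sinkhole telemetry would measure those three signals after a takedown. The log format, bot identifiers, peer addresses and dates are all constructed for the example.

```python
"""Measure whether a sinkholed P2P botnet is really down.

Added example (not from the article, Kaspersky or Seculert). Each record is
    <ISO timestamp> <bot_id> <destination>
where destination is either the label "sinkhole" or the address of another
peer the bot contacted. The format, ids, addresses and dates are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Beacon:
    ts: datetime
    bot_id: str
    dest: str


def parse_beacons(lines):
    """Parse log lines into Beacon records, oldest first; skips blanks and comments."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, bot_id, dest = line.split()
        out.append(Beacon(datetime.fromisoformat(ts), bot_id, dest))
    return sorted(out, key=lambda b: b.ts)


def assess_takedown(beacons, takedown_at):
    """Report the signals that show whether the botnet survived the sinkholing.

    - new_after_takedown: bots first seen after the takedown (still expanding)
    - live_peer_traffic_after_takedown: bots talking to non-sinkhole peers afterwards
    - regained_from_sinkhole: bots that beaconed to the sinkhole and later to a live peer
    """
    first_seen = {}
    last_to_sinkhole = {}
    regained = set()
    for b in beacons:
        first_seen.setdefault(b.bot_id, b.ts)
        if b.dest == "sinkhole":
            last_to_sinkhole[b.bot_id] = b.ts
        elif b.bot_id in last_to_sinkhole and b.ts > last_to_sinkhole[b.bot_id]:
            regained.add(b.bot_id)
    new_after = {bid for bid, ts in first_seen.items() if ts >= takedown_at}
    active_after = {b.bot_id for b in beacons
                    if b.ts >= takedown_at and b.dest != "sinkhole"}
    return {
        "bots_seen": len(first_seen),
        "new_after_takedown": len(new_after),
        "live_peer_traffic_after_takedown": len(active_after),
        "regained_from_sinkhole": len(regained),
        "still_running": len(active_after) > 0,
    }


# Constructed sample telemetry; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """
# constructed sample, not real data
2012-03-20T10:00:00+00:00 bot-a sinkhole
2012-03-20T10:05:00+00:00 bot-b sinkhole
2012-03-20T10:06:00+00:00 bot-c sinkhole
2012-03-22T09:00:00+00:00 bot-a 203.0.113.7
2012-03-23T11:30:00+00:00 bot-d 203.0.113.9
2012-03-23T12:00:00+00:00 bot-b sinkhole
2012-03-24T08:15:00+00:00 bot-e 203.0.113.7
"""
TAKEDOWN_AT = datetime(2012, 3, 21, tzinfo=timezone.utc)  # assumed cut-over date


def demo():
    """Run the assessment over the constructed sample."""
    return assess_takedown(parse_beacons(SAMPLE_LOG.splitlines()), TAKEDOWN_AT)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the sample, three of five bots talk to live peers after the takedown, two of them are new infections, and bot-a was sinkholed and then re-acquired, which is exactly the pattern that justifies calling the operation a disruption rather than a takedown. Counting unique bot ids rather than raw beacons matters here, because a single chatty bot would otherwise look like a growing botnet.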