Security researchers from Kaspersky Lab, Dell SecureWorks and other organizations have essentially disabled a newer version of the Kelihos botnet, which Kaspersky and others helped shut down in September 2011.
The new Kelihos version, first discovered in January, was armed with new features that made it more dangerous than the initial botnet, according to researchers at Kaspersky. The peer-to-peer botnet also was significantly larger, compromising almost three times as many computers as the first.
The group of researchers (not only from Kaspersky and Dell, but also CrowdStrike and the Honeynet Project) studied the new Kelihos for a couple of months, and on March 21 began to take it down with a similar “sinkhole” operation designed to draw the infected computers away from the botnet’s command-and-control server and out of reach of the botnet’s operators.
The sinkhole operation did its job, according to Stefan Ortloff, a security expert at Kaspersky.
“After a short time, our sinkhole-machine increased its ‘popularity’ in the network, which means that a big part of the botnet only talks to a box under our control,” Ortloff said in a March 28 post on Kaspersky’s SecureList blog. “We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad guys.”
Kaspersky, Microsoft, SurfNET and Kyrus Tech used similar techniques in September 2011 in an effort code-named Operation b79 to take down the original Kelihos botnet, also known as Hlux, by grabbing control of its command-and-control infrastructure. At the time, Kelihos was seen as a smaller botnet, infecting about 41,000 computers. However, it also was effective, generating upwards of 4 billion spam messages per day. These included stock scams, adult content, illegal pharmaceuticals and malware, according to Microsoft.
Researchers believe the original Kelihos was built by the same people responsible for the Waledac bot, which Microsoft shut down in March 2011. After disabling the original Kelihos botnet, Microsoft went after the suspected creators, suing them in court and publishing their names.
The new version of Kelihos was detected in January, and Kaspersky researchers found it had “significant changes in the communication protocol and new ‘features’ like flash-drive infection [and] bitcoin-mining wallet theft,” Kaspersky’s Ortloff wrote.
It also was much larger; after six days of operation, it already had infected as many as 116 computers, the security software firm said.
However, not all in the security field are convinced the threat from the new Kelihos version is over. According to cyber-threat management firm Seculert, the botnet, which officials there dubbed Kelihos.B, has found a new way to propagate itself: through Facebook. In a March 29 blog post, Seculert officials said Kelihos.B was leveraging a well-known social worm malware that researchers first warned the industry about in April 2011.
The social worm malware would send out a message to all the victim’s friends directing them to a URL that included a photo album link. The link would actually download a malicious file, which at the time was fake antivirus software. The malware also created a dummy blog at Blogger.com, which then redirected more traffic to it, according to Seculert.
“Kelihos.B is currently using the same photo album worm to spread their own malware via Facebook,” the company said in its blog. “This may bring back questions about the identity and the origin of the Kelihos botnet and recent trends of collaboration between cyber-criminal groups.”
Seculert officials said they’d been able to identify more than 70,000 Facebook users that are infected with the Facebook worm, with the bulk of those users being in Poland and the United States. They noted Kaspersky’s sinkhole operation and the shutting down of the Kelihos.B botnet, though they added they were skeptical that Kaspersky and its partners were able to shut it down completely.
“Unfortunately, at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm,” the officials wrote. “Also, there is still communication activity of this malware with the command-and-control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines and actively sending spam.”
Some may consider this a new variant, or Kelihos.C, but “as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer this botnet as Kelihos.B,” they said.
Kaspersky’s Ortloff said that a few hours after the security researchers started their latest sinkhole takedown operation, the Kelihos “herders tried to take countermeasures by rolling out a new version of their bot. We also noticed that the bot-herders stopped their network from sending out spam and DDoS-[distributed denial of service] attacks. Also the botnets’ fast-flux-network list remains empty since a few hours.”
However, after six days of the operation, Kaspersky researchers now have more than 116,000 infected machines connected to their sinkhole.