Security researchers from Kaspersky Lab, Dell SecureWorks and other places generated a lot of headlines this week with their announcement that they had taken down a new version of the Kelihos peer-to-peer botnet.
In a March 28 post on Kasperskys SecureList blog, Stefan Ortloff, a security expert with the company, said that the sinkhole operationdesigned to draws infected computers away from the botnets command-and-control (C&C) server and out of reach of the botnets operatorswas successful in disabling the newest version of Kelihos, which was first discovered in January.
“After a short time, our sinkhole-machine increased its ‘popularity’ in the networkwhich means that a big part of the botnet only talks to a box under our control,” Ortloff wrote. “We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad guys.”
However, officials with other security software companies are doubtful that the operation was completely successful. It may have disrupted what the botnet operators were doing, but they said they already are seeing a third version of the Kelihos taking new avenues of distribution, including through Facebook.
Sinkholes and similar operations may slow down the Kelihos creators for a while, but until the people behind the botnets are taken out of the picture, more versions will show up, according to Gunter Ollmann, vice president of research for security software vendor Damballa.
Some Compare Botnet Takedowns to a Game of Whack-a-Mole
Like Ive said before, if youre going to take down a botnet, you have to take out the criminals at the top, Ollmann wrote in a March 29 blog. Its the only way. Taking out the infrastructure they depend upon for distributing new infectious material and C&C is a disruption techniquea delaying tactic, if you will, and maybe an evidence-building process if youre lucky. In the case of P2P-based botnets, theres very little infrastructure you can get your hands onand youll probably end up having to issue commands to botnet victim deviceswhich is fraught with legal and ethical problems.
The problem, he said, is that such operations like sinkholes essentially become a game of whack-a-molesecurity companies may stop or slow one botnet, but another version will quickly pop up somewhere else. And there are tools that the cyber-criminals operating peer-to-peer P2P botnets can use to avoid efforts like sinkholes. With all that, its difficult to agree that the Kelihos botnet has been taken downtwice.
It would be more precise to say that certain Kelihos campaigns have been disrupted, Ollmann wrote. The criminals (and their core infrastructure) havent been significantly affected. In fact, the speed at which the Kelihos criminal gang was able to release an updated variant (Kelihos.C) reflects the futility of much of the current takedown effort.
A day after Kasperskys Ortloff wrote about the sinkhole operation against Kelihos, officials at cyber-threat management firm Seculert said in a blog post that they were seeing the Kelihos botnet continuing to spread through Facebook. They had discovered the social strain of the botnet a few weeks earlier, and that as of this week, it had infected more than 70,000 Facebook users, mostly in Poland and the United States.
The new Kelihos variantwhich the Seculert official were still referring to as Kelihos.Bis leveraging a known social worm malware first noted in April 2011. The social worm malware sends out a message to all the victim’s friends, directing them to a URL that includes a photo album link. The link actually downloads a malicious file, which at the time was fake antivirus software. The malware also creates a dummy blog at Blogger.com, which then redirects more traffic to it, according to Seculert.
Unfortunately, at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm, the Seculert officials wrote. Also, there is still communication activity of this malware with the command-and-control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam.
They doubted that this is a new variant, or a Kelihos.C. As the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer this botnet as Kelihos.B, they wrote.