Kelihos variants slipped Microsoft's noose

Although Microsoft struck a massive blow at the Kelihos/Hlux botnet last year, Microsoft's ally in the strike, Kaspersky Labs, has now found new variants of the Kelihos bots, calling into question whether the operation was effective.

(Red Robot 3 image by Splenetic, Royalty Free)

The Kelihos/Hlux botnet was previously dealt a blow through a method called sinkholing. During normal operation, botnets communicate with one or more command-and-control centres. The compromised computers need to know where the command-and-control centres are, so the botnet's operators set up domains and modify their DNS entries to point to the IP address of the command-and-control centre's servers.

Sinkholing comes into effect when researchers contact the domain registrars, prove that the domains are being used for malicious purposes and take control of their DNS entries, substituting their own server IP addresses. This fools infected computers into communicating with the researchers' server instead. At this point, no further instructions are sent out to compromised clients, as attempts to self-cleanse the botnets have numerous ethical and legal considerations. Although being cut off from the command-and-control servers effectively neutralises infected computers from being able to conduct illegal activities, the PCs are still left open to future exploitation by criminals.

The method was seen as a better alternative than attempting to gain control of the command-and-control servers. The latter strategy required a highly coordinated surprise attack, since operators could always modify the DNS entries of their domains and point to new servers if they ever realised or suspected that their physical infrastructure was being compromised.

However, Kaspersky has said that sinkholing may not be very effective if the botnet's operators are not apprehended. It found that shortly after the announcement made by Microsoft and itself last year, new versions of the bot's code had begun to surface, either written by the existing yet-to-be-caught operators, or by a new player that had obtained the botnet source code.

The presence of two different keys used to encrypt communications in the new version of the botnet code indicates that there may be two different groups controlling the botnet, the company wrote in a blog post.

The company said that sinkholing might still be used to neutralise botnets, but it would require slightly different techniques, including pushing tools on to infected machines to remove infection, and forcing operators to re-infect if they want to build another botnet. Ultimately, though, the company said that the most effective way to disable botnets is to find the operators.

Microsoft has recently accused former antivirus employee Andrey Sabenikov of being involved in the botnet; however, he has said that he is innocent.