A group of security vendors has claimed the scalp of the second incarnation of the Kelihos botnet, believed to be almost three times the size of its spam-sending predecessor.
A team of researchers from four security vendors has taken control of the resurrected Kelihos botnet, by luring infected bots into a sinkhole address. Image credit: Kaspersky Labs
The peer-to-peer Kelihos botnet, also known as Hlux, was sucked into a 'sinkhole' by a small group of security experts from Kaspersky Lab, Dell SecureWorks, CrowdStrike Intelligence Team and the Honeynet Project.
"We pretended to be one of the peers in the peer-to-peer network," Tillmann Werner, a senior malware researcher at Kaspersky, said in press webcast on Wednesday. "We crafted a special peer list with all of the entries pointing to our sinkhole — our sinkhole is the only machine they [could] see, and they [were] trapped."
Botnets, or networks of compromised computers, can be organised in several ways. In a peer-to-peer botnet each infected machine keeps a list of other infected machines and swaps that list with them, so commands can reach a bot through any of its peers and the command-and-control server is reached through this mesh rather than directly by every bot. This is in contrast to a centralised botnet, where the machines are not connected to each other and communicate only with the command-and-control server; a centralised botnet can be cut off by taking that one server down, whereas a peer-to-peer botnet cannot.
The first Kelihos botnet was made up of about 40,000 systems, which sent out an estimated 3.8 billion spam emails each day. By contrast, the new version had infected 116,000 computers after six days, according to Kaspersky. Both networks carried out targeted distributed denial-of-service attacks, as well as distributing spam and stealing data, the company said. However, the second botnet added the ability to carry out Bitcoin mining and wallet theft.
Kaspersky believes this second incarnation of the Kelihos botnet is actually the fifth botnet built by a single gang. While it is new, it is built on the same code as the original Kelihos, which was taken down by Microsoft and other companies. Earlier botnets from the same gang included Storm and Waledac, according to Werner.
The researchers deliberately drew the infected bots away from the command-and-control server by propagating the sinkhole address across the peer-to-peer network. They claim to have put the botnet out of reach of its criminal controllers.
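The following Python simulation illustrates the peer-list poisoning that Werner describes: a fake peer hands out a list in which every entry points at the sinkhole, and bots that merge that list, and then relay it to the bots that contact them, end up with nothing but the sinkhole in view. It is an added example, not code from the researchers or from Kelihos. Everything specific in it is an assumption: the gossip rule (swap peer lists, keep the eight entries with the freshest "last seen" stamp), the fact that a bot trusts the stamps a peer sends it, the far-future stamp the sinkhole puts on its own entries so that they win every merge, and all addresses (10.0.x.x for bots, 198.51.100.x for the sinkhole). The article does not say how Kelihos ranked peers.

```python
"""Peer-list poisoning in a peer-to-peer botnet (constructed simulation).

Assumptions, none of them from the article: bots gossip by swapping peer
lists and keep the MAX_PEERS entries with the freshest "last seen" stamp;
bots trust the stamps a peer sends them; all addresses are hypothetical.
"""
import random

MAX_PEERS = 8                      # assumed cap on a bot's peer list
CRAFTED_LAST_SEEN = 2 ** 31 - 1    # far-future stamp the sinkhole advertises

# Hypothetical addresses, all answered by the researchers' sinkhole machine.
SINKHOLE_ADDRS = [f"198.51.100.{i}" for i in range(1, MAX_PEERS + 1)]


def merge(own, incoming):
    """Bot-side merge: union both lists, keep the MAX_PEERS freshest entries.
    The sort is stable and own entries are listed first, so on equal stamps a
    bot keeps peers it contacted itself over peers it was merely told about."""
    candidates = list(own.items()) + list(incoming.items())
    candidates.sort(key=lambda kv: kv[1], reverse=True)
    kept = {}
    for addr, seen in candidates:
        if addr not in kept:
            kept[addr] = seen
        if len(kept) == MAX_PEERS:
            break
    return kept


class Sinkhole:
    """The researchers' fake peer: every entry it hands out points back at the
    sinkhole, stamped so that the bot's merge ranks them above everything."""

    def peer_list(self):
        return {addr: CRAFTED_LAST_SEEN for addr in SINKHOLE_ADDRS}


class Bot:
    def __init__(self, addr, peers):
        self.addr = addr
        self.peers = dict(peers)           # address -> last_seen stamp

    def peer_list(self):
        return dict(self.peers)

    def poisoned(self):
        """True once the sinkhole is the only thing this bot can still see."""
        return set(self.peers) <= set(SINKHOLE_ADDRS)

    def exchange(self, addr, network, now):
        """Contact one peer, record that it answered, merge the list it returns."""
        self.peers[addr] = now
        incoming = network[addr].peer_list()
        incoming.pop(self.addr, None)      # never list ourselves
        self.peers = merge(self.peers, incoming)


def build_network(n_bots, rng):
    """Ring plus random chords: every list is full and every bot is reachable."""
    addrs = [f"10.0.{i // 256}.{i % 256}" for i in range(n_bots)]
    bots = []
    for i, addr in enumerate(addrs):
        peers = {addrs[(i - 1) % n_bots], addrs[(i + 1) % n_bots]}
        while len(peers) < MAX_PEERS:
            chord = addrs[rng.randrange(n_bots)]
            if chord != addr:
                peers.add(chord)
        bots.append(Bot(addr, {p: 0 for p in peers}))
    network = {b.addr: b for b in bots}
    network.update({a: Sinkhole() for a in SINKHOLE_ADDRS})
    return bots, network


def simulate(n_bots=30, seed_bots=(0, 15), rng_seed=1, max_ticks=100):
    """Hand the crafted list to a few bots directly (the researchers joining the
    network as a peer), then let the bots gossip. Returns the number of poisoned
    bots after each tick, starting with the count right after seeding."""
    rng = random.Random(rng_seed)
    bots, network = build_network(n_bots, rng)
    crafted = Sinkhole().peer_list()
    for i in seed_bots:
        bots[i].peers = merge(bots[i].peers, crafted)
    history = [sum(b.poisoned() for b in bots)]
    for now in range(1, max_ticks + 1):
        order = bots[:]
        rng.shuffle(order)                 # bots wake up in no particular order
        for bot in order:
            for addr in list(bot.peers):   # one gossip round over a snapshot
                bot.exchange(addr, network, now)
        history.append(sum(b.poisoned() for b in bots))
        if history[-1] == n_bots:
            break
    return history


if __name__ == "__main__":
    legit = {f"10.0.0.{i}": i for i in range(1, 9)}
    print("legit exchange keeps the bot's own fresher peers:",
          merge(legit, {f"10.0.1.{i}": 0 for i in range(1, 9)}) == legit)
    print("crafted exchange replaces the whole list:",
          set(merge(legit, Sinkhole().peer_list())) == set(SINKHOLE_ADDRS))
    print("poisoned bots per tick:", simulate())
```

Two things the simulation makes visible that the quotes alone do not. First, a poisoned bot is an absorbing state: once every entry in its list is the sinkhole, it only ever contacts the sinkhole, so it never learns a legitimate peer again and the controllers have no path back to it. Second, the count of poisoned bots is a count of machines that can no longer see their controllers, not of machines that have been cleaned; the infections remain, which is why the researchers still depend on ISPs to reach the owners.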
"The infected machines are not a risk anymore — we can't think of any way [the original owners] can regain control," Werner told ZDNet UK. "We haven't seen any counteractions by the gang at all. It seems as soon as they [saw] someone tampering with botnet, they [gave] it up."
The team set up the sinkhole in the Netherlands last Wednesday. Within six days they controlled most of the botnet, according to a Kaspersky blog post.
The machines are still infected, and the researchers are relying on ISPs to inform affected users. The country with the most Kelihos-compromised machines is Poland, which accounted for 24.5 percent of the botnet. The US made up 10.8 percent, with Turkey, Spain, and other countries in descending order, according to a Kaspersky presentation.
According to Marco Preuss, a virus analyst at Kaspersky, "just a few people" from the different organisations worked closely together on the takedown.
"Kaspersky, Dell, Crowdstrike and [the Honeynet Project] exchanged our expertise of this botnet," Preuss told ZDNet UK. "We joined forces to poison the botnet — everyone dedicated resources to speed up the poisoning process."