Monster Kelihos botnet slain

Powered by SC Magazine
 

Security organisations have teamed up and killed an embodiment of the Kelihos botnet.

Security experts have discovered and dismantled an incarnation of the Kelihos botnet, one that was more powerful than its predecessor.

According to a blog post from security start-up CrowdStrike, which worked in tandem with researchers from other security organisations to disable the botnet, the operators of Kelihos.B made some changes to the communication protocol when compared to the first version.

For example, the malware controlled by the botnet featured a flash-drive infection technique and Bitcoin-mining theft functionality, the latter of which enabled irreversible electronic cash payments.

Kelihos.B also was difficult to disable because, like its predecessor, it used a decentralised, peer-to-peer infrastructure, featuring "a distributed layer of command-and-control servers" located in Sweden, Russia and Ukraine that are controlled by its masters.

“We are currently seeing over 110,000 [compromised computers] with this particular botnet,” Marco Preuss, head of global research and analysis for Kaspersky Lab in Germany, said during a webinar Tuesday announcing the disruption. “This is more than 2 1/2 times bigger than the first one.”

Most of the botted computers are located in Poland, where almost one quarter of the infections have been found, Preuss said. The United States is the second most-infected country.

Tillmann Werner, senior research scientist at CrowdStrike, said Kelihos, also known as Hlux, was likely spread via a pay-per-install model, by which hackers who already have control of infected computers sell that access to criminal gangs looking to install their malware.

A majority of the systems infected (91,950) run Windows XP, which was released in 2001 and pre-dates the XP, Vista and 7 platforms, according to the CrowdStrike blog post.

“It's an unusually high degree of Windows XP machines,” Werner said during the webinar. “We can only speculate, but they were probably used because they were cheaper to get.”

A week ago, Kaspersky Lab, in conjunction with CrowdStrike, Dell SecureWorks, and research organisation The Honeynet Project, created a "sinkhole" that tapped into the peer-to-peer network of the malware. Preuss said that within the first 24 hours, most of the newly compromised computers, which likely were looking for instructions, connected to the sinkhole under their control.

Although Microsoft took down the original Kelihos botnet in September and subsequently filed a lawsuit against Russian citizen Andrey Sabelnikov, who it believed was the botnet's ringleader, Kelihos.B likely involves many of the same people as the original, Werner and Preuss said.

In addition, they said, this ring is responsible for creating a malware family that includes other prolific botnets, including Waledac and Storm Worm.

“To us, it's 100 percent clear that it's the same gang,” Werner said. “They at least have access to the source code. This second version has some minor adjustments.”

Preuss agreed, adding that after a six-month gap from the first sinkhole created for Kelihos to the second for Kelihos.B, it's likely the attacks came from the same source.

A new attack is expected and may be launched soon.

“We do expect one,” Werner said. “A sinkhole alone does not make a botnet go away.”

And a short time after the webinar ended, Kelihos.C emerged, according to a post Wednesday by security blogger Brian Krebs.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
