Security experts have discovered and dismantled an incarnation of the Kelihos botnet, one that was more powerful than its predecessor.
According to a blog post from security start-up CrowdStrike, which worked in tandem with researchers from other security organisations to disable the botnet, the operators of Kelihos.B made some changes to the communication protocol when compared to the first version.
For example, the malware controlled by the botnet featured a flash-drive infection technique and Bitcoin-mining theft functionality, the latter of which enabled irreversible electronic cash payments.
Kelihos.B was also difficult to disable because, like its predecessor, it used a decentralised, peer-to-peer infrastructure, featuring "a distributed layer of command-and-control servers" located in Sweden, Russia and Ukraine that were controlled by its masters.
“We are currently seeing over 110,000 [compromised computers] with this particular botnet,” Marco Preuss, head of global research and analysis for Kaspersky Lab in Germany, said during a webinar Tuesday announcing the disruption. “This is more than 2 1/2 times bigger than the first one.”
Most of the botted computers are located in Poland, where almost one quarter of the infections have been found, Preuss said. The United States is the second most-infected country.
Tillmann Werner, senior research scientist at CrowdStrike, said Kelihos, also known as Hlux, was likely spread via a pay-per-install model, by which hackers who already have control of infected computers sell that access to criminal gangs looking to install their malware.
A majority of the systems infected (91,950) run Windows XP, which was released in 2001 and pre-dates the XP, Vista and 7 platforms, according to the CrowdStrike blog post.
“It's an unusually high degree of Windows XP machines,” Werner said during the webinar. “We can only speculate, but they were probably used because they were cheaper to get.”
A week ago, Kaspersky Lab, in conjunction with CrowdStrike, Dell SecureWorks, and research organisation The Honeynet Project, created a "sinkhole" that tapped into the peer-to-peer network of the malware. Preuss said that within the first 24 hours, most of the newly compromised computers, which likely were looking for instructions, connected to the sinkhole under their control.
Although Microsoft took down the original Kelihos botnet in September and subsequently filed a lawsuit against Russian citizen Andrey Sabelnikov, who it believed was the botnet's ringleader, Kelihos.B likely involves many of the same people as the original, Werner and Preuss said.
In addition, they said, this ring is responsible for creating a malware family that includes other prolific botnets, including Waledac and Storm Worm.
“To us, it's 100 percent clear that it's the same gang,” Werner said. “They at least have access to the source code. This second version has some minor adjustments.”
Preuss agreed, adding that after a six-month gap from the first sinkhole created for Kelihos to the second for Kelihos.B, it's likely the attacks came from the same source.
A new attack is expected and may be launched soon.
“We do expect one,” Werner said. “A sinkhole alone does not make a botnet go away.”
And a short time after the webinar ended, Kelihos.C emerged, according to a post Wednesday by security blogger Brian Krebs.