Kelihos.B, son of Kelihos (and father of Kelihos.C) taken down

Last year Microsoft and Kaspersky took down the original Kelihos. Since then a new variant, Kelihos.B, has appeared – and this time Kaspersky partnered with the newly founded security firm CrowdStrike, Dell SecureWorks and the HoneyNet Project to take it down.

The process was similar. Kelihos.B, like the original, is a peer-to-peer botnet. In a peer-to-peer botnet the infected computers themselves form an extra layer in which each bot can act as a command relay for the others – so taking down one, or even two or three, does not seriously affect its operation. In this instance a further layer of distributed C&C servers, registered in countries such as Sweden, Russia and Ukraine, is in turn controlled by the botmaster. The result is a resilient botnet that very effectively hides the botmaster.

But, writes Tillmann Werner on the CrowdStrike blog, “peer-to-peer botnets are fairly complex distributed systems - and complex systems are usually hard to secure. We identified some flaws in the architecture that allow us to inject specially crafted messages into the botnet.” A worldwide network of machines ‘within’ the botnet but controlled by the good guys was set up; and on “March 21, we finally began the synchronized propagation of our sinkhole IP-address to the peer-to-peer network,” writes Kaspersky. 

The effect was remarkably rapid. The Kelihos.B gang abandoned its command and control infrastructure within two days of the operation commencing: Kelihos.B has been sunk and is under the control of the good guys. As Microsoft did with the Zeus botnets, Kaspersky, CrowdStrike and their partners are now working with ISPs to notify infected users and help them get clean.

What do we learn from this? Firstly, the sheer volume of infected users is surprising: after just six days, 116,000 bots were connecting to the sinkhole. Kelihos.B has only been operating since the latter part of last year, effectively starting after the demise of the original Kelihos and using what is largely the same code. It demonstrates that unless the gangs behind the botnets are themselves taken down, the botnets will reappear elsewhere, and quite quickly: so quickly that there are already reports of Kelihos.C, recompiled, relaunched and spreading via Facebook.

The reason is simple: sinkholing takes the botnet away from the gang, but not the bot code. “Unfortunately, tweaking and recompiling is trivial if you have the source code, which obviously the Kelihos gang do,” comments David Harley, a senior research fellow with ESET. “There’s a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.”

One other development was noted in the Kelihos.B takedown: it contained multiple different versions of the bot code. “One possible explanation,” writes CrowdStrike’s Werner, “is that the operators partitioned their resources and rented them out to different affiliates for spam campaigns and the like, but had the bots share the network infrastructure as it becomes less likely for a bot to get disconnected from the peer-to-peer network the bigger its size is.”