Botnets: Taken down or merely disrupted?

Earlier this month, Microsoft commented that it had seen some “evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet” – but that it has “no evidence that the botnet that was taken down in September has returned to the control of cybercriminals or is spamming again at this time.”

Websense Security Labs is one of the organizations that has found a new and apparently active variant of Kelihos. This is discussed in some technical detail in the blog posting “Long Life to Kelihos.” The whole episode indicates the resilience and persistence of botnets. While Microsoft talks in terms of ‘taking down’ botnets, other researchers tend to use the phrase ‘disrupting botnets.’ What isn’t certain is whether the new Kelihos is a completely new botnet, or a variant of the old Kelihos system using the same network of compromised PCs. Microsoft says ‘probably no, it isn’t the old Kelihos,’ but Websense says ‘probably yes, it is.’ That is, according to Websense, the old Kelihos was merely disrupted.

Carl Leonard, security research manager at Websense, explained the problem to Infosecurity. “Microsoft took credit for disrupting the original rogue network created by Kelihos,” he said, “simply by commandeering the infected computers and obtaining a court order seizing the internet addresses used to help control them. However, their takedown process never actually removed the underlying malware from infected machines, meaning that it would be possible for the attackers to one day regain control of them.”

Legal issues across multiple jurisdictions make it effectively impossible to remotely cleanse infected computers, even when you know where they are. Although you can contact the users, it is up to the users to fix their computers. “Inevitably,” said Leonard, “many didn’t bother.”

“Over time,” continued Leonard, “hackers used the botnet’s complex back-channel network of proxy servers to regain control of these compromised machines. These were then infected with a new variant of Kelihos which uses modified encryption schemes and algorithms to mask communication. Many different keys are being used, suggesting that more than one gang is controlling the botnet.”

The whole episode highlights the difficulty in permanently removing botnets from the internet. “A takedown operation of this scale,” said Leonard, “requires not just beheading the botnet, but ensuring that the infected computers or devices are wiped clean of any infection so that the malware cannot be resurrected in the future.”

What’s Hot on Infosecurity Magazine?