Cybersecurity researchers revealed on Wednesday that they have wrested control of the Kelihos.B botnet by turning the botnet’s own peer-to-peer mechanism against it.
In a briefing by Kaspersky Lab’s Marco Preuss and CrowdStrike Inc.’s Tillmann Werner, the researchers said that the Kelihos.B botnet is now under Kaspersky’s control after a “sinkholing” operation carried out by a team made up of Kaspersky Lab, the CrowdStrike Intelligence Team, the Honeynet Project and Dell Secureworks.
The team reverse engineered the code that forms the backbone of the Kelihos.B botnet and then propagated special code through the botnet’s own peer-to-peer distribution mechanism to hijack it.
Botnets like Kelihos and Kelihos.B are more resilient to takedown attempts because of their layered structure: infected computers serve as worker nodes and router nodes that communicate with one another peer-to-peer and, through the router nodes, with the C&C servers run by the botmasters. There is no single server whose removal breaks the network.
By propagating their rigged code through that peer-to-peer network, the researchers from Kaspersky and its partners redirected the bots so that they now communicate only with the researchers’ own servers.
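As an added illustration (this is not code from the article, the researchers or the botnet), the following Python model shows the two points made above: why a peer-to-peer overlay shrugs off the loss of individual nodes, and how a rigged peer list, once a few bots accept it, spreads through the bots’ own routine peer exchanges until every bot knows nothing but the sinkhole. Everything in it is assumed rather than taken from Kelihos.B: the host names, the peer list size of eight, the newest-first merge rule, the sinkhole operator pushing its list to two crawled bots per round, and the round counts. It does not reproduce the Kelihos.B protocol.

```python
"""Toy model of sinkholing a peer-to-peer botnet by poisoning peer lists.
Added illustration, not Kelihos code; all names and parameters are assumed."""
import random
from collections import deque

PEER_LIST_SIZE = 8                                     # assumption: bots keep 8 peers
REAL_CNC = "cnc.example"                               # assumed botmaster controller
SINKHOLES = [f"sinkhole{i}.example" for i in range(PEER_LIST_SIZE)]  # assumed sinkhole IPs
SINKHOLE_SET = set(SINKHOLES)


class Bot:
    """One infected host: the peers it knows and the controller it reports to."""

    def __init__(self, name, peers):
        self.name = name
        self.peers = list(peers)
        self.cnc = REAL_CNC

    def advertise(self):
        """Answer a peer-list request with what this bot currently believes."""
        return list(self.peers), self.cnc

    def merge(self, peers, cnc):
        """Trusting update: new addresses go to the front, the list is capped,
        and the controller named in the reply is adopted. A reply carrying
        PEER_LIST_SIZE fresh addresses evicts every old peer, which is the
        property the poisoned reply exploits."""
        merged = []
        for p in peers + self.peers:
            if p != self.name and p not in merged:
                merged.append(p)
        self.peers = merged[:PEER_LIST_SIZE]
        self.cnc = cnc

    def captured(self):
        """True once the bot can reach nothing but sinkhole addresses."""
        return self.cnc in SINKHOLE_SET and all(p in SINKHOLE_SET for p in self.peers)


def sinkhole_reply():
    """The rigged reply: a full list of sinkhole addresses, sinkhole as controller."""
    return list(SINKHOLES), SINKHOLES[0]


def build_botnet(n_bots, rng):
    """Random P2P overlay: every bot starts out knowing PEER_LIST_SIZE other bots."""
    names = [f"bot{i}" for i in range(n_bots)]
    return {n: Bot(n, rng.sample([m for m in names if m != n], PEER_LIST_SIZE))
            for n in names}


def reachable_from(bots, start, offline):
    """Bots reachable over peer links from `start` once the `offline` bots are gone."""
    seen, queue = {start}, deque([start])
    while queue:
        for p in bots[queue.popleft()].peers:
            if p in bots and p not in offline and p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def exchange(bot, target, bots):
    """One ordinary peer-list exchange: ask `target`, then trust its answer."""
    peers, cnc = sinkhole_reply() if target in SINKHOLE_SET else bots[target].advertise()
    bot.merge([target] + peers, cnc)


def sinkhole_takeover(n_bots=200, pushes_per_round=2, max_rounds=2000, seed=1):
    """Measure the overlay's resilience, then run the takeover until every
    bot talks only to the sinkhole (or max_rounds is reached)."""
    rng = random.Random(seed)
    bots = build_botnet(n_bots, rng)

    # Resilience: take 30% of the bots offline; the survivors still reach each
    # other over peer links, so removing nodes (or the real C&C) does not break it.
    offline = set(rng.sample(sorted(bots), n_bots * 3 // 10))
    survivor = next(n for n in sorted(bots) if n not in offline)
    connected = len(reachable_from(bots, survivor, offline)) / (n_bots - len(offline))

    for rnd in range(1, max_rounds + 1):
        # Assumption: the sinkhole operator, having crawled the network, pushes
        # its list to a couple of bots per round (the "special code" step) ...
        for name in rng.sample(sorted(bots), pushes_per_round):
            bots[name].merge(*sinkhole_reply())
        # ... and every bot does its routine exchange with one random peer, so
        # captured bots pass the poisoned list on to anyone who asks them.
        for bot in bots.values():
            exchange(bot, rng.choice(bot.peers), bots)
        captured = sum(b.captured() for b in bots.values())
        if captured == n_bots:
            break
    return {"rounds": rnd,
            "captured_fraction": captured / n_bots,
            "still_on_real_cnc": sum(b.cnc == REAL_CNC for b in bots.values()),
            "survivors_connected": connected}


if __name__ == "__main__":
    print(sinkhole_takeover())
```

Running the file prints one dictionary. `survivors_connected` stays close to 1.0 even with 30% of the bots gone, which is the resilience the article describes; `captured_fraction` reaches 1.0 and `still_on_real_cnc` drops to 0 in far fewer rounds than the sinkhole could manage by pushing to two bots per round on its own, because once a bot holds only sinkhole addresses it hands that list to every peer that asks it, and it can never learn a real peer again.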
According to the team, the Kelihos.B owners have already abandoned their botnet’s C&C servers.
The Kelihos.B botnet is a new version of the Kelihos botnet (which Kaspersky calls Hlux), which was taken down by Microsoft and Kaspersky last year.
The group behind Kelihos has been around since 2007. It is believed to have also created the Storm and Waledac botnets, and is likely behind Kelihos.B as well.
While the two botnets share similarities in their code, Kelihos.B is significantly larger than the original Kelihos botnet, which had about 40,000 infected machines.
By “sinkholing” Kelihos.B, the team has cut more than 110,000 infected computers off from the group that created and ran the botnet.
According to the team, the top 10 countries by Kelihos.B infections are Poland (24.5%), the U.S. (10.8%), Turkey (5.0%), Spain (3.7%), India (3.4%), Argentina (3.1%), Mexico (3.1%), Romania (2.9%), Bulgaria (2.6%) and Ukraine (2.5%).
In a breakdown of the Microsoft Windows versions on the infected machines, Windows XP accounted for the most infections, with 91,950 machines in the botnet running it.
There were also 9,428 Windows 7 machines, 5,335 Windows 7 SP1 machines, 1,307 Windows Vista SP2 machines, 1,100 Windows Vista SP1 machines, 671 Windows Vista machines and 253 Windows Server 2003 machines in the botnet.
The Kelihos.B botnet was used mainly for spam campaigns and DDoS attacks, the researchers said.
It could also steal the contents of Bitcoin wallets, Bitcoin being a digital currency.
The researchers also said the owners of Kelihos.B may have rented out parts of the botnet to other buyers.
Nonetheless, the researchers from Kaspersky, CrowdStrike, the Honeynet Project and Dell Secureworks can only do so much to stop the botnet.
The only way to stop it for good is to clean the malware off the infected machines.
For now, the Kelihos.B botnet is under the researchers’ control but still operational. It is simply no longer communicating with its original owners: the researchers have kept the infected machines inside their sinkhole, where the machines talk only to the researchers’ servers and receive no further instructions from the original C&C servers.
“We will keep the sinkhole up as long as possible,” Tillmann Werner, CrowdStrike senior research scientist said. “Hopefully we will see the number of infected machines decrease over time.”
This puts the team in a predicament similar to the one Kaspersky faced after it “sinkholed” the first Kelihos botnet.
Kaspersky said then that, in theory, because the machines are in its sinkhole and it knows how the botnet updates itself, it could push an update that terminates the malware on each infected machine and kills the botnet one machine at a time.
The same approach could be taken with Kelihos.B, but the legality of pushing an update to machines the researchers do not own is a grey area.
Currently, the team that “sinkholed” Kelihos.B is working with ISPs to notify the users of machines whose IP addresses are confirmed to be in the botnet, in the hope that those machines get cleaned of the infection.