Kaspersky Lab, Kyrus Tech and Microsoft Disable the Hlux/Kelihos Botnet
September 2011 by Kaspersky Lab
In their ongoing assault against botnet operators and the hosting companies that allow anonymous domain registrations which facilitate them, Kaspersky Lab, Microsoft and Kyrus Tech have successfully worked together to take out the Kelihos botnet, originally named Hlux by Kaspersky Lab.
Kelihos was used for delivering billions of spam messages, stealing personal data, performing DDoS attacks and many other criminal activities, via an estimated 40,000 computers. Microsoft has also taken legal action against 24 individuals in connection with the infrastructure behind the botnet, in a civil case that enabled the takedown of the domains being used to command and control the botnet. Microsoft’s legal action included declarations submitted to court, to which contributions were made by Kaspersky Lab, and also a direct declaration from Kyrus Tech, providing detailed information and evidence regarding the Kelihos botnet.
Kaspersky Lab has played a pivotal role in taking down the botnet, tracking it since the beginning of 2011, when it started collaborating with Microsoft in tackling Kelihos, including sharing its live botnet tracking system with the US company. Kaspersky Lab has also ensured that the botnet cannot be controlled anymore, and continues to make sure that this is the case. Its specialists reversed-engineered the code used in the bot, cracked the communication protocol, discovered the weaknesses in the peer-to-peer infrastructure, and developed the corresponding tools to counteract it. Since the offending domains used in the botnet have gone offline via court orders Microsoft had secured, Kaspersky Lab has been “sinkholing” the botnet by getting inside its complex internal communications to bring it under control.
Speaking of the continuing role Kaspersky Lab is playing in controlling Kelihos, Tillmann Werner, senior malware analyst of Kaspersky Lab Germany, said: “Since Kaspersky Lab’s sinkholing operation began on 26 September, the botnet has been inoperable. And since the bots are communicating with Kaspersky Lab’s machine now, data mining can be conducted to track infections per country, for example. So far, Kaspersky Lab has counted 61,463 infected IP addresses, and is working with the respective ISPs to inform the network owners about the infections.”
Kelihos is a peer-to-peer botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network’s dynamic structure. Routers are infected machines with public IP addresses. They run the bot by sending out spam, collecting email addresses, sniffing out user credentials from the network stream, etc.
Microsoft has announced that its Malware Protection Center has added detection for the Kelihos malware to its Malicious Software Removal Tool. Since this tool is well-distributed, the number of infections that have already been cleaned up is significant.