For the second time in six months, researchers from the Russian antivirus company Kaspersky Lab carried out an operation to take down the newest iteration of the Kelihos botnet, also known as “Hlux.”

Microsoft and Kaspersky worked together in September 2011 on the first Kelihos takedown. The bot then resurfaced in January, only to be shut down again this month by a combination of private firms including Kaspersky, Dell SecureWorks and CrowdStrike Inc.

Kelihos is used to send spam, carry out DDoS attacks, and steal online currency such as bitcoin wallets. It operates as a so-called “peer-to-peer” bot network, which is more difficult to take down than one with centralized command and control (C&C) servers, according to Tillmann Werner, a senior researcher at CrowdStrike. Peer-to-peer botnets are distributed and self-organizing, and may have multiple command and control servers that disguise themselves as peers. In Kelihos’s case, there were three C&C servers, each with two unique IP addresses, he said.

Kaspersky Lab said it will “sinkhole” the botnet – taking control of the botnet’s command and control servers and preventing them from distributing any more malicious content. While the private firm does not have the legal authority to sanitize infected machines, Kaspersky will contact the Internet service providers (ISPs) whose customers are infected, in the hope that they take action.

Despite their success, the re-emergence of Kelihos just months after being “taken down” in a similar, coordinated effort underscores the difficulty of wrangling global networks of infected computers. Werner and Kaspersky Lab colleague Marco Preuss warned on Wednesday that Kelihos will emerge again.

Preuss and Werner believe that the bot was able to resurface so quickly because it was built through a pay-per-install (PPI) service, meaning the operators bought (or rented) infected machines to build their botnet. This theory is supported, the researchers claim, by two observations: the majority of infected machines making up the botnet are located in Poland, and most of them are running Windows XP. This is relevant, Werner and Preuss believe, because most PPI services charge less for machines in Poland and for machines running XP.

Researchers believe that this is the fifth version of the Kelihos malware, and Preuss and Werner said that those responsible for Kelihos may also be responsible for the Storm and Waledac malware families.

They said the gang made no attempts to prevent or lessen the effectiveness of either Kelihos takedown, suggesting that such actions aren’t deemed serious threats by those running the botnet.

“It is one of the challenges we face in the IT security industry,” Preuss said in an email interview with Threatpost. “We can neutralize botnet attacks through techniques like ‘sinkhole-ing’, which delays cyber criminal activities, but ultimately the only way to take botnets down is to arrest and persecute the creators and groups operating them,” he wrote.

You can read Securelist’s write-up on the takedown here and CrowdStrike’s here.