Botnet Takedown: Researcher Describes How Kelihos Fell

Dennis Fisher talks with Kaspersky Lab Researcher Tillmann Werner about the takedown of the Kelihos botnet, the network’s unique multi-tiered architecture, its custom protocol and the ethics and legality of pushing updates to disable bots on users’ machines.

*Podcast audio courtesy of sykboy65

Discussion

  • Cos on

    Thanks for a very insightful podcast! Great to hear all the tech details of how it happened.

  • Benjamin Wright on

    I salute what Microsoft and Kaspersky have done regarding the Kelihos botnet.  I have a legal question, which is not intended to be critical or hostile toward Microsoft or Kaspersky.  It is intended to facilitate learning and public discussion.  

    In this podcast Tillmann feels that pushing out an update to infected machines might be illegal because it would constitute tampering with the code on machines.  I respect his feeling.  

    However he says his team introduced a new peer into the botnet and persuaded the peers to view the new peer as very popular.  Tillmann understandably refrains from telling how the team promoted the new peer.  But does not the promotion of the new peer induce the code in infected machines to change without the knowledge and explicit authorization of the infected machine owners?  Would that not be tampering too?

    I honestly do not know the answer to my question.  I seek a good discussion among people who care about these topics.

    --Benjamin Wright

    Attorney

    Dallas, Texas

    SANS Institute Instructor, Law of Data Security and Investigations

    http://legal-beagle.typepad.com/security/2011/08/crime.html

  • Sniper on

    It depends on how you actually change code on someone's machine. If a user is subscribed to windows updates for instance, and Microsoft deploys an update that removes the virus then that is authorised modification of their computer which they subscribed to. They could even make a "license agreement" pop up so that the user can approve the install.

    If the user chose to explicitly unsubscribe from windows update, yet Microsoft forced an update to the machine, then it could break something and that would be illegal tampering.

    To answer your question with an analogy, if you turn on your water taps / faucets in your house you receive "modified" water. The government has modified your water supply by providing filtered, clean water with some added chemicals (fluorine). If you disapprove of this, you can easily filter your own muddy water and the government can't force you to use their clean water.

    So if your computer is infected with a muddy virus, someone else can't force you to clean it.

    Now the other side of the coin - If you are propagating a virus, you're effectively breaking the law without knowing it. You're allowing your computer to be an intermediary for computer fraud on others by letting a virus propagate. If your contract with your ISP says that "If you are propagating viruses we may automatically clean your machine or kick you off the network" then they have every right to do so.

    A third-party thrown into the mix will be a completely different story and a different side of the law, unless they are cleaning your machine on behalf of your ISP. E.g. If you have no contract with Kaspersky, and Kaspersky forces you to run code, then that is probably not legal in most places, unless they do it on behalf of a contract that you have agreed to with someone else.
