Kelihos Botnet Resurfaces

UPDATE–The Kelihos botnet, which researchers at Kaspersky Lab and Microsoft disrupted last fall by sinkholing the control channel, has sprung back to life and is using only slightly different versions of the original malware and controller list. The rejuvenation of the botnet illustrates the difficulty of permanently disabling these networks and the perseverance of the attackers who count on them for their livelihood.

In late September, researchers from Kaspersky and Microsoft worked together on a coordinated takedown of the Kelihos botnet, which involved a common technique known as sinkholing. This tactic involves researchers directing the bots on infected computers to contact a server that they control, rather than one controlled by the attackers. In the case of Kelihos, which is a peer-to-peer botnet, Kaspersky researchers pushed out a new peer address, which the existing infected PCs began connecting to in order to ask for new instructions. That enabled the researchers to control the botnet.

“Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing – bots communicate with a sinkhole instead of its real controllers. At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore,” Tillmann Werner, a Kaspersky Lab researcher who helped coordinate the takedown, wrote in a detailed analysis of the action.

At the time of the takedown, Werner said that the sinkholing of Kelihos was not a permanent answer because the peers in the network would eventually begin communicating with other controllers and the sinkhole peer would lose its dominant position. The real solution would have been to push an update to the infected machines that removed the infection or disabled the bot, but there are legal and ethical obstacles to that course of action.
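To make the mechanism concrete, here is a toy simulation of the race Werner describes (added for this article, not code from Kaspersky, Microsoft or the Kelihos authors): a sinkhole that hands bots a crafted job-server list dominates only while that list is the freshest one circulating, and loses its position once the controllers reach a peer with a newer one. The ring topology, the addresses and the list version counter are assumptions of the model.

```python
from dataclasses import dataclass

SINKHOLE = "sinkhole.example"                       # constructed: researchers' peer
CONTROLLER = "controller.example"                   # constructed: attackers' peer
ATTACKER_JOBS = ["job1.example", "job2.example"]    # constructed original job-server list
CRAFTED_JOBS = [SINKHOLE]                           # crafted list: only the sinkhole


@dataclass
class Bot:
    peers: list     # addresses this bot pulls job-server lists from
    jobs: list      # job servers it asks for commands
    version: int    # assumption of this toy model: a newer list replaces an older one


def ring(n, k=2):
    """n bots in a ring, each knowing its next k neighbours (constructed topology)."""
    return {f"bot{i}": Bot([f"bot{(i + j) % n}" for j in range(1, k + 1)],
                           list(ATTACKER_JOBS), 1) for i in range(n)}


def gossip_round(bots, external):
    """One synchronous round: every bot pulls from each of its peers and keeps the
    newest list seen. `external` maps non-bot addresses to the list they hand out."""
    advertised = {name: (b.jobs, b.version) for name, b in bots.items()}
    advertised.update(external)
    for b in bots.values():
        for peer in b.peers:
            jobs, version = advertised.get(peer, (None, -1))   # unknown peer: down
            if version > b.version:
                b.jobs, b.version = list(jobs), version
    return sum(b.jobs == CRAFTED_JOBS for b in bots.values()) / len(bots)


def simulate(n=12, sinkhole_rounds=7, controller_rounds=7):
    """Phase 1: researchers announce the sinkhole, with a fresher list, to one bot.
    Phase 2: the controllers reach one bot with a fresher list still and win it back.
    Returns the fraction of sinkholed bots after each round of both phases."""
    bots = ring(n)
    bots["bot0"].peers.insert(0, SINKHOLE)
    sinkholed = [gossip_round(bots, {SINKHOLE: (CRAFTED_JOBS, 2)})
                 for _ in range(sinkhole_rounds)]
    bots["bot5"].peers.insert(0, CONTROLLER)
    reclaimed = [gossip_round(bots, {SINKHOLE: (CRAFTED_JOBS, 2),
                                     CONTROLLER: (ATTACKER_JOBS, 3)})
                 for _ in range(controller_rounds)]
    return sinkholed, reclaimed


if __name__ == "__main__":
    phase1, phase2 = simulate()
    print("sinkholed fraction per round:", phase1)
    print("after the controllers push a newer list:", phase2)
```

With twelve bots in a ring the crafted list reaches every bot in seven rounds, and the controllers' newer list undoes that in another seven, which is the point of Werner's caveat: a sinkhole buys time, not a permanent fix.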

So what’s happened since that takedown in September is pretty much what Werner predicted. The Kelihos network has reformed and is back in action, in only slightly modified form. The encryption routine that the malware uses is a bit different from the old version, shuffling around the spots in which Blowfish and Triple-DES keys are used. The signing keys for certain components of the malware also changed.

“As you can see, two different RSA keys are used within a tree which makes us think that probably two different groups are in possession of each key and are currently controlling the botnet. As for the tree structure, all the fields and their meanings remained the same. The most significant change is that the hashing algorithm for the fields’ names is no longer used. Instead, each field now corresponds to a 1-2 character name,” Maria Garnaeva, a Kaspersky Lab analyst, wrote in a new analysis of the reformed Kelihos botnet.

The new version of Kelihos seems to have appeared within a couple of days of the botnet takedown in late September, and the attackers behind it are continuing to use it for spam runs. Last week, Microsoft added a Russian man named Andrey Sabelnikov to its civil complaint against the Kelihos botmasters.

Microsoft officials said in a statement that they’re not ready to say yet whether Kelihos has reformed or whether this is perhaps a new botnet altogether.

“Given that Kaspersky’s role in the Kelihos botnet takedown was the sinkholing of the botnet (as has been described by Kaspersky researchers previously), Microsoft is working with Kaspersky to investigate this question and will provide more information when it becomes available. It is worth noting that this report is similar to questions raised last year about whether the Waledac botnet was resurrected, when in fact the malware in question was actually part of the newly created Kelihos botnet. The Kelihos botnet was seemingly based on updated Waledac code, but was an entirely new botnet. We will not speculate that this is the case here until we have more information to share. Microsoft, as ever, remains committed to following our botnet cases wherever they lead us and to holding those responsible accountable for their actions,” Richard Boscovich, senior attorney, Microsoft Digital Crimes Unit, said.