Kelihos II Crippled by Kaspersky and Co

The second Kelihos botnet has been wrested from the arms of cyber criminals, releasing over 110,000 computers from the malicious network operator’s grasp.

The botnet, which used similar code to the first, smaller Kelihos network that was taken out last year, was “sinkholed” in a collaborative effort involving Kaspersky, Dell Secureworks, members of the Honeynet Project and start-up firm CrowdStrike Intelligence Team.

In the sinkholing operation, the security vendors communicated directly with infected machines and redirected them to send their data to servers under the researchers' control, rather than to the six command and control servers the Kelihos owners ran in three different locations. Because Kelihos 2 ran on a peer-to-peer network, the security companies could spread the sinkhole instructions from infected machine to infected machine and take the botnet down that way, rather than going after the C&C servers themselves.

Abandon ship

The C&C infrastructure has been abandoned by the owners, Kaspersky confirmed today during a press conference. Earlier this month, GFI Software warned Kelihos was still causing carnage and continuing to gain momentum in the wild, yet for now it appears to be down again.

Kelihos 2’s main purpose was to carry out spam campaigns and initiate DDoS attacks. The largest share of infected machines (24.5 percent) was in Poland, while 10.8 percent of infections were in the US.

For now, Kaspersky and its collaborators can do little with the infected machines. The company is handing over IP address details to ISPs so they can take action. Data is also being shared with law enforcement, but Kaspersky said it would like to see changes in legislation so it can do more to completely take out botnets.

“We will keep the sinkhole up as long as possible,” said CrowdStrike researcher Tillmann Werner. “Hopefully we will see the number of infected machines decrease over time.”

The Kelihos 2 creators effectively bought victims from other botnet owners, who, for a fee, let the malware be dropped on to machines already running on their own malicious networks. Werner told TechWeekEurope it was therefore “possible” the information from the Kelihos 2 sinkholing operation could be used to track other botnet activity.

“It’s very likely the infected machines are infected with something else, but usually you don’t have access to that kind of information,” he added.

The Kelihos 2 gang has been operating since 2007, continuing to create new botnets when one is taken out of action. It is believed they were responsible for the infamous Storm and Waledac botnets. Werner said it was expected the gang would come back with a new malicious network at some point.

The first Kelihos botnet, which controlled around 40,000 machines, was taken down last year. In January, Microsoft said it suspected an ex-antivirus worker from Russia was behind the operation, but later that month the accused, Andrey Sabelnikov, proclaimed his innocence in a blog post.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
