
Kelihos II Crippled by Kaspersky and Co

The second Kelihos botnet has been wrested from the arms of cyber criminals, releasing over 110,000 computers from the malicious network operator’s grasp.

The botnet, which used similar code to the first, smaller Kelihos network that was taken out last year, was “sinkholed” in a collaborative effort involving Kaspersky, Dell SecureWorks, members of the Honeynet Project and the start-up firm CrowdStrike's Intelligence Team.

In the sinkholing operation the security vendors communicated with infected machines and had them send their data to the researchers' servers rather than to the six command and control servers that the Kelihos owners ran in three different locations. Kelihos 2 ran on a peer-to-peer network, so the security companies could join it as peers and talk to other infected machines to take the botnet down, rather than going after the C&C servers themselves.
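The mechanism the article describes, a sinkhole joining a peer-to-peer botnet and pushing its own addresses into the bots' peer lists until they can no longer find the real infrastructure, can be shown with a small simulation. The block below is an added toy model for this article; it is not Kelihos code or the researchers' tooling, and the peer list size, the newest-first merge rule, the ring topology of the constructed botnet and the one-directional honest exchange are all assumptions rather than details of the real protocol.

```python
"""Toy model of sinkholing a peer-to-peer botnet by poisoning peer lists.

Added illustration for this article, not Kelihos code or the researchers'
tooling. The list size, the newest-first merge rule, the ring topology and
the one-directional honest exchange are all assumptions.
"""
import random

PEER_LIST_SIZE = 8          # assumed: number of peers each bot remembers
SINKHOLE_PREFIX = "sink:"   # assumed naming for addresses the sinkhole controls


def sinkhole_addresses():
    # The sinkhole advertises PEER_LIST_SIZE distinct addresses it controls,
    # so a bot that accepts the whole reply keeps no real peers at all.
    return [f"{SINKHOLE_PREFIX}{i}" for i in range(PEER_LIST_SIZE)]


def is_sinkhole(addr):
    return addr.startswith(SINKHOLE_PREFIX)


def merge_peers(own, incoming, self_addr):
    """Newest-first merge: incoming entries go in front, the bot's own address
    and duplicates are dropped, and the result is cut to PEER_LIST_SIZE."""
    merged = []
    for addr in incoming + own:
        if addr != self_addr and addr not in merged:
            merged.append(addr)
    return merged[:PEER_LIST_SIZE]


def is_captured(peers):
    # A bot whose entire list points at the sinkhole can never find the real
    # C&C again: every later exchange it starts goes to the sinkhole.
    return all(is_sinkhole(p) for p in peers)


class Botnet:
    def __init__(self, n_bots, seed=7):
        self.rng = random.Random(seed)
        self.names = [f"bot{i}" for i in range(n_bots)]
        # Constructed topology: bot i starts out knowing the next PEER_LIST_SIZE
        # bots around a ring, so every bot is reachable from every other.
        self.peers = {
            f"bot{i}": [f"bot{(i + j) % n_bots}" for j in range(1, PEER_LIST_SIZE + 1)]
            for i in range(n_bots)
        }
        self.known_to_sinkhole = set()

    def captured(self):
        return sum(is_captured(p) for p in self.peers.values())

    def sinkhole_push(self):
        """The sinkhole connects to every bot it has learned about. The exchange
        is bidirectional: it records the bot's current peers (new targets for
        the next round) and hands back a list made only of its own addresses."""
        for bot in list(self.known_to_sinkhole):
            self.known_to_sinkhole.update(
                p for p in self.peers[bot] if not is_sinkhole(p))
            self.peers[bot] = merge_peers(self.peers[bot], sinkhole_addresses(), bot)

    def bot_exchange(self, bot):
        """One bot picks a random peer and merges that peer's list. Contacting
        the sinkhole, or a bot the sinkhole has already captured, returns a
        list of sinkhole addresses only; contacting an honest bot can push
        earlier sinkhole entries back out of the list (dilution)."""
        target = self.rng.choice(self.peers[bot])
        if is_sinkhole(target):
            self.known_to_sinkhole.add(bot)   # the sinkhole now knows this bot
            reply = sinkhole_addresses()
        else:
            reply = self.peers[target]
        self.peers[bot] = merge_peers(self.peers[bot], reply, bot)

    def run(self, rounds, seeds):
        """Seed the sinkhole with bots found by crawling, then alternate
        sinkhole pushes and one exchange per bot. Returns the number of
        fully captured bots after each round."""
        self.known_to_sinkhole.update(seeds)
        history = []
        for _ in range(rounds):
            self.sinkhole_push()
            for bot in self.names:
                self.bot_exchange(bot)
            history.append(self.captured())
        return history


if __name__ == "__main__":
    net = Botnet(200)
    history = net.run(rounds=200, seeds=[f"bot{i}" for i in range(5)])
    for rnd in (0, 4, 9, 49, len(history) - 1):
        print(f"round {rnd + 1:3d}: {history[rnd]:3d}/200 bots fully sinkholed")
```

Two design points matter in practice and show up in the model: the sinkhole has to advertise as many distinct addresses as a bot will store, otherwise honest peer exchanges keep pushing the sinkhole entries out again, and the capture is absorbing, so the count of sinkholed bots only ever grows, which is why the researchers could then read infection counts and IP addresses off the sinkhole and pass them to ISPs.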

Abandon ship

The C&C infrastructure has been abandoned by the owners, Kaspersky confirmed today during a press conference. Earlier this month, GFI Software warned Kelihos was still causing carnage and continuing to gain momentum in the wild, yet for now it appears to be down again.

Kelihos 2’s main purpose was to carry out spam campaigns and initiate DDoS attacks. The largest share (24.5 percent) of infected machines was in Poland, with a further 10.8 percent in the US.

For now, Kaspersky and its collaborators can do little with the infected machines. The company is handing over IP address details to ISPs so they can take action. Data is also being shared with law enforcement, but Kaspersky said it would like to see changes in legislation so it can do more to completely take out botnets.

“We will keep the sinkhole up as long as possible,” said CrowdStrike researcher Tillmann Werner. “Hopefully we will see the number of infected machines decrease over time.”

The Kelihos 2 creators effectively bought victims from other botnet owners, who let the malware drop onto machines on their own malicious networks for a fee. Werner told TechWeekEurope it was therefore “possible” that information from the Kelihos 2 sinkholing operation could be used to track other botnet activity.

“It’s very likely the infected machines are infected with something else, but usually you don’t have access to that kind of information,” he added.

The Kelihos 2 gang has been operating since 2007, continuing to create new botnets when one is taken out of action. It is believed they were responsible for the infamous Storm and Waledac botnets. Werner said it was expected the gang would come back with a new malicious network at some point.

The first Kelihos botnet, which controlled around 40,000 machines, was taken down last year. In January, Microsoft said it suspected an ex-antivirus worker from Russia was behind the operation, but later that month the accused, Andrey Sabelnikov, proclaimed his innocence in a blog post.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
