
Kelihos II Crippled by Kaspersky and Co

The second Kelihos botnet has been wrested from the arms of cyber criminals, releasing over 110,000 computers from the malicious network operator’s grasp.

The botnet, which used similar code to the first, smaller Kelihos network that was taken out last year, was “sinkholed” in a collaborative effort involving Kaspersky, Dell Secureworks, members of the Honeynet Project and start-up firm CrowdStrike Intelligence Team.

In the sinkholing operation, the security vendors communicated with infected machines and had them send data to the vendors' servers rather than to the six command and control servers run by the Kelihos owners in three different locations. Kelihos 2 ran on a peer-to-peer network, which allowed the security companies to talk to other infected machines to take down the botnet, rather than go after the C&C servers themselves.

Abandon ship

The C&C infrastructure has been abandoned by the owners, Kaspersky confirmed today during a press conference. Earlier this month, GFI Software warned Kelihos was still causing carnage and continuing to gain momentum in the wild, yet for now it appears to be down again.

Kelihos 2’s main purpose was to carry out spam campaigns and initiate DDoS attacks. The largest share (24.5 percent) of infected machines was in Poland, while 10.8 percent of infections were in the US.

For now, Kaspersky and its collaborators can do little with the infected machines. The company is handing over IP address details to ISPs so they can take action. Data is also being shared with law enforcement, but Kaspersky said it would like to see changes in legislation so it can do more to completely take out botnets.

“We will keep the sinkhole up as long as possible,” said CrowdStrike researcher Tillmann Werner. “Hopefully we will see the number of infected machines decrease over time.”

The Kelihos 2 creators effectively bought victims from other botnet owners, who let malware drop on to machines running on their own malicious networks for a fee. Tillmann told TechWeekEurope it was therefore “possible” the information from the Kelihos 2 sinkholing operation could be used to track other botnet activity.

“It’s very likely the infected machines are infected with something else, but usually you don’t have access to that kind of information,” he added.

The Kelihos 2 gang has been operating since 2007, continuing to create new botnets when one is taken out of action. It is believed they were responsible for the infamous Storm and Waledac botnets. Werner said it was expected the gang would come back with a new malicious network at some point.

The first Kelihos botnet, which controlled around 40,00 machines, was taken down last year. In January, Microsoft said it suspected an ex-antivirus worker from Russia was behind the operation, but later that month the accused, Andrey Sabelnikov, proclaimed his innocence in a blog post.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
