How Kaspersky Lab and CrowdStrike Dismantled the Second Hlux/Kelihos Botnet: Success Story
In their ongoing assault against botnet operators and cyber-crime, Kaspersky Lab’s experts, along with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, have successfully worked together to execute the takedown of the second Hlux (also known as Kelihos) botnet
In their ongoing assault against botnet operators and cyber-crime, Kaspersky Lab’s experts, along with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, have successfully worked together to execute the takedown of the second Hlux (also known as Kelihos) botnet. This botnet was almost triple the size of the first Hlux/Kelihos botnet that was disabled in September 2011. After only 5 days of starting the takedown procedure, Kaspersky Lab has neutralized more than 109,000 infected systems. The first Hlux/Kelihos botnet was estimated at having only 40,000 infected systems.
The First Hlux/Kelihos Botnet
This is not the first time Kaspersky Lab has encountered versions of the Hlux/Kelihos botnet. In September 2011, Kaspersky Lab worked with Microsoft’s Digital Crimes Unit, SurfNet and Kyrus Tech, Inc., to successfully disable the original Hlux/Kelihos botnet. During that time Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the Command & Control server (C&C).
Despite the original botnet being neutralized and under control, Kaspersky Lab experts released new research in January 2012 that revealed a second Hlux/Kelihos botnet that was operating in the wild. Although the botnet was new, the malware was built using the same coding as the original Hlux/Kelihos botnet. The new malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.
How the Second Hlux/Kelihos Botnet was Disabled
During the week of March 19, 2012, Kaspersky Lab, the CrowdStrike Intelligence Team, Dell SecureWorks and the Honeynet Project launched a sinkholing operation which successfully disabled the botnet. Both Hlux/Kelihos botnets were peer-to-peer (P2P) type botnets, which means every member of the network can act as a server and/or client, as opposed to traditional botnets that rely on a single C&C server. To neutralize the flexible P2P botnet, the group of security experts created a global network of distributed machines that were installed into the botnet’s infrastructure. After a short time, the sinkhole-network increased its “popularity” in the network, which allowed more infected computers to be brought under Kaspersky Lab’s control while preventing the malicious bot-operators from accessing them. As more infected machines are neutralized, the P2P architecture caused the botnet’s infrastructure to “sink,” since its strength weakens exponentially with the more computers it loses control of.
Since the sinkholing operation began on March 19, the botnet has been inoperable. With the majority of botnets connected to the sinkhole, Kaspersky Lab’s experts can conduct data mining to track the number infections and their geographical locations.
To date Kaspersky Lab has counted 109,000 infected systems. The majority of IP addresses were located in Poland.
For a complete analysis of the operation please visit the latest post on Securelist.
For common questions about P2P botnets, sinkholing and the Hlux/Kelihos takedowns, please see our FAQ sheet.
Kaspersky Lab would like to thank the CrowdStrike Intelligence Team, Dell SecureWorks and the Honeynet Project for its support in the operation.
How Kaspersky Lab and CrowdStrike Dismantled the Second Hlux/Kelihos Botnet: Success Story
Kaspersky
Related Articles Virus News
Turkey, Russia, Southeast Asia and Latin America hit by Android threats, Kaspersky identifies
Three new dangerous Android malware variants have been analyzed by Kaspersky researchers. The Tambir, Dwphon, and Gigabud malicious programs exhibit diverse features, ranging from downloading other programs and credential theft to bypassing two-factor authentication (2FA) and screen recording, jeopardizing user privacy and security.Read More >Targeted ransomware groups have grown in numbers and sophistication, say Kaspersky experts
An in-depth research by Kaspersky experts shows a surge in the number of targeted ransomware groups globally by 30% from 2022 to 2023. In parallel to this increase, the number of victims of targeted ransomware attacks spiked by 70% within the same time period. These insights were shared at Kaspersky’s ninth annual Cyber Security Weekend – META, which took place in Kuala Lumpur.Read More >‘Coyote’ ugly: Kaspersky unveils banking trojan targeting over 60 institutions
A new sophisticated banking Trojan that steals sensitive financial information and introduces advanced tactics to avoid detection has been discovered by Kaspersky's Global Research and Analysis Team (GReAT). Dubbed 'Coyote,' this malware relies on the Squirrel installer for distribution, its name drawing inspiration from coyotes, the natural predators of squirrels.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.