How Kaspersky Lab and CrowdStrike Dismantled the Second Hlux/Kelihos Botnet: Success Story

28 Mar
Virus News

In their ongoing assault against botnet operators and cyber-crime, Kaspersky Lab’s experts, along with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, have successfully worked together to execute the takedown of the second Hlux (also known as Kelihos) botnet. This botnet was almost triple the size of the first Hlux/Kelihos botnet, which was disabled in September 2011. Within only 5 days of starting the takedown procedure, Kaspersky Lab had neutralized more than 109,000 infected systems. The first Hlux/Kelihos botnet was estimated at only 40,000 infected systems.

The First Hlux/Kelihos Botnet

This is not the first time Kaspersky Lab has encountered versions of the Hlux/Kelihos botnet. In September 2011, Kaspersky Lab worked with Microsoft’s Digital Crimes Unit, SurfNet and Kyrus Tech, Inc., to successfully disable the original Hlux/Kelihos botnet. During that time Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the Command & Control server (C&C).

Despite the original botnet being neutralized and under control, Kaspersky Lab experts released new research in January 2012 that revealed a second Hlux/Kelihos botnet that was operating in the wild. Although the botnet was new, the malware was built using the same coding as the original Hlux/Kelihos botnet. The new malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.

How the Second Hlux/Kelihos Botnet was Disabled

During the week of March 19, 2012, Kaspersky Lab, the CrowdStrike Intelligence Team, Dell SecureWorks and the Honeynet Project launched a sinkholing operation which successfully disabled the botnet. Both Hlux/Kelihos botnets were peer-to-peer (P2P) botnets, which means every member of the network can act as a server and/or client, as opposed to traditional botnets that rely on a single C&C server. To neutralize the flexible P2P botnet, the group of security experts created a global network of distributed machines that were introduced into the botnet’s infrastructure. After a short time, the sinkhole network increased its “popularity” in the peer network, which allowed more infected computers to be brought under Kaspersky Lab’s control while preventing the malicious bot operators from accessing them. As more infected machines were neutralized, the P2P architecture caused the botnet’s infrastructure to “sink”: its strength weakens exponentially as it loses control of more computers.
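The paragraph above describes the mechanism only in outline. The following simulation is an added example, not code from Kaspersky Lab, CrowdStrike or the original article, and it does not model the real Hlux/Kelihos protocol. It assumes a generic P2P overlay in which each bot keeps a fixed-size, most-recently-seen-first peer list and periodically asks one peer for a few addresses; sinkhole nodes answer such requests only with other sinkhole addresses. The run shows the effect the text calls "sinking": once sinkhole entries are seeded into a fraction of peer lists, they spread through ordinary peer-list exchange until bots know no peers except sinkholes. All node names, list sizes and seeding parameters are constructed for the example.

```python
import random
from dataclasses import dataclass, field

PEER_LIST_SIZE = 8   # entries kept per bot (assumed, not the real bot's value)
ADVERTISE_COUNT = 3  # addresses returned per peer-list request (assumed)


@dataclass
class Node:
    addr: str
    is_sinkhole: bool = False
    peers: list = field(default_factory=list)

    def advertise(self, rng):
        """Answer a peer-list request with a random subset of our own list.
        A sinkhole's list contains only sinkholes, so it never hands out a
        real bot address and never leads a peer back to the operators."""
        return rng.sample(self.peers, min(ADVERTISE_COUNT, len(self.peers)))


def merge_peer_lists(own, received, self_addr):
    """Newest-first merge: received addresses go to the front, duplicates and
    our own address are dropped, and the list is truncated to PEER_LIST_SIZE."""
    seen, merged = set(), []
    for a in received + own:
        if a != self_addr and a not in seen:
            seen.add(a)
            merged.append(a)
    return merged[:PEER_LIST_SIZE]


def build_network(num_bots, num_sinkholes, rng):
    """Constructed botnet: every bot starts with random bot-only peers;
    sinkholes know only each other."""
    bots = [Node(f"bot-{i}") for i in range(num_bots)]
    for b in bots:
        b.peers = rng.sample([o.addr for o in bots if o is not b], PEER_LIST_SIZE)
    sinks = [Node(f"sink-{i}", is_sinkhole=True) for i in range(num_sinkholes)]
    sink_addrs = [s.addr for s in sinks]
    for s in sinks:
        s.peers = list(sink_addrs)
    return {n.addr: n for n in bots + sinks}, sink_addrs


def seed_sinkholes(network, sink_addrs, fraction, rng):
    """Models the defenders' nodes joining the overlay: a fraction of bots
    accept one sinkhole address into their peer list."""
    bots = [n for n in network.values() if not n.is_sinkhole]
    for b in rng.sample(bots, int(len(bots) * fraction)):
        b.peers[0] = rng.choice(sink_addrs)


def exchange_round(network, rng):
    """One maintenance round: each bot asks one random peer for addresses."""
    for bot in network.values():
        if bot.is_sinkhole:
            continue
        contact = network[rng.choice(bot.peers)]
        bot.peers = merge_peer_lists(bot.peers, contact.advertise(rng), bot.addr)


def sinkholed_fraction(network):
    """Share of bots whose every known peer is a sinkhole: such a bot can no
    longer reach any operator-controlled node, i.e. it has been neutralized."""
    bots = [n for n in network.values() if not n.is_sinkhole]
    cut_off = sum(1 for b in bots if all(network[p].is_sinkhole for p in b.peers))
    return cut_off / len(bots)


def run_simulation(num_bots=300, num_sinkholes=16, seed_fraction=0.2,
                   rounds=100, seed=1):
    """Return the neutralized fraction after seeding and after every round."""
    rng = random.Random(seed)
    network, sink_addrs = build_network(num_bots, num_sinkholes, rng)
    seed_sinkholes(network, sink_addrs, seed_fraction, rng)
    history = [sinkholed_fraction(network)]
    for _ in range(rounds):
        exchange_round(network, rng)
        history.append(sinkholed_fraction(network))
    return history


if __name__ == "__main__":
    for r, frac in enumerate(run_simulation()):
        if r % 10 == 0:
            print(f"round {r:3d}: {frac:.1%} of bots know only sinkholes")
```

Two properties of the model are worth noting for a defender. First, a bot whose list holds only sinkholes is in an absorbing state: it only ever asks sinkholes, and they only ever return sinkholes, so the neutralized fraction never decreases. Second, the growth is self-reinforcing, since every partially sinkholed bot also advertises sinkhole entries to the peers that contact it; that feedback is what the article means by the sinkhole network gaining "popularity" and the botnet weakening faster the more machines it loses.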

Since the sinkholing operation began on March 19, the botnet has been inoperable. With the majority of bots connected to the sinkhole, Kaspersky Lab’s experts can conduct data mining to track the number of infections and their geographical locations.

To date Kaspersky Lab has counted 109,000 infected systems. The majority of IP addresses were located in Poland.

For a complete analysis of the operation please visit the latest post on Securelist.

For common questions about P2P botnets, sinkholing and the Hlux/Kelihos takedowns, please see our FAQ sheet.

Kaspersky Lab would like to thank the CrowdStrike Intelligence Team, Dell SecureWorks and the Honeynet Project for their support in the operation.