Kaspersky Lab, Kyrus Tech en Microsoft ontmantelen Hlux/Kelihos-botnet

30 sep 2011
Press Releases

In hun voortdurende strijd tegen botnet-exploitanten en hosting bedrijven die de anonieme domeinregistraties mogelijk maken die voor botnets nodig zijn, hebben Kaspersky Lab, Microsoft en Kyrus Tech met succes samengewerkt om het Kelihos-botnet (oorspronkelijk door Kaspersky Hlux genoemd) te ontmantelen. Kelihos bestond uit naar schatting 40.000 computers en werd gebruikt voor de distributie van miljarden spamberichten, het stelen van persoonlijke gegevens, het uitvoeren van DDoS-aanvallen en talloze andere criminele activiteiten. Microsoft heeft ook een civiele zaak aangespannen tegen 24 personen die te maken hebben met de infrastructuur achter het botnet, waardoor het mogelijk is de domains te sluiten die voor het botnet werden gebruikt. Microsoft heeft aan de rechter verklaringen overlegd waaraan Kaspersky Lab heeft bijgedragen. Ook werd een verklaring van Kyrus Tech overlegd, met daarin gedetailleerde informatie en bewijs betreffende het Kelihos-botnet.

Kaspersky Lab has played a pivotal role in taking down the botnet, tracking it since the beginning of 2011, when it started collaborating with Microsoft in tackling Kelihos, including sharing its live botnet tracking system with the US company. Kaspersky Lab has also taken care that the botnet cannot be controlled anymore, and continues to make sure that this is the case. Its specialists reversed-engineered the code used in the bot, cracked the communication protocol, discovered the weaknesses in the peer-to-peer infrastructure, and developed the corresponding tools to counteract it. What's more, since the offending domains used in the botnet have gone offline via court orders Microsoft had secured, Kaspersky Lab has been "sinkholing" the botnet - where one of its computers has gotten inside the botnet's complex internal communications to bring it under its control.

Acknowledging Kaspersky Lab's active involvement in taking down the botnet, Richard Boscovich, senior attorney with the Microsoft Digital Crimes Unit, said: "Kaspersky Lab played a key role in this operation by providing us with unique and in-depth insight based upon their technical analysis and understanding of the Kelihos botnet.

This contributed to both a successful takedown and as evidence for declarations made about the analysis and structure of the botnet. We are grateful for their support in this matter and their determination to make the Internet safer."

Speaking of the continuing role Kaspersky Lab is playing in controlling Kelihos, Tillmann Werner, senior malware analyst of Kaspersky Lab Germany, said: "Since Kaspersky Lab's sinkholing operation began on September 26, the botnet has been inoperable. And since the bots are communicating with our machine now, data mining can be conducted to track infections per country, for example. So far, Kaspersky Lab has counted 61,463 infected IP addresses, and is working with the respective ISPs to inform the network owners about the infections."

Kelihos is a peer-to-peer botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network's dynamic structure. Routers are infected machines with public IP addresses. They run the bot for sending out spam, collecting email addresses, sniffing out user credentials from the network stream, etc.

Microsoft has announced that its Malware Protection Center has added detection for the Kelihos malware to its Malicious Software Removal Tool. Since this tool is well-distributed the number of infections that have already been cleaned up is significant.

Cooperation between Kaspersky Lab and Microsoft has been ongoing now for some time. Notable recent collaboration includes that on the infamous Stuxnet worm, which hacked industrial control systems like those used in Iran's nuclear programs.

Kaspersky Lab would like to thank SURFnet for its support in the operation, and especially for providing the perfect infrastructure to run the sinkhole.