Kelihos Botnet Thrives, Despite Takedowns

  /     /     /  
Publicated : 22/11/2024   Category : security


Kelihos Botnet Thrives, Despite Takedowns


Fast flux infrastructure and Windows XP infections continue to keep the botnet alive.



Is the Kelihos botnet going bust?
Kaspersky Lab
published research
Tuesday that showed its sinkholing of one version of the Kelihos (a.k.a. Hlux) botnet 19 months ago with CrowdStrike, the Honeynet Project, and Dell SecureWorks -- as well as subsequent eradication efforts -- have led to a sharp decline in related botnet activity.
What we see now is what we expected, Kaspersky Lab security researcher Stefan Ortloff wrote in a blog post. The botnet is getting smaller and smaller -- victims have been disinfecting or reinstalling their PCs over time. At the moment were counting about 1,000 unique bots on average per month, versus about 116,000 a year ago.
Ortloff said the vast majority of the botnet today is composed of malware-infected systems running
Windows XP
(86 percent), followed by Windows 7 (7 percent) and Windows Server 2008 R2 (4 percent). Forty-four percent of infected clients are in Poland.
[ Protect your servers without breaking the bank. See
Dont Be A Hackers Puppet
. ]
But the Kaspersky Lab report triggered a
sharp retort
from Hendrik Rick Adrian of the white hat security research firm MalwareMustDie. He reported that, as of Wednesday, he was seeing 1,231 Kelihos infections coming just from Poland, placing it well behind the Ukraine (52,825), Russia (18,158), Japan (9,823), and India (6,037), among other countries. In total, Adrian -- part of the ongoing Op Kelihos takedown effort -- said he was seeing at least 100,848 active Kelihos infections as of Wednesday.
Have reports of the botnets demise been exaggerated? Kaspersky Labs Global Research and Analysis Team told us via email that the blog post referenced only a single version of Kelihos. The blog post is a status update on the sinkholing operation we did with our partners in March 2012. We dont have any data or information which botnet in detail MalwareMustDie is referring to, the team wrote. There are and were several versions of Hlux/Kelihos, some were sinkholed, but others may still be active.
Dave Dittrich, a SANS instructor and security researcher at the University of Washington, told us via email that the decline of the Kelihos strain that Kaspersky Lab helped sinkhole looks legit. Kaspersky is watching a set of bots that were abandoned, and living for a year and a half is just about what I would have expected, having watched another similarly abandoned botnet (named Nugache) in 2008
slowly die out
over about a 1.5 year period.
But other versions of Kelihos continue to circulate, he said, thanks in part to pay per install (a.k.a. malware-as-a-service) providers wielding malware such as Conficker, Fifesock, RedKit, and Virut.
According to Adrian, Kelihos eradication remains difficult because infected PCs can spread the infection to other PCs (peers) with which they connect, beyond the threat of users simply coming into contact with a Kelihos loader that would infect the system for the first time. Each [of the] peers has more than 10+ payloads to spread, [and a] smaller number of payloads exists in the loader part.
Kelihos also continues to spread thanks to the botnet automatically creating command-and-control (CnC) domains, he said, as well as through
fast flux
techniques that hide the botnets infrastructure behind multiple layers of proxies. From Aug. 6 through Nov. 12, the botnet had generated at least 800 domains via the Russian domain name registrar RegTime.net, including one that was registered Tuesday.
The above growth is still happening, even now we keep on suspending, sinkholing new domains [that are] used for spreading [the] payload -- which [is] encrypted in their job servers to [the] CnC layer to be sent to [peers] for infection upgrades, he said. The effort of current [suppression] is not related [to] the previous shutdown. Rather, the current level of infections results from security researchers coordinating their efforts to continue researching how the botnet operates and sinkholing all related domains.
Whos behind these Kelihos infections? Thats not clear, but a significant portion of the attack infrastructure traces to Russia. Last week, a Pastebin post from MalwareMustDie detailed a relationship between domains being used to serve Kelihos payloads and the RedKit exploit kit. A series of RedKit infections have included a JavaScript injection script that points the infected PC to a site based in Russia that uses the same infrastructure as the Kelihos botnet, according to MalwareMustDie.
This year, attackers -- who might not be part of the Kelihos gang -- loaded the RedKit crimeware pack on to
hacked NBC websites
and launched driveby attacks exploiting known Java and Adobe Reader vulnerabilities against all site visitors. The exploit pack then installed Citadel financial malware on to vulnerable PCs.
Advanced persistent threats are evolving in motivation, malice, and sophistication. Are you ready to stop the madness? Also in the new, all-digital
The Changing Face Of APTs
issue of Dark Reading: Governments arent the only victims of targeted intelligence gathering. Enterprises need to be on guard, too (free registration required).

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Kelihos Botnet Thrives, Despite Takedowns