International security team shoots down second Hlux/Kelihos botnet

Peer-to-peer "poisoning" tactic pays off but over 100,000 victim machines still infected

A team of security experts cooperating globally say they've disabled a large botnet of about 110,000 remotely controlled infected machines dubbed HLux.B/Kelihos.B by interfering in its peer-to-peer connections in a "poisoning" process to sinkhole them, cutting off the botnet's central control point.

Tracking the botnets

Kaspersky Lab, Dell SecureWorks, Crowdstrike Intelligence Team and the Honeynet Project all had a hand in monitoring and disabling the botnet. There's speculation that it was created by the same gang that created the first Hlux/Kelihos bot that was shot down with help from Microsoft's Digital Crimes Unit, with others, last September.

Crowdstrike's senior research scientist Tillmann Werner and Kaspersky Lab's global head of research in Germany, Marco Preuss, discussed how the sinkholing operation against HLux.B proceeded, cautioning that the sinkhole can probably be maintained indefinitely, but that more than 100,000 computers around the world are still infected.

The Hlux.B/Kelihos botnet has been used for spam, denial-of-service attacks and "spying on credentials" on victims' computers, noted Werner. About one quarter of the 110,000 or more infected machines appear to be in Poland, with about 10% in the U.S., and the reminder elsewhere around the world, including Turkey, Spain, India and Argentina.

“The sinkholing was successful,” said Preuss, explaining how Kasperky worked with the team of experts who found a way to interfere in the peer-to-peer control of HLux.B/Kelihos through a “poisoning” process to disable it in a specific way.

This was basically done by pretending to be one of the peers and then providing a peer-to-peer list with instructions to sinkhole the infected machines to a point chosen by the security researchers, thereby wrenching control of the botnet away from the botmaster.

Though the sinkhole is a strong trap for the botnet’s ability to function, it doesn’t necessarily make the botnet go away, Werner pointed out. The owners of the infected machines will need to be informed that their machines are infected, possibly with help from ISPs, and have their machines cleaned up from the botnet code on it.

Most of the infected machines appear to be victims of so-called “pay-per-install” crime in which a third party infects machines worldwide and then sells out the right to manipulate them to botnet masters. There’s speculation that the Russian Andrey Sabelnikov may be behind HLux.B/Kelihos but there’s no proof, and Kaspersky Lab researchers note that information they and others have collected around Hlux.B is being turned over to law enforcement to investigate further.

The researchers also note they fully expect to see more versions of the botnet in the future.

 Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies