Q: What is the Hlux/Kelihos botnet?
A: Kelihos is Microsoft's name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers.
Q: What is a peer-to-peer botnet?
A: Unlike a classic botnet, a peer-to-peer botnet doesn't use a centralized command and control-server (C&C). Every member of the network can act as a server and/or client. The advantages from the malicious user’s point of view is the omission of the central C&C as a single-point-of-failure. From our point of view, this makes it a lot harder to take down this kind of botnet.
Architecture of traditional botnet vs P2P:
Q: When was Hlux/Kelihos first seen in the wild?
A: Back in December 2010, the first version was seen in the wild. Our first blog post about Hlux was in January 2011. The first known blog entry was released by ShadowServer in December 2010. The new version appeared just after our first sinkhole operating in September 2011.
Q: What are the differences between the old and the new Hlux/Kelihos malware?
A: The older version was used to distribute spam and had the ability to conduct distributed denial-of-service (DDoS) attacks. With this new version, we have discovered that:
Q: Was the “new Hlux/Kelihos”-botnet rebuilt upon the “old” botnet, which was taken down in September last year?
A: Yes, the malware was built using the same coding as the original Hlux/Kelihos botnet. The new malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.
It’s important to note that the Hlux botnet we previously disabled is still under control and the infected machines are not receiving commands.
How the creators of the malware managed to build the new botnet in that short time cannot be answered with certainty. Bot herders typically use malicious pay-per-install-services to rebuild botnets.
Q: What does sinkholing mean?
A: In this case, it means actions that lead to a high popularity of a special peer inside the peer-to-peer network. This special peer is under our control and provides connecting bots with special crafted job-lists in order to make them uncontrollable by the original malicious bot-herder.
Q: How many bots exist in the old and new Hlux/Kelihos-botnets?
A: By design, the size of a peer-to-peer botnet can only be estimated. For the old Hlux botnet, we took down in September 2010, we estimated about 40000 different IP adresses. For the new botnet we estimate about 110,000 IP addresses.
Q: In which countries you see the biggest number of Hlux/Kelihos infections?
A: For the old version of Hlux we saw the most connections hitting our sinkhole from Thailand, Vietnam, India and Korea.
For the new version we see this distribution:
Q: Who was involved in the recent take-down (March 2012)?
A: Kaspersky Lab partnered with research teams at CrowdStrike, the HoneyNet Project and Dell SecureWorks on this operation.
Q: What can users do if their system is infected with malware from the botnet?
A: Although the first two Kelihos/Hlux botnets have being disabled, many computers are still infected with malware. Please visit http://support.kaspersky.com/viruses/utility for free tools that Kaspersky Lab offers to clean your computer.
For additional resources and to learn how to keep your computer secure please refer to http://support.kaspersky.com/viruses.
Until the botnet gangs are permanently brought down, new botnets with updated malware will continue to emerge and infect computers.
Q: The bots of both botnets are now sinkholed to machines of your control. What now?
A: This is actually the main question we asked in the first take-down back in September 2011. Obviously we cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that over time, the number of machines hitting our sinkhole will slowly decrease as computers get cleaned and reinstalled.
Apart from this, there is one other theoretical option to ultimately get rid of Hlux: We know how the bot's update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries.
The only permanent solution is advocating to politicians for more international legislation and laws to be passed for more involvement between cyber security professionals and federal law-enforcement agencies. Sinkholing is a temporary solution but finding the groups behind the botnets and allowing law enforcement to apprehend them is the only permanent solution to the problem. New regulations will give more jurisdiction to execute the following countermeasures:
2012 Mar 30, 12:10
Great Work! .. Could you please share the sample for research purpose
2012 Apr 04, 23:53
Bots : Windows Back Door Code
You might like to know the Windows back-door code. It got to me indirectly through an extremely drunk Microsoft senior executive - in vino veritas, or in wino weritas, as the case may be. If my memory serves me right, it is all the twos, or two repeater, 2. Just possibly my memory is slightly mistaken and it is all the threes, or three repeater, 3. I don't think my memory is mistaken , but anyway I am sure it is one of the two.
2012 Jul 20, 19:57
It it within the law to have the bots "update" with invalid code that would just make them crash and not execute? Its not removing them , just rendering them inert.