It has been four months since Microsoft and Kaspersky Lab announced the disruption of the Kelihos/Hlux botnet. The sinkholing method that was used has its advantages: it is possible to disable a botnet rather quickly without taking control of its infrastructure. However, as this particular case showed, it is not very effective if the botnet's masters are still at large.
Not long after we disrupted Kelihos/Hlux, we came across new samples that seemed very similar to the initial version. After some investigation, we collected all the differences between the two versions. This is a summary of our findings:
Let's start with the lowest layer: the encryption and packing of Kelihos/Hlux messages in the communication protocol. For some reason, the order of operations was changed in the new version. Here are the steps for processing the encrypted data to retrieve a job message (which is organized as a tree structure):
| № | Old Hlux | New Hlux |
|---|---|---|
| 1 | Blowfish with key1 | Blowfish with new key1 |
| 2 | 3DES with key2 | Decompression with Zlib |
| 3 | Blowfish with key3 | 3DES with new key2 |
| 4 | Decompression with Zlib | Blowfish with new key3 |
I don’t have a LiveJournal account, but sometimes I’ll have a quick read of the blogs during breaks. On 4 April, however, an official announcement by LiveJournal Russia stated that the service had been subjected to a DDoS and was unavailable.
This massive DDoS attack is the second to target LiveJournal over the last few days. Russia’s online mass media is currently awash with rumors and speculation about the reasons and aims of the attacks.
We don’t know exactly how many botnets took part in the latest attack but we definitely know of one botnet that was involved. It is based on the Optima/Darkness DDoS bot that is currently popular on the Russian-speaking cybercrime black market. Not only are the Trojan programs (bots) themselves on sale, but also infected computer networks that are built with the help of such programs and services offering to carry out DDoS attacks on any given Internet resource.
We have been monitoring one of these Optima botnets for some time now.
Analysis of the data acquired showed that the first DDoS attack on LiveJournal occurred on 24 March. The botnet’s owners gave the command to launch an attack on the blog address of the renowned anti-corruption figure Alexey Navalny: http://navalny.livejournal.com. On 26 March, the bots received commands to attack another resource belonging to Navalny: http://rospil.info, and on 1 April, http://www.rutoplivo.ru, another site with a political slant, was targeted.