Abingdon, UK, 28 March 2012 - In their ongoing assault against botnet operators and cyber-crime, Kaspersky Lab's experts, along with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project, have successfully worked together to execute the takedown of the second Hlux (also known as Kelihos) botnet. This botnet was almost triple the size of the first Hlux/Kelihos botnet that was disabled in September 2011. Within just five days of starting the takedown procedure, Kaspersky Lab has neutralised more than 109,000 infected hosts. The first Hlux/Kelihos botnet was estimated at having only 40,000 infected systems.
In January 2012 Kaspersky Lab experts released new research that revealed that despite the original botnet being neutralised and under control, a second Hlux/Kelihos botnet was operating in the wild. Although the second botnet was new, the malware had been built using the same coding as the original Hlux/Kelihos botnet. This malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the second botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.
How the second Hlux/Kelihos Botnet was disabled
During the week commencing 19 March 2012, Kaspersky Lab, the CrowdStrike Intelligence Team, Dell SecureWorks and the Honeynet Project launched a sinkholing operation which successfully disabled the botnet. Both Hlux/Kelihos botnets were peer-to-peer (P2P) type botnets, which means every member of the network can act as a server and/or client, as opposed to traditional botnets that rely on a single Command & Control (C&C) server. To neutralise the flexible P2P botnet, the group of security experts created a global network of distributed machines that were installed into the botnet's infrastructure. After a short time, the sinkhole-network increased its "popularity" in the network, which allowed more infected computers to be brought under Kaspersky Lab's control, while preventing the malicious bot-operators from accessing them. As more infected machines were neutralised, the P2P architecture caused the botnet's infrastructure to "sink" since its strength weakened exponentially with each computer it lost control of.
Since the sinkholing operation began on 19 March, the botnet has been inoperable. With the majority of botnets connected to the sinkhole, Kaspersky Lab's experts can conduct data mining to track the number of infections and their geographical locations. To date Kaspersky Lab has counted 109,000 infected IP addresses. The majority of infected IP addresses were located in Poland.
The First Hlux/Kelihos Botnet
This is not the first time Kaspersky Lab has encountered versions of the Hlux/Kelihos botnet. In September 2011, Kaspersky Lab worked with Microsoft's Digital Crimes Unit, SurfNet and Kyrus Tech, Inc., to successfully disable the original Hlux/Kelihos botnet. At that time Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.
For a complete analysis of the second Hlux/Kelihos operation please visit the latest post on Securelist.
For common questions about P2P botnets, sinkholing and the Hlux/Kelihos takedowns, please see our FAQ sheet.
Kaspersky Lab would like to thank the CrowdStrike Intelligence Team, Dell SecureWorks and the Honeynet Project for its support in the operation.
Kaspersky Lab Newsroom
Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe (http://newsroom.kaspersky.eu/en), for journalists throughout Europe. The newsroom is specifically designed to serve many of the media's most common requests, making it easier for journalists to find product and corporate information, facts and figures, editorial copy, images, videos and audio files, as well as details about the appropriate PR contacts.
About Kaspersky Lab
Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world's most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The company is ranked among the world's top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry's fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry's leading IT security solution providers. Learn more at www.kaspersky.co.uk. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit http://www.securelist.com.
Follow us on Twitter
Like us on Facebook
Telephone: 0118 909 0909
Fax: 0118 988 6911
1650 Arlington Business Park
RG7 4SA, Reading
Kaspersky Lab UK
Telephone: 0871 789 1633
Milton Business Park
OX14 4RY, Oxford
© 2012 Kaspersky Lab. The information contained herein is subject to change without notice. The only warranties for Kaspersky Lab products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for technical or editorial errors or omissions contained herein.