Dell SecureWorks recently published a report on the Waledac / Kelihos botnet and its role in a recent takedown operation. Unfortunately, while the initial efforts were successful, the controllers of the botnet have moved on and resumed operations.
On March 21, 2012, Dell SecureWorks, along with Kaspersky Lab, CrowdStrike, and the Honeynet Project teamed-up in order to disrupt the operations of the Waledac / Kelihos botnet (a.k.a Hlux in some circles).
According to collected research, this botnet is responsible for a large amount of the world’s spam, but it also harvests email addresses and credentials, and has the ability to steal Bitcoin wallets. Those controlling the botnet also have an additional incentive, one that is financially rewarding, as the Waledac payloads are distributed through PPI programs, which pay per installation. Thus, the more victims, the more money there is to be earned.
Waledac was targeted for takedown last September, but this time the team of security giants were focused on a completely separate variant, with about 118,000 endpoints. While this doesn’t seem like much, these numbers still equate to millions of spam messages, and far too many opportunities to spread the bots influence after establishing itself in the U.S., Poland, and Turkey. As such, Dell and the others decided it had to go.
The takedown operation was a success, but it was short lived. One week after the Kelihos.B was forced to halt operations, its controllers developed a third variant (Kelihos.C) and resumed operations. This new version is similar to its predecessor in functionality and low anti-virus detection rates, but the changes made during its creation have forced the controllers into moving backwards when it comes to their installation base.
“These actions indicate that the criminals are well-funded and determined to maintain a botnet. However, their modifications such as changing the encryption means there is no mechanism for the botnet controllers to regain control of the Kelihos.B botnet. In addition, the worm known as Fifesock that has been used to drop Kelihos.B does not have the ability to update or install new Kelihos binaries,” wrote Dell SecureWorks’ Brett Stone-Gross.
In other words, the blog post continues, computers infected with Kelihos.B are no longer able to communicate with neither Kelihos.C bots nor the command and control (C&C) infrastructure. Moreover, previously infected systems cannot be re-infected through an existing Fifesock worm infection.
A report on the takedown and birth of a third version of Waledac is available here.