Kelihos Botnet Update Shows Challenges Facing Takedown Efforts

UPDATE: Not too long ago, Microsoft and other security researchers were heralding the fall of the Kelihos botnet. It appears now however that whoever is behind the malware may still be in business.

Botnet shutdowns via sinkholing – where researchers redirect the malicious traffic from each bot to a server under their control – have become a prominent weapon in the fight against spammers. However, while sinkholing has its advantages, evidence that the Kelihos malware has been updated shows the method has its limitations when the cyber-criminals behind a botnet remain at large, argued Kaspersky Lab analyst Maria Garnaeva.

According to Kaspersky Lab, new malware samples very similar to the malware used to build the original Kelihos botnet were detected shortly after last fall’s takedown efforts. There were some differences, however. For one, the new malware performs the encryption and packing of messages in its communication protocol in a different order. The updated malware also forms packets more carefully: every packet, both incoming and outgoing, includes a checksum of its data in the header. In addition, the encryption keys were changed.

“Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet,” Garnaeva wrote in a blog post. “The controllers list in the new version remained almost the same and slightly changed over time.”

Though the malware appears to be an update of Kelihos, both Kaspersky Lab and Microsoft clarified that the Kelihos botnet itself is not back in action. 

“In fact, it is believed that Kelihos itself may have been built based at least in part on code from Waledac, the first botnet Microsoft took down,” blogged Richard Domingues Boscovich, senior attorney for the Microsoft Digital Crimes Unit. “Malware authors often recycle previous versions of malware. The challenge for the ‘good guys’ is to stay on top of such emerging threats and continue to build protections for computer owners and strategies for further cybercrime disruption.”

The news comes a week after Microsoft took the step of publicly naming the man it says is behind the botnet, Andrey N. Sabelnikov of St. Petersburg, Russia. Sabelnikov’s name was added to a civil suit the company filed in an effort to take the botnet down. However, the Russian programmer has denied any involvement.

“I am absolutely not guilty, have never been involved in handling botnets or any other similar programs and what is more have never made any profit from such activity,” he wrote in a blog post. “I want to highlight that I have no connection either to the activity of Kelihos or to the distribution of spam.”


At its peak, the botnet controlled tens of thousands of computers, and is reputed to have sent out nearly 4 billion spam messages on a daily basis. The new botnet is getting orders from spammers and is sending spam in different languages. According to Garnaeva, the controllers list in the new version remains almost the same as the previous version.

The update of the botnet, she added, shows that it is impossible to neutralize a botnet simply by taking over the controller machines or substituting the controller list: if the botmaster is at large and knows the list of active router IPs, he can connect to them directly and push out the bot update along with the new controllers list.

“It is still possible,” she continued, “to neutralize the botnet with sinkholing but using slightly different techniques as was used before… We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end.”

UPDATE: This story was updated to include additional information from Microsoft and Kaspersky Lab.

Written By

Marketing professional with a background in journalism and a focus on IT security.
