
Dell Examines Aftermath of Waledac/ Kelihos Botnet Takedown

Dell SecureWorks recently published a report on the Waledac / Kelihos botnet and its role in a recent takedown operation. Unfortunately, while the initial efforts were successful, the controllers of the botnet have moved on and resumed operations.

On March 21, 2012, Dell SecureWorks, along with Kaspersky Lab, CrowdStrike, and the Honeynet Project, teamed up to disrupt the operations of the Waledac / Kelihos botnet (a.k.a. Hlux in some circles).

According to collected research, this botnet is responsible for a large amount of the world’s spam, but it also harvests email addresses and credentials, and has the ability to steal Bitcoin wallets. Those controlling the botnet also have an additional incentive, one that is financially rewarding, as the Waledac payloads are distributed through PPI programs, which pay per installation. Thus, the more victims, the more money there is to be earned.

Waledac was targeted for takedown last September, but this time the team of security giants was focused on a completely separate variant, with about 118,000 endpoints. While this doesn't seem like much, these numbers still equate to millions of spam messages, and far too many opportunities to spread the bot's influence after it had established itself in the U.S., Poland, and Turkey. As such, Dell and the others decided it had to go.

The takedown operation was a success, but it was short-lived. One week after Kelihos.B was forced to halt operations, its controllers developed a third variant (Kelihos.C) and resumed operations. This new version is similar to its predecessor in functionality and in its low anti-virus detection rates, but the changes made during its creation have forced the controllers to start over when it comes to their installation base.

“These actions indicate that the criminals are well-funded and determined to maintain a botnet. However, their modifications such as changing the encryption means there is no mechanism for the botnet controllers to regain control of the Kelihos.B botnet. In addition, the worm known as Fifesock that has been used to drop Kelihos.B does not have the ability to update or install new Kelihos binaries,” wrote Dell SecureWorks’ Brett Stone-Gross.

In other words, the blog post continues, computers infected with Kelihos.B are no longer able to communicate with either Kelihos.C bots or the command and control (C&C) infrastructure. Moreover, previously infected systems cannot be re-infected through an existing Fifesock worm infection.

A report on the takedown and birth of a third version of Waledac is available here.

Related: How a Security Industry Collective Shattered The Latest Hlux/Kelihos Botnet
