SecurityWeek

Cybercrime

Dell Examines Aftermath of Waledac/ Kelihos Botnet Takedown

Dell SecureWorks recently published a report on the Waledac / Kelihos botnet and its role in a recent takedown operation. Unfortunately, while the initial efforts were successful, the controllers of the botnet have moved on and resumed operations.

On March 21, 2012, Dell SecureWorks teamed up with Kaspersky Lab, CrowdStrike, and the Honeynet Project to disrupt the operations of the Waledac / Kelihos botnet (also known as Hlux).

According to the collected research, this botnet is responsible for a large share of the world's spam, but it also harvests email addresses and credentials and can steal Bitcoin wallets. Those controlling the botnet have an additional financial incentive: the Waledac payloads are distributed through pay-per-install (PPI) programs, so the more victims there are, the more money there is to be earned.

Waledac was targeted for takedown last September, but this time the team was focused on a completely separate variant, Kelihos.B, with about 118,000 infected endpoints. While that does not seem like much, it still equates to millions of spam messages and far too many opportunities for the bot to spread further once established in the U.S., Poland, and Turkey. As such, Dell and its partners decided it had to go.

The takedown operation was a success, but the effect was short lived. One week after Kelihos.B was forced to halt operations, its controllers released a third variant (Kelihos.C) and resumed operations. The new version is similar to its predecessor in functionality and in its low anti-virus detection rates, but the changes made during its creation mean the controllers have had to start over when it comes to their installation base.

“These actions indicate that the criminals are well-funded and determined to maintain a botnet. However, their modifications such as changing the encryption means there is no mechanism for the botnet controllers to regain control of the Kelihos.B botnet. In addition, the worm known as Fifesock that has been used to drop Kelihos.B does not have the ability to update or install new Kelihos binaries,” wrote Dell SecureWorks’ Brett Stone-Gross.

In other words, the blog post continues, computers infected with Kelihos.B can communicate with neither Kelihos.C bots nor the command and control (C&C) infrastructure. Moreover, previously infected systems cannot be re-infected through an existing Fifesock worm infection.

A report on the takedown and birth of a third version of Waledac is available here.


Related: How a Security Industry Collective Shattered The Latest Hlux/Kelihos Botnet