Not too long ago, Microsoft and other security researchers were heralding the fall of the Kelihos botnet. It now appears, however, that whoever is behind it is fighting the efforts to take it down.
Botnet shutdowns via sinkholing – where researchers redirect the malicious traffic from each bot to a server under their control – have become a prominent weapon in the fight against spammers. But while sinkholing has its advantages, the persistence of Kelihos shows the method has its limitations when the criminals behind a botnet remain at large, argued Kaspersky Lab analyst Maria Garnaeva.

According to Kaspersky Lab, the botnet, also known as Hlux, was updated shortly after last fall's takedown in several ways. The updated malware performs the encryption and packing of messages in its communication protocol in a different order. It also forms packets more carefully: every packet, incoming and outgoing, now carries a checksum of its data in the header. The encryption keys were changed as well.
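As an added illustration (not code from the original article, from Kaspersky Lab or from the malware itself), the following Python toy models the three protocol changes listed above: the order of encryption and packing swapped, a checksum added to every packet header, and new keys. The cipher (repeating-key XOR), the keys, the compressor (zlib) and the checksum (CRC32 in a little-endian header) are assumptions chosen for illustration. What it shows is the consequence for a takedown team: a peer emulator or sinkhole written against the old format neither produces packets an updated bot accepts nor reads the updated bot's traffic, until the new format has been reverse-engineered.

```python
import struct
import zlib

# Constructed toy model of the protocol change described above. The cipher
# (repeating XOR), the keys, the compressor (zlib) and the checksum (CRC32,
# little-endian header) are assumptions for illustration only; the page does
# not disclose what Hlux/Kelihos actually uses.
OLD_KEY = b"\x5a\xc3\x9e\x11"
NEW_KEY = b"\x7d\x02\xb4\xe9"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric repeating-key XOR; stands in for the real cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def old_build(payload: bytes) -> bytes:
    """Pre-takedown order: encrypt first, then pack (compress). No checksum."""
    return zlib.compress(xor_crypt(payload, OLD_KEY))


def old_parse(packet: bytes) -> bytes:
    """Pre-takedown parser: unpack, then decrypt; trusts whatever it is given."""
    return xor_crypt(zlib.decompress(packet), OLD_KEY)


def new_build(payload: bytes) -> bytes:
    """Post-takedown order: pack first, then encrypt; header = CRC32 of the body."""
    body = xor_crypt(zlib.compress(payload), NEW_KEY)
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body


def new_parse(packet: bytes) -> bytes:
    """Post-takedown parser: verify the header checksum before touching the body."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (expected,) = struct.unpack("<I", packet[:4])
    body = packet[4:]
    if zlib.crc32(body) & 0xFFFFFFFF != expected:
        raise ValueError("checksum mismatch")
    return zlib.decompress(xor_crypt(body, NEW_KEY))


def accepts(parser, packet: bytes) -> bool:
    """True if a peer speaking the parser's protocol version accepts the packet."""
    try:
        parser(packet)
        return True
    except (ValueError, zlib.error):
        return False


# Constructed sample message: a controller-list update of the kind a botmaster
# might push. The addresses are documentation ranges, not real controllers.
SAMPLE = b"CTRL-LIST 198.51.100.7:80 203.0.113.9:443\n"

if __name__ == "__main__":
    old_pkt, new_pkt = old_build(SAMPLE), new_build(SAMPLE)
    print("old bot <- old packet:", accepts(old_parse, old_pkt))  # True
    print("new bot <- old packet:", accepts(new_parse, old_pkt))  # False: no valid checksum header
    print("old bot <- new packet:", accepts(old_parse, new_pkt))  # False: header bytes are not zlib data
    print("new bot <- new packet:", accepts(new_parse, new_pkt))  # True
```

Run directly, it prints the four-way compatibility matrix between old and new peers. Note that the updated parser checks the checksum before decrypting, so a packet that was tampered with or truncated in transit is rejected without the decryption and decompression code ever seeing it; a sinkhole that wants updated bots to talk to it has to reproduce the new header exactly, not just the new key.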
“Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet,” Garnaeva wrote in a blog post. “The controllers list in the new version remained almost the same and slightly changed over time.”
The news comes a week after Microsoft took the step of publicly naming the man they say is behind the botnet, Andrey N. Sabelnikov of St. Petersburg, Russia. Sabelnikov’s name was added to a civil suit the company filed in an effort to take the botnet down. However, the Russian programmer has denied any involvement.
“I am absolutely not guilty, have never been involved in handling botnets or any other similar programs and what is more have never made any profit from such activity,” he wrote in a blog post. “I want to highlight that I have no connection either to the activity of Kelihos or to the distribution of spam.”
At its peak, the botnet controlled tens of thousands of computers, and is reputed to have sent out nearly 4 billion spam messages on a daily basis. The botnet continues to get orders from spammers and to send spam in different languages. According to Garnaeva, the controllers list in the new version remains almost the same as the previous version.
The update, she added, shows that a botnet cannot be neutralized simply by taking over the controller machines or substituting the controller list: if the botmaster is still at large and knows the IP addresses of the active router nodes, he can connect to them directly and push out a bot update together with a new controller list.
“It is still possible,” she continued, “to neutralize the botnet with sinkholing but using slightly different techniques than were used before…We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end.”