Kelihos Botnet Detection and Threat Analysis
On Wednesday, March 21, 2012, Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project began an effort to disrupt the operations of the Waledac/Kelihos (aka Hlux) botnet. This botnet is similar in structure to the Storm Worm botnet, which was used for DDoS attacks; Kelihos, however, is generally used to send spam email, harvest email addresses and credentials, and steal Bitcoin wallets.
For readers concerned about botnet protection, the Dell SecureWorks Counter Threat Unit (CTU) has published a detailed analysis of the botnet together with a description of the network takeover. This article provides a brief overview of the Kelihos botnet threat.
Waledac/Kelihos Botnet Protection & Detection Statistics
Key detection findings from the CTU analysis:
- The Waledac/Kelihos botnet is distributed through pay-per-install (PPI) affiliate programs.
- The Kelihos botnet variant currently has low antivirus detection rates. Only Microsoft specifically detects the botnet as Kelihos.B.
- This Waledac/Kelihos botnet is a different variant from the one taken over by Kaspersky and Microsoft in September 2011.
- The Kelihos botnet currently consists of 118,000 systems (unique bot IDs).
- Poland, the United States, and Turkey are the three countries with the largest concentrations of infected systems.
Botnet Detection: Kelihos.C, the Next Attack Wave
Update as of Friday, March 30, 2012: In the week after this sinkhole operation began, the botnet operators abandoned Kelihos.B. At the same time, they purchased new malware installations through PPI affiliate programs and set up a new botnet, now known as Waledac/Kelihos.C, which is nearly identical to the previous botnet with only a few changes. These actions indicate that the criminals are well funded and determined to maintain and protect the botnet. However, their modifications, such as changing the encryption, mean that there is no mechanism by which the botnet controllers can regain control of the Kelihos.B botnet. In addition, the worm known as Fifesock, which has been used to drop Kelihos.B, does not have the ability to update or install new Kelihos botnet binaries. In other words, computers infected with Kelihos.B can no longer communicate with Kelihos.C bots or with the command and control (C2) infrastructure, and they cannot be reinfected through an existing Fifesock worm infection.