Botnets are particularly insidious: they use thousands of virus-infected computers whose owners are unaware that their machines are being used to send spam, launch denial-of-service attacks and steal data. But taking down a botnet poses challenges. The main problem is that legitimate security companies can’t use the same type of weapons as criminals.
A group of malware experts from the security companies Kaspersky Lab, CrowdStrike and Dell SecureWorks and from the Honeynet Project has worked together to disable the second version of the Kelihos botnet, which is significantly bigger than the one shut down by Microsoft and its partners.
Kelihos is used to send spam, carry out DDoS attacks, and steal online currency, such as bitcoin wallets. It operates as a so-called "peer-to-peer" bot network, which is more difficult to take down than one with centralized command-and-control (C&C) servers, according to Tillmann Werner, a senior researcher at CrowdStrike.
Seculert reports that Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading, even after the shutdown attempt by CrowdStrike and Kaspersky Lab this week. The peer-to-peer Kelihos botnet, also known as Hlux, was sucked into a 'sinkhole' by a small group of security experts from Kaspersky Lab, Dell SecureWorks, the CrowdStrike Intelligence Team and the Honeynet Project.
It's unclear who is behind Kelihos, he said. It was created last October after Microsoft used a sinkhole to halt the original Kelihos botnet, which had infected about 41,000 computers. The latest Kelihos used servers with hosts registered in Sweden, Russia and Ukraine that were controlled by a botmaster, according to CrowdStrike.
The machines are still infected, and the researchers are relying on ISPs to inform affected users. What is to say this botnet won’t just morph itself again? “That is a possibility,” said CrowdStrike’s Mr. Meyers. “But when that happens, we’ll be there to take it back down.”