Skip the navigation

Researchers smash Kelihos botnet with dose of its own poison

Botnet's peer-to-peer command structure 'backfired,' says take-down participant

March 29, 2012 01:53 PM ET

Computerworld - Security researchers from four different organizations last week brought down a botnet by turning a supposed strength of the criminals' spamming network into a fatal weakness.

Experts from CrowdStrike, Dell SecureWorks, the Honeynet Project and Kaspersky Lab crippled the second-coming of the Kelihos botnet on March 21 by "sinkholing" about 118,000 bot-infected computers using the hackers' own peer-to-peer network.

"Sinkholing" refers to the practice of legitimate researchers usurping control of a botnet by instructing the compromised machines to connect to alternate servers for instructions. If done correctly and thoroughly, the hackers lose contact with their bots and cannot reestablish communications.

After crawling the Kelihos peer-to-peer network and decrypting the communications between machines, the researchers introduced bogus nodes into the network that carried a "poisoned" peer list, which tells an infected PC where to look for instructions that are handed down by the criminals.

Once introduced, the poisoned peer list rapidly spread through the entire Kelihos botnet, as each infected PC received the researchers' contact list from a neighbor, then passed it on to other machines. Once duped, the infected computers were told to await orders from new top-tier controlling servers, systems under the command of the researchers.

"The peer list propagated very, very quickly," said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks, and one of those who collaborated on the Kelihos take-down.

"We took over the botnet network in a matter of minutes," Stone-Gross added, referring to the March 21 action.

That was so fast that the botnet's controllers had no time to react before the poisoned list had spread throughout Kelihos.

The tactic of turning a peer-to-peer network against itself isn't new -- Microsoft used it against the first-generation Kelihos in September 2011 when it hammered that botnet -- but in this month's strike, it was especially effective.

"This botnet was very well connected through peer-to-peer," said Stone-Gross, citing that supposed strength as the reason why the poisoned peer list propagated so rapidly. "A peer-to-peer network assumes an intrinsic level of trust, and in some cases that makes it very easy for an adversary to introduce fake nodes."

Botnet owners use a peer-to-peer command-and-control (C&C) structure as an alternative to a top-down C&C approach, where each bot looks to a few servers for orders. But that infrastructure can be subverted if researchers can seize the C&C servers, essentially beheading the botnet.

Seems that peer-to-peer isn't any smarter for cyber criminals.

The hackers likely built such an efficient peer-to-peer network -- according to Stone-Gross, each infected PC maintained a list of up to 250 other infected PCs to use for communicating with controllers -- in order to quickly issue orders and even updates.

Our Commenting Policies