Researchers smash Kelihos botnet with dose of its own poison
Botnet's peer-to-peer command structure 'backfired,' says take-down participant
Computerworld - Security researchers from four different organizations last week brought down a botnet by turning a supposed strength of the criminals' spamming network into a fatal weakness.
Experts from CrowdStrike, Dell SecureWorks, the Honeynet Project and Kaspersky Lab crippled the second-coming of the Kelihos botnet on March 21 by "sinkholing" about 118,000 bot-infected computers using the hackers' own peer-to-peer network.
"Sinkholing" refers to the practice of legitimate researchers usurping control of a botnet by instructing the compromised machines to connect to alternate servers for instructions. If done correctly and thoroughly, the hackers lose contact with their bots and cannot reestablish communications.
After crawling the Kelihos peer-to-peer network and decrypting the communications between machines, the researchers introduced bogus nodes into the network that carried a "poisoned" peer list, which tells an infected PC where to look for instructions that are handed down by the criminals.
Once introduced, the poisoned peer list rapidly spread through the entire Kelihos botnet, as each infected PC received the researchers' contact list from a neighbor, then passed it on to other machines. Once duped, the infected computers were told to await orders from new top-tier controlling servers, systems under the command of the researchers.
"The peer list propagated very, very quickly," said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks, and one of those who collaborated on the Kelihos take-down.
"We took over the botnet network in a matter of minutes," Stone-Gross added, referring to the March 21 action.
That was so fast that the botnet's controllers had no time to react before the poisoned list had spread throughout Kelihos.
The tactic of turning a peer-to-peer network against itself isn't new -- Microsoft used it against the first-generation Kelihos in September 2011 when it hammered that botnet -- but in this month's strike, it was especially effective.
"This botnet was very well connected through peer-to-peer," said Stone-Gross, citing that supposed strength as the reason why the poisoned peer list propagated so rapidly. "A peer-to-peer network assumes an intrinsic level of trust, and in some cases that makes it very easy for an adversary to introduce fake nodes."
Botnet owners use a peer-to-peer command-and-control (C&C) structure as an alternative to a top-down C&C approach, where each bot looks to a few servers for orders. But that infrastructure can be subverted if researchers can seize the C&C servers, essentially beheading the botnet.
Seems that peer-to-peer isn't any smarter for cyber criminals.
The hackers likely built such an efficient peer-to-peer network -- according to Stone-Gross, each infected PC maintained a list of up to 250 other infected PCs to use for communicating with controllers -- in order to quickly issue orders and even updates.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts