Researchers smash Kelihos botnet with dose of its own poison
Botnet's peer-to-peer command structure 'backfired,' says take-down participant
Computerworld - Security researchers from four different organizations last week brought down a botnet by turning a supposed strength of the criminals' spamming network into a fatal weakness.
Experts from CrowdStrike, Dell SecureWorks, the Honeynet Project and Kaspersky Lab crippled the second-coming of the Kelihos botnet on March 21 by "sinkholing" about 118,000 bot-infected computers using the hackers' own peer-to-peer network.
"Sinkholing" refers to the practice of legitimate researchers usurping control of a botnet by instructing the compromised machines to connect to alternate servers for instructions. If done correctly and thoroughly, the hackers lose contact with their bots and cannot reestablish communications.
After crawling the Kelihos peer-to-peer network and decrypting the communications between machines, the researchers introduced bogus nodes into the network that carried a "poisoned" peer list, which tells an infected PC where to look for instructions that are handed down by the criminals.
Once introduced, the poisoned peer list rapidly spread through the entire Kelihos botnet, as each infected PC received the researchers' contact list from a neighbor, then passed it on to other machines. Once duped, the infected computers were told to await orders from new top-tier controlling servers, systems under the command of the researchers.
"The peer list propagated very, very quickly," said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks, and one of those who collaborated on the Kelihos take-down.
"We took over the botnet network in a matter of minutes," Stone-Gross added, referring to the March 21 action.
That was so fast that the botnet's controllers had no time to react before the poisoned list had spread throughout Kelihos.
The tactic of turning a peer-to-peer network against itself isn't new -- Microsoft used it against the first-generation Kelihos in September 2011 when it hammered that botnet -- but in this month's strike, it was especially effective.
"This botnet was very well connected through peer-to-peer," said Stone-Gross, citing that supposed strength as the reason why the poisoned peer list propagated so rapidly. "A peer-to-peer network assumes an intrinsic level of trust, and in some cases that makes it very easy for an adversary to introduce fake nodes."
Botnet owners use a peer-to-peer command-and-control (C&C) structure as an alternative to a top-down C&C approach, where each bot looks to a few servers for orders. But that infrastructure can be subverted if researchers can seize the C&C servers, essentially beheading the botnet.
Seems that peer-to-peer isn't any smarter for cyber criminals.
The hackers likely built such an efficient peer-to-peer network -- according to Stone-Gross, each infected PC maintained a list of up to 250 other infected PCs to use for communicating with controllers -- in order to quickly issue orders and even updates.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Cybercrime and Hacking White Papers | Webcasts