Researchers smash Kelihos botnet with dose of its own poison

Botnet's peer-to-peer command structure 'backfired,' says take-down participant

Security researchers from four different organizations last week brought down a botnet by turning a supposed strength of the criminals' spamming network into a fatal weakness.

Experts from CrowdStrike, Dell SecureWorks, the Honeynet Project and Kaspersky Lab crippled the second-coming of the Kelihos botnet on March 21 by "sinkholing" about 118,000 bot-infected computers using the hackers' own peer-to-peer network.

"Sinkholing" refers to the practice of legitimate researchers usurping control of a botnet by instructing the compromised machines to connect to alternate servers for instructions. If done correctly and thoroughly, the hackers lose contact with their bots and cannot reestablish communications.

After crawling the Kelihos peer-to-peer network and decrypting the communications between machines, the researchers introduced bogus nodes into the network that carried a "poisoned" peer list, which tells an infected PC where to look for instructions that are handed down by the criminals.

Once introduced, the poisoned peer list rapidly spread through the entire Kelihos botnet, as each infected PC received the researchers' contact list from a neighbor, then passed it on to other machines. Once duped, the infected computers were told to await orders from new top-tier controlling servers, systems under the command of the researchers.

"The peer list propagated very, very quickly," said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks, and one of those who collaborated on the Kelihos take-down.

"We took over the botnet network in a matter of minutes," Stone-Gross added, referring to the March 21 action.

That was so fast that the botnet's controllers had no time to react before the poisoned list had spread throughout Kelihos.

The tactic of turning a peer-to-peer network against itself isn't new -- Microsoft used it against the first-generation Kelihos in September 2011 when it hammered that botnet -- but in this month's strike, it was especially effective.

"This botnet was very well connected through peer-to-peer," said Stone-Gross, citing that supposed strength as the reason why the poisoned peer list propagated so rapidly. "A peer-to-peer network assumes an intrinsic level of trust, and in some cases that makes it very easy for an adversary to introduce fake nodes."

Botnet owners use a peer-to-peer command-and-control (C&C) structure as an alternative to a top-down C&C approach, where each bot looks to a few servers for orders. But that infrastructure can be subverted if researchers can seize the C&C servers, essentially beheading the botnet.

Seems that peer-to-peer isn't any smarter for cyber criminals.

The hackers likely built such an efficient peer-to-peer network -- according to Stone-Gross, each infected PC maintained a list of up to 250 other infected PCs to use for communicating with controllers -- in order to quickly issue orders and even updates.

But it was that same efficiency that let researchers quickly subvert the botnet.

Although the hackers have abandoned the 100,000+ PCs that Stone-Gross and his colleagues have sinkholed, they have not gone away.

Israeli security firm Seculert said today that the Kelihos makers have been using malware spread through Facebook to build up their botnet, and continued to do so even after last week's sinkholing.

Stones-Gross, meanwhile, said there was evidence that those behind Kelihos had turned to pay-per-install affiliates -- who are rewarded for each machine they infect -- to compromise new machines that could then be loaded with the bot.

The criminals have bounced back before: Although the botnet Microsoft and others disabled last year is still incommunicado, the same hackers returned to the Internet earlier this year with a variant of the malware that infected even more PCs.

It was that second-generation Kelihos botnet that CrowdStrike, SecureWorks and others took offline last week.

Stone-Gross maintained that the take-down had been a success no matter how the hackers reacted in the future.

"The overall effectiveness of a peer-to-peer [infrastructure] has been overestimated," said Stone-Gross. "There's a lot of complexity involved [in any take-down], but in the end, they're putting a lot of trust in each node. And it backfired on them."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is

See more by Gregg Keizer on

Copyright © 2012 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon