Kelihos botnet taken down live on stage

Botnet expert Tillmann Werner at the RSA Conference in San Francisco

Tillmann Werner from Crowdstrike killed the Kelihos botnet in front of his audience during a presentation at the RSA Conference. The malware network, which is now in its third generation, sends out the usual Viagra spam, steals Bitcoin wallets and harvests users' login data. Werner says that the same gang that operates Kelihos was previously also behind the Waledac and Storm botnets.

The researcher infiltrated the community of zombie clients with a PC that could use the bots' legitimate communication protocol to communicate with the infected computers. The PC then used this channel within the malware's peer-to-peer network to distribute a list of 500 IP addresses of supposed neighbouring nodes within the botnet. The bots can't store more than 500 addresses locally and use these lists to inform each other of the network pathways to the command & control servers that send out work instructions to the bots.

In Tillmann Werner's "attack" scenario, the 500 entries all pointed to the same destination: a sinkhole server that is operated by Werner and other experts such as those working for the Shadowserver Foundation, a project that specialises in fighting malware networks.

When analysing the malware network's communication protocol, Werner discovered that this portion of the data exchange is not digitally signed, which makes it vulnerable to forged messages. In addition, Werner said that the bots' duplicate check that is supposed to filter out duplicate IP addresses can be bypassed because it has a weakness: the creators of the malware allowed four bytes for determining the TCP port, but two bytes would be sufficient. This enabled the researchers to use the higher two bytes to generate superficially different port entries for the same IP addresses on the list. Effectively, however, the entries all pointed to port 80, which is used for data exchanges within the botnet.

Audience members were able to witness the gradual death of the botnet live on a world map. The picture shows the situation around three minutes after the start of the take-down

Once the infected PCs had been in contact with the sinkhole, the server provided them with nonsensical work instructions that would keep the bots busy while being harmless. Together with the 500 IP addresses, the researchers also transmitted new blacklist entries to the zombie PCs. The new entries referred to the six currently known command & control proxy servers of the Kelihos network. This meant that the botnet operators couldn't send new configurations to the infected PCs.

Tillmann Werner says that he consulted international agencies such as the FBI about his plans and that he also took legal advice. The researchers plan to provide the authorities and the Shadowserver Foundation with the IP addresses of the infected servers that connected to the sinkhole as soon as possible to ensure that victims' ISPs can be notified.

How long this blow will keep the botmasters from pursuing their criminal activities is an entirely different question: when the previous version, Kelihos.b, was taken down, Werner said that it only took 20 minutes before the now disabled successor, Kelihos.c, had grown to 40,000 zombie PCs. The researcher plans to announce the size of Kelihos.c at the time it was taken down in a blog post over the next few days.

Werner is no stranger in the security scene: together with other researchers, he has also identified similar vulnerabilities in infrastructures such as that of the Storm worm.

(Uli Ries / fab)