Botnets are particularly insidious: they use thousands of virus-infected computers whose owners are unaware that their machines are being used to send out spam, launch denial-of-service attacks and steal data. But taking down a botnet poses challenges. The main problem is that legitimate security companies can't use the same type of weapons as criminals.
A group of malware experts from security companies Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project, have worked together to disable the second version of the Kelihos botnet, which is significantly bigger than the one shut down by Microsoft and its partners.
Kelihos is used to send spam, carry out DDoS attacks, and steal online currency such as bitcoin wallets. It operates as a so-called "peer-to-peer" bot network, which is more difficult to take down than one with centralized command and control (C&C) servers, according to Tillmann Werner, a senior researcher at CrowdStrike.
Seculert reports that Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading - even after the shutdown attempt by CrowdStrike and Kaspersky Lab this week. The peer-to-peer Kelihos botnet, also known as Hlux, was sucked into a 'sinkhole' by a small group of security experts from Kaspersky Lab, Dell SecureWorks, the CrowdStrike Intelligence Team and the Honeynet Project.
It's unclear who is behind Kelihos, he said. It was created last October after Microsoft used a sinkhole to halt the original Kelihos botnet, which had infected about 41,000 computers. The latest Kelihos used servers with hosts registered in Sweden, Russia and Ukraine that were controlled by a botmaster, according to CrowdStrike.
The machines are still infected, and the researchers are relying on ISPs to inform affected users. What is to say this botnet won't just morph itself again? "That is a possibility," said Crowdstrike's Mr. Meyers. "But when that happens, we'll be there to take it back down."