Researchers from CrowdStrike, Dell SecureWorks, the Honeynet Project and Kaspersky Labs have worked together to take control of the Kelihos botnet.
The original botnet was taken down by a group including Kaspersky and Microsoft in September 2011; the new quartet says Kelihos.B is almost triple the size of the first incarnation. Kaspersky said it had neutralised more than 109,000 infected hosts, while the first Hlux/Kelihos botnet was estimated to have infected 40,000 hosts.
The security vendor also reported that, while the second botnet was new, the malware had been built from the same code as the original botnet, with some updates, including new infection methods and Bitcoin features for mining and wallet theft.
Kelihos.B also carried out similar botnet actions in using its network of infected computers to send spam, steal personal data and perform distributed denial-of-service (DDoS) attacks against specific targets.
The companies said they were able to take down the botnet with an operation that began on 19 March, for which they created a global network of distributed machines that were introduced into the botnet's peer-to-peer infrastructure. This ‘sinkhole’ increased its popularity in the network over time and allowed more infected computers to be brought under control, thereby preventing the malicious bot operators from reaching them.
As more infected machines were neutralised, the P2P architecture caused the botnet's infrastructure to ‘sink’: its strength weakened exponentially with each computer the operators lost control of.
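The two paragraphs above describe the dynamic of a peer-to-peer sinkhole: researcher-operated nodes enter the bots' peer lists, hand out only their own addresses when asked for peers, and so spread through the network until a bot knows nothing but sinkholes and can no longer be reached by the operators. The following toy simulation is an added illustration of that dynamic, not Kaspersky's or CrowdStrike's tooling and not Kelihos' actual peer protocol; every parameter (bot count, peer-list size, reply size, the share of bots that initially learn a sinkhole address) is a constructed assumption chosen to make the effect visible.

```python
"""Toy simulation of a peer-to-peer botnet being 'sunk' by sinkhole nodes.

Constructed illustration: bots hold a fixed-size peer list, periodically ask
one random peer for more peers, and keep the newest entries (FIFO).  Sinkhole
nodes answer every request with nothing but other sinkhole addresses, so a bot
that contacts one is immediately cut off, and a cut-off bot in turn only ever
refers its neighbours to sinkholes.  Neither the parameters nor the protocol
are Kelihos' real ones; they are assumptions made for the example.
"""
import random


def build_botnet(n_bots, peer_list_size, rng):
    """Every bot starts knowing a random set of other bots (no sinkholes yet)."""
    return {
        b: rng.sample([p for p in range(n_bots) if p != b], peer_list_size)
        for b in range(n_bots)
    }


def merge(peer_list, new_entries, peer_list_size):
    """FIFO peer-list update: new (deduplicated) entries go to the end,
    the oldest entries beyond the list size are dropped."""
    fresh = list(dict.fromkeys(new_entries))
    kept = [p for p in peer_list if p not in set(fresh)]
    return (kept + fresh)[-peer_list_size:]


def is_neutralised(peer_list, sinkholes):
    """A bot is out of the operators' reach once every peer it knows is a sinkhole."""
    return all(p in sinkholes for p in peer_list)


def simulate(n_bots=300, n_sinkholes=20, peer_list_size=10, reply_size=3,
             seed_fraction=0.05, rounds=60, seed=7):
    """Run the gossip rounds and return, per round, the fraction of bots that
    are neutralised (know only sinkholes).  The state is absorbing: a
    neutralised bot only ever hears about sinkholes, so the fraction never
    drops."""
    assert n_sinkholes >= peer_list_size, "sinkhole must be able to fill a whole list"
    rng = random.Random(seed)
    sinkholes = [f"sink-{i}" for i in range(n_sinkholes)]   # constructed ids
    sinkhole_set = set(sinkholes)
    peers = build_botnet(n_bots, peer_list_size, rng)

    # Researchers introduce their nodes: a small share of bots learns one
    # sinkhole address (models the sinkhole being announced into the network).
    n_seeded = round(seed_fraction * n_bots)
    for b in rng.sample(range(n_bots), n_seeded):
        peers[b] = merge(peers[b], [rng.choice(sinkholes)], peer_list_size)

    history = []
    for _ in range(rounds):
        for b in rng.sample(range(n_bots), n_bots):        # random update order
            contact = rng.choice(peers[b])
            if contact in sinkhole_set:
                # A sinkhole 'poisons' the whole list with sinkhole addresses.
                reply = rng.sample(sinkholes, peer_list_size)
            else:
                # An ordinary bot (neutralised or not) shares a few of its peers.
                reply = rng.sample(peers[contact], reply_size)
            peers[b] = merge(peers[b], reply, peer_list_size)
        neutralised = sum(is_neutralised(pl, sinkhole_set) for pl in peers.values())
        history.append(neutralised / n_bots)
    return history


if __name__ == "__main__":
    for rnd, frac in enumerate(simulate(), start=1):
        print(f"round {rnd:2d}: {frac:6.1%} of bots know only sinkholes")
```

Two properties of the model are worth noticing when reading the output. First, the neutralised share never decreases, because a bot whose list is all sinkholes can only ever be told about more sinkholes; this is what the article means by the infrastructure ‘sinking’. Second, growth accelerates rather than staying linear: once a bot is neutralised, every other bot that still lists it as a peer is now one request away from being poisoned too, so the sinkhole's ‘popularity’ compounds through the existing peer graph. With `seed_fraction=0.0` no sinkhole address is ever introduced and the share stays at zero, which is the control case.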
The operation over the past nine days has rendered the botnet inoperable, allowing Kaspersky's staff to conduct data mining to track the number of infections and their geographical locations. They found that the majority of infected IP addresses were located in Poland.