ZEUS Botnet, Crowdstrike and Kelihos Takedowns
Botnet takedowns are exciting. Researchers explain how they’ve infiltrated the shadowy world of botnets and wrested control away from the unknown botmasters who are intent on controlling our computers for their nefarious purposes. Thanks to their technical expertise, our computers are safe again, at least, until the next infection.
On Mar. 26, Microsoft announced Operation B-71, in which its Digital Crimes Unit worked with industry partners and law enforcement to seize over 100 domains and shut down servers used to control a group of Zeus botnets. Kaspersky Lab followed up three days later with its own shutdown story with Crowdstrike and Dell SecureWorks to take over the Kelihos botnet, which may have had 116,000 machines under its control.
In the days since, it appears that the criminals have resumed operations.
“It’s good technical work by all those concerned, but has also proved to be ineffective if the objective was to actually take down the botnet,” said Gunter Ollmann, vice-president of research at Damballa.
It turns out that as long as the criminals remain at large, botnets don’t actually stay dead for long.
In the case of Kelihos, Microsoft and Kaspersky had already shut down the first version of the Kelihos botnet last September. The gang simply moved on and started up a new botnet with slightly modified source code. The latest attempt infiltrated the peer-to-peer network through which the zombies in Hlux.B (Kelihos version 2) received their instructions. Kaspersky’s sinkhole operation was effective, as the gang abandoned the botnet within a few days.
Sinkholing refers to the process of diverting network traffic away from its intended destination. In this case, the code instructed a handful of infected machines to connect to and get instructions from a server controlled by the “good guys.” Those bots, in turn, passed the new instructions on to other machines, which then passed them on further, until the botmasters no longer had control over the machines.
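As an added illustration (not part of the original article, and not the tooling Kaspersky or Crowdstrike used), the following toy model shows how the peer-list poisoning described above propagates through a peer-to-peer botnet round by round, and why bots that never poll a captured peer stay under the botmaster's control. The ring topology, the bot names and the "sinkhole" label are constructed assumptions.

```python
# Toy model of a P2P botnet sinkhole (constructed example, not real botnet code).
# Each bot holds a list of peers it polls for instructions. When a bot polls a
# peer that has already been redirected, it receives the same redirected list.

SINKHOLE = "sinkhole"  # label for the researcher-controlled server


def build_p2p_botnet(n_bots, fanout):
    """Constructed ring topology: bot i knows the next `fanout` bots in the ring."""
    return {
        f"bot{i}": [f"bot{(i + k) % n_bots}" for k in range(1, fanout + 1)]
        for i in range(n_bots)
    }


def sinkhole(peers, seeds):
    """Seed bots are told to fetch instructions from the sinkhole; every bot
    that polls an already-captured peer learns the same redirected list.

    Returns (rounds, captured_bots, bots_still_under_botmaster_control)."""
    peers = {bot: list(plist) for bot, plist in peers.items()}  # do not mutate input
    captured = set(seeds)
    for seed in seeds:
        peers[seed] = [SINKHOLE]
    rounds = 0
    while len(captured) < len(peers):
        # A bot is captured this round if any peer it polls is already captured.
        newly = {
            bot for bot, plist in peers.items()
            if bot not in captured and any(p in captured for p in plist)
        }
        if not newly:
            break  # remaining bots never reach a captured peer: partition survives
        rounds += 1
        for bot in newly:
            peers[bot] = [SINKHOLE]
        captured |= newly
    return rounds, captured, set(peers) - captured


if __name__ == "__main__":
    net = build_p2p_botnet(12, 2)
    net["lone"] = ["dead-c2"]  # constructed: a bot whose only peer is unreachable
    rounds, captured, left = sinkhole(net, ["bot0"])
    print(f"{rounds} rounds, {len(captured)} captured, still live: {sorted(left)}")
```

The leftover set is the point the article makes: a sinkhole only captures the bots that end up polling a redirected peer, so anything outside that reachable set (or re-infected with a new variant) is still the botmaster's.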
That didn’t mean the botnet was dead, really, as Seculert researchers observed Kelihos still spreading on Facebook by tricking users into clicking on a malicious photo album link. The gang regrouped fairly quickly after the sinkhole operation and began rebuilding the botnet. In fact, some of the victims who had been infected with Hlux.B may have been re-infected by the new version.
Kaspersky confirmed that Kelihos was still operating, but insisted it was a new variant. “We confirm that a new Hlux/Kelihos sample exists but it has a different configuration, which means it’s coming from a new Hlux botnet (Hlux C),” said Marco Preuss, Kaspersky’s head of global research and analysis in Germany.
Zeus Still Alive?
Microsoft seized over 100 domains and servers belonging to botnets that were created using the Zeus crimeware kit. The goal was to “disrupt” criminal operations, according to Richard Boscovich, a senior attorney with Microsoft’s Digital Crimes Unit.
Researchers at FireEye Malware Intelligence Lab identified 156 different domains which had been actively used by one of the botnets shut down by Microsoft. Three days after Microsoft announced its shutdown efforts, 147 were under Microsoft control, but three appeared to be active and sending malicious instructions to infected zombies, Atif Mushtaq, head of research at FireEye Malware Intelligence Lab, wrote on the company’s blog. The remaining six showed no malicious activity, according to FireEye.
“One botnet was able to recover partially from the takeover attempt,” Mushtaq wrote. “Without these domains completely destroyed, this botnet can not be officially declared as dead,” he added.
It’s not clear whether FireEye is claiming Microsoft lost control of those three domains, or if Microsoft never seized them. I will update this post once Microsoft and FireEye clarify this point.
Botnet Operators Need to be Arrested
Instead of claiming that these operations shut down botnets, it would be more precise to say that criminal operations have been disrupted, Ollmann said. That’s pretty much in line with what Boscovich said regarding the Zeus operation.
The fact that criminals are able to release an updated variant and be back up and running pretty quickly “reflects the futility of much of the current takedown effort,” Ollmann said. The only way to stop this cycle of shutting down one botnet, only to have the same perpetrators spring up another, is to take out the criminals at the top, Ollmann said.
To be fair, Kaspersky and Crowdstrike both acknowledge that their technical efforts are only temporary, and that the criminals have to be arrested in order to permanently shut down botnets. Without new legislation to help law enforcement work with counterparts in other countries to track and apprehend these criminal organizations, these groups will remain at large, Preuss said during the press conference last week.
Just as a final point, though, takedown attempts sometimes do work. All reports show that spam-spewing Rustock remains inactive, more than a year after Microsoft seized the U.S.-based servers controlling the botnet.
More information to be found at:
By Ulrich Seldeslachts
Copyright LSEC vzw 2007-2008 with the support of the IWT.