The Inside Story of the Kelihos Takedown
Trailrunner7 writes "Earlier this week, Microsoft released an announcement about the disruption of the Kelihos botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams, and distributed denial-of-service attacks. The botnet had a complex, multi-tiered architecture as well as a custom communication protocol and three-level encryption. Kaspersky Lab researchers did the heavy lifting, reversing the protocol and cracking the encryption and then sink-holing the botnet. The company worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system."
Re: (Score:1)
Thankfully you're not Kaspersky Labs. I like the details they've provided.
out of curiosity, why wouldn't you advertise the fact that you, a security team, were involved in the takedown of a security threat?
Re: (Score:2, Interesting)
Because these botnets are run by, or closely work with, organised crime organisations.
If they become a big enough problem and cause enough damage then said organisations will probably have no qualms bringing the fight into meatspace.
Would Kaspersky continue doing this if one of their employees was murdered in retaliation?
Re: (Score:1)
So in other words, we have large corporations vs. organized crime. I fail to see how Kaspersky and Microsoft lose.
Re: (Score:2, Insightful)
Such a sentiment kind of falls flat on its face when the 2 big corps in question are kind of undeniably the good guys in this story. Possibly save your bile for the next time a MS anti-trust issue comes up, but in this article kindly keep your trap shut.
Good actions should be lauded, not condemned by ignorant slashdotters.
Re: (Score:2)
I have said it before, and I will say it again. Slashdot needs an astroturf rating.
- Dan.
Re: (Score:1)
Good actions should be lauded, not condemned by ignorant slashdotters.
I like your thinking:
Re: (Score:2)
Fix tiny part of huge problem
So in your opinion, none of the security fixes in Vista / Seven count for anything?
As long as flash and java continue to have terrible security flaws, Microsoft is liable for the consequences?
Re: (Score:2, Funny)
So in other words, we have large corporations vs. organized crime. I fail to see how Kaspersky and Microsoft lose.
Um.. probably because large corporations always win.
Going to get down modded for WOOSH. Just watch.
Re: (Score:1)
Re: (Score:1)
They probably would continue. Otherwise, the terrorists win.
Re: (Score:3)
Because the owners of these things are rather shady criminal types at best and you taking away their shiny thing that makes them tons of money is a great way of attracting attention of their underlings who come visit you and do shady criminal things to your knees at best.
Re: (Score:3)
There's so much money to be made that I doubt they've got time to be out breaking knees of corporate types. That just brings unwanted attention and heat.
They'll move on to something else, something probably more lucrative. They know that
Re: (Score:2)
"Langner also realized after analyzing the Stuxnet code that it was designed to disable a particular nuclear facility in Iran. That's serious business, he figured. Some Iranian nuclear scientists, he remembered, had been mysteriously killed. Langner published his findings anyway."
If someone (let's just say for example the US Government) were to devote years of work to creating a worm so adv
Re: (Score:2)
Wait, Iranian killing someone is hardly an argument. He might have seen someone's wife without her veil or missed afternoon prayers or driven 38 in a 40 mph zone. Maybe he dropped a centrifuge on his foot and hollered "Allah damn it!" Come on, they just gave a woman 40 lashes for updating her Facebook page.
Re: (Score:3)
Because the owners of these things are rather shady criminal types at best
Microsoft is a publicly listed company, Ballmer's not the owner, he's just the CEO.
all totally legal! (Score:2)
no vigilantism here. doo de doo. nope. not a bit.
Re: (Score:1)
The term vigilante comes from what again?
Oh yeah, committees of vigilance who were concerned citizens dealing with the problem of a lack of effective law enforcement.
But really, do you think that Microsoft and Kaspersky aren't working with the FBI, Secret Service, and everybody else concerned?
vigilantes: criminals who (Score:2)
operate without a judge, a jury, or a set of laws. no due process, no checks and balances. just a bunch of megacorporations, unaccountable to anyone, going out there and 'hunting down' people they dont like.
i.e. barbarianism.
Re: (Score:2)
operate without a judge, a jury, or a set of laws. no due process, no checks and balances. just a bunch of megacorporations, unaccountable to anyone, going out there and 'hunting down' people they dont like.
i.e. barbarianism.
operate without a judge, a jury, or a set of laws. no due process, no checks and balances. just a bunch of megacorporations, unaccountable to anyone, going out there and 'hunting down' people they dont like.
i.e. barbarianism.
I don't think it is that dire. Megacorporations actually are accountable, in ways that politicians can never be. You can't get accountability from somebody who has to woo the public to stay in office. Megacorps are accountable to their board of directors and to their stock holders, a far more important and influential constituency than fickle voters. I trust the CEOs of megacorporations to keep my best interest at heart far more than I trust politicians from any party, because CEOs can't hide from the
Re: (Score:2)
rats...I really didn't need to include the parent twice. :(
Microsoft Digital Crimes Unit (Score:2, Funny)
Re:Microsoft Digital Crimes Unit (Score:4, Funny)
I wonder if they ever caught the guy responsible for Windows ME.
Re: (Score:2)
No, sadly he died. He was coding with a BAC of 0.21 and ran his desk into a tree.
Re: (Score:1)
Created by Dick Wolf (Score:5, Funny)
"The company worked closely with Microsoft's Digital Crimes Unit (DCU)...."
These are their stories.
Re: (Score:1)
No, it's like the CTU, where they commit righteous atrocities in the name of justice.
Re: (Score:2)
you sunk my botnet! (Score:1)
Re: (Score:1)
Re: (Score:2)
> now i gotta start all over.
No you don't. In the next phase of the operation (it won't be publicized) they will work with a different, less well-known Russian "security" organization. In that phase it won't be the botnet that gets "taken down".
Encryption cracking? (Score:1)
Isn't that in violation of the DMCA?
Re: (Score:2)
They sound like the good guys for once. (Score:3)
I don't think I have EVER read a story about internet security where they weren't attacking some kid on a college campus for sharing music, or blaming someones grandfather of childporn. This is actually a refreshing story for a change.
Re: (Score:1)
Don't read much, do you...
Re: (Score:2, Funny)
Was it 867-5309?
Re: (Score:2)
Microsoft cleans up the mess it created. (Score:1)
Thank-you Microsoft. It is about time.
Re: (Score:3, Insightful)
Yeah because nobody else has a security problem with their software or setup.
http://kernel.org/ (How long has it been now?)
Wake me up when everyone grows up and realizes how hard our jobs truly are.
Re: (Score:2)
How does kernel.org being down affect me or my servers? It doesn't really.
How does Windows affect me and my servers? Yup. A hell of a lot more.
Messes from 8+ years ago, maybe. (Score:3, Interesting)
I would agree with this if this was posted sometime circa 2005 or before, but that really isn't the case now.
This malware and others like it can only take over if you open an e-mail, go to a bad website, download a bad executable, and run it. Let's break that down.
E-Mail: Any credible ISP and any web-based e-mail service (Yahoo/Gmail/Hotmail) will filter botnet spam. Even if you find said botnet e-mail in your spam folder and try to go to it, any modern web or desktop e-mail client will still warn you like
Re: (Score:1, Insightful)
I can't even believe this type of garbage is still posted here. Here, let me enlighten you a bit. Windows is the target of choice *because it is popular* and it has a *stable* API. The second tends to be a requirement for the former.
If another OS had cracked the 20% market share, you had better believe you would see it targeted too. OS X is only recently getting some attention here, but only by a very minor group of criminals; after all, 7% does not constitute a large userbase.
Finally, ALL the exploits on desktop
Re: (Score:1)
It's not simply API stability that counts here. ABI is far far more useful. Microsoft's is so homogeneous that you can even count on being able to hot-patch library binaries.
Re: (Score:2)
It's not simply a matter of popularity, but go on posting anonymously and making it personal if you really think you need to enlighten me.
Here's why:
1. UNIX based systems are used on a lot of business and banking facilities, which are much more valuable targets for some purposes than the typical home machine. If you want a botnet, yeah, you're going to prioritize having large numbers above many other considerations, but that would mean other types of cracking would not necessarily follow the same pa
Re: (Score:2)
If you can explain why, for example, the servers that hold data on 10,000+ clients get subjected to successful attacks in almost exactly the same proportions as home machines, heavily 'favoring' Microsoft, yet the various UNIX related operating systems are much, much more common there, then you can claim popularity makes all, or even much of, the difference.
What is the difference between a large server and a home user? It is the person sitting behind the keyboard. On one hand you have a highly qualified person who knows that they have a valuable system and who spends a lot of time locking down and testing the system.
On the other hand you have an average Joe who thinks their system would never be targeted by hackers, and who downloads and runs any random screensaver or funny program that gets sent to them without a second thought.
The biggest obstacle to securit
Re: (Score:1)
What is the difference between a large server and a home user? It is the person sitting behind the keyboard.
Ah, Microsoft apologists. As hilarious as they are delusional...
Re: (Score:2)
Ah, Microsoft apologists. As hilarious as they are delusional...
Wow, you are really not aiming for an insightful mod there! You can't actually come up with any valid discussion points, so you just go for insults. You might think that you are being anti-Microsoft, but in fact you are being anti-IT professional.
Do you seriously suggest that a system that is carefully put together with security in mind by a trained professional will be equally secure as one run by a person with no training and no interest doing anything but the bare minimum default installation? If so, the
Re: (Score:2)
I will take it as selective memory that you make no mention of the hugely popular Sendmail and BIND daemons, and their historically similarly hugely popular security issues...? UNIX had its problems in its day as well.
Re: (Score:1)
Finally, ALL the exploits on desktop start off as exploits vs. one of the apps running, like Firefox or Office or Acrobat or whatever is popular.
Nope. Some of them start off as exploits vs. the OS TCP stack, or OS-provided libraries or programs.
Re: (Score:2)
"Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom"
Microsoft is Iron Man?
soo what about the dictator of Tunisia (Score:2)
when he was running around stealing people's personal information?
oh wait. that was a business opportunity for Microsoft.
The last paragraph is priceless (Score:2)
How nice that this will only remain theoretical. Why, it would be awful if they experimented with this method of killing botnets. But I'm sure they're completely honest when they say they'd never do
Re: (Score:3)
remember Code Red? remember Code Green?
but they are correct - it would be illegal and would also be wrong. best to take down the C&C and let the lifeless and therefore useless net slowly get formatted into non-existence.
although i'm waiting for the creative botnet that puts a self destruct in - wiping the box if it can't contact the C&C for an extended time (say 2 weeks) so that the security people get stuck with the possibility of destroying people's data.
maybe i shouldn't give them any ideas.
Self Destruct = Forced Upgrade (Score:2)
And remember, Code Red/Green are 10 years old. :)
Wikipedia: The Code Red worm was a computer worm observed on the Internet on July 13, 2001.
Securelist: Net-Worm.Win32.CodeGreen.a, Detected: Sep 14 2001 09:23 GMT
Microsoft: Patch Q300972, [fix] Originally posted: June 18, 2001
Re: (Score:3)
yes - Code Green was a worm that used the exact same exploit as Code Red except it patched the hole and then spread itself in the same manner as Code Red. but if the box was rebooted then Code Green would be gone and the box would be patched.
Re: (Score:2)
although i'm waiting for the creative botnet that puts a self destruct in - wiping the box if it can't contact the C&C for an extended time (say 2 weeks) so that the security people get stuck with the possibility of destroying people's data.
maybe i shouldn't give them any ideas.
If they did that I think it would be a blessing. The people infected with these bots have become that way due to their own irresponsible or uneducated behaviour and are a danger to themselves and others; it is far better they are forced to do something about their machine than continue to live in ignorance. Perhaps it might teach them that downloading untrustworthy shit is a stupid idea (I doubt it, but one can hope).
Re: (Score:2)
Deary me... so every plumber and psychologist should read the kernel mailing list?
People (generally) care even less about more important stuff (read: general implosion of global economic finance) than their computer being "kinda weird when I go on facebook and stuff"
So anyway, you get around to fixing that leaky tap in the bathroom lately?
There is a better way to do this ... (Score:1)
But MSFT destroying industrial systems? (Score:2)
As for legality, extreme legacy software and hardware is still often used in industrial plants. The claims against MSFT for purposefully wiping one of those systems and shutting down the lines for weeks would be huge.
Whoever wrote that is probably smarter than thinking doing that will just wipe some old Pentium 2's still out in the wild that'll get replaced with a Win7 laptop the next time a social security check is cashed.
Re: (Score:3)
...what exactly?
Other than writing a vulnerable OS, I mean.
In all fairness, there ain't no other kind. Anyone who thinks otherwise is whistling past the graveyard. True, some are better than others, but that's comparing nearly-completely-immune-compromised with not-quite-completely-immune-compromised. In both cases it doesn't take much exposure to make you very sick - but some are not exposed as often. Running an obscure OS that nobody else runs, which is merely a form of security by obscurity, is still probably helping more than the particulars of the OS itsel
Re: (Score:2)
I mean, what exactly did Microsoft do that is in any way related to bringing down this botnet? From the description it looks like Kaspersky Labs did everything, and Microsoft just beat its chest really hard.
Re: (Score:2)
PROTIP: Not doing what you want, or not doing what you want YET =/= doing nothing.
Re: (Score:3)
Uh, they were not involved as they weren't a target. Note the keyword in the post regarding the word: registry, which Apple currently doesn't have. It has things that are similar, but their security architecture is vastly different than that of Windows.
That's how many now? (Score:2)
No information about cracking the encryption (Score:1)
Re: (Score:1)
It's simple really. Measure the traffic of an infected machine through wireshark. Once you've isolated an address and protocol that appears to be the one the bot is communicating with, then set up a dns entry, or host file entry to resolve that suspicious address to the local machine you redirected to. Depending on the protocol, you set up http, FTP or irc services on that sinkhole machine. Let the infected machine talk to the sinkhole machine at that point, while running ollydebug, and set break points. T
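An added example, not from the comment above or from Kaspersky, of its first two steps: scoring each destination seen in a traffic capture for regular beaconing (the bot checking in with its controller on a fixed timer), then emitting the hosts-file line that points the winning hostname at the analyst's sinkhole machine. The flow records and hostnames are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summary as Wireshark's conversation view might give it:
# (seconds since capture start, destination host, port, protocol).
FLOWS = [
    (0,   "www.example.com", 443, "tcp"),   # ordinary browsing (constructed)
    (5,   "cnc.example",      80, "tcp"),   # suspected bot check-in (constructed)
    (60,  "www.example.com", 443, "tcp"),
    (65,  "cnc.example",      80, "tcp"),
    (125, "cnc.example",      80, "tcp"),
    (130, "ns.example",       53, "udp"),
    (185, "cnc.example",      80, "tcp"),
    (245, "cnc.example",      80, "tcp"),
    (400, "www.example.com", 443, "tcp"),
]

def beacon_candidates(flows, min_count=4, max_jitter=0.2):
    """Group flows by (host, port, proto) and keep endpoints contacted at least
    min_count times with near-constant spacing: a low coefficient of variation
    (stdev / mean) of the inter-arrival gaps. Human browsing is bursty and
    scores badly; a timer-driven check-in scores near zero. Returns
    [(key, mean_gap_seconds, jitter)] sorted from most to least regular."""
    times = defaultdict(list)
    for ts, host, port, proto in flows:
        times[(host, port, proto)].append(ts)
    scored = []
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            scored.append((jitter, key, avg))
    scored.sort()
    return [(key, round(avg, 1), round(jitter, 3)) for jitter, key, avg in scored]

def hosts_sinkhole_line(hostname, sinkhole_ip="127.0.0.1"):
    """hosts-file entry that resolves the C&C hostname to the sinkhole box, so
    the infected machine's next check-in lands on a server the analyst runs."""
    return f"{sinkhole_ip}\t{hostname}\t# sinkhole (constructed example)"

if __name__ == "__main__":
    for key, gap, jitter in beacon_candidates(FLOWS):
        print(f"{key[0]}:{key[1]}/{key[2]} every {gap}s (jitter {jitter})")
        print(hosts_sinkhole_line(key[0]))
```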
Re: (Score:1)