
The Inside Story of the Kelihos Takedown

Trailrunner7 writes "Earlier this week, Microsoft released an announcement about the disruption of the Kelihos botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams, and distributed denial-of-service attacks. The botnet had a complex, multi-tiered architecture as well as a custom communication protocol and three-level encryption. Kaspersky Lab researchers did the heavy lifting, reversing the protocol and cracking the encryption and then sink-holing the botnet. The company worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system."
  • ... what, do they arrest themselves?
  • by MobileTatsu-NJG ( 946591 ) on Thursday September 29, 2011 @09:37PM (#37562074)

    "The company worked closely with Microsoft's Digital Crimes Unit (DCU)...."

    These are their stories.

  • fsck, man, do you know how long it took me to set up that botnet? get it just how I wanted it? now i gotta start all over.
    • go back to russia, you mafioso!
    • > now i gotta start all over.

      No you don't. In the next phase of the operation (it won't be publicized) they will work with a different, less well-known Russian "security" organization. In that phase it won't be the botnet that gets "taken down".

  • by Anonymous Coward

    Isn't that in violation of the DMCA?

  • by ludomancer ( 921940 ) on Thursday September 29, 2011 @09:53PM (#37562176)

    I don't think I have EVER read a story about internet security where they weren't attacking some kid on a college campus for sharing music, or blaming someone's grandfather for child porn. This is actually a refreshing story for a change.

    • by Anonymous Coward

      Don't read much, do you...

  • It is nice to see Microsoft clean up the malware mess that is endemic in the Windows world. Microsoft Windows has always looked to me as if it were designed with a "features are more important than security" attitude. Now that the ramifications of that design strategy are coming home to roost, Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom.

    Thank you, Microsoft. It is about time.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Yeah because nobody else has a security problem with their software or setup. (How long has it been now?)

      Wake me up when everyone grows up and realizes how hard our jobs truly are.

      • How does being down affect me or my servers? It doesn't really.

        How does Windows affect me and my servers? Yup. A hell of a lot more.

    • I would agree with this if this was posted sometime circa 2005 or before, but that really isn't the case now.

      This malware and others like it can only take over if you open an e-mail, go to a bad website, download a bad executable, and run it. Let's break that down.

      E-Mail: Any credible ISP and any web-based e-mail service (Yahoo/Gmail/Hotmail) will filter botnet spam. Even if you find said botnet e-mail in your spam folder and try to go to it, any modern web or desktop e-mail client will still warn you like

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I can't even believe this type of garbage is still posted here. Here, let me enlighten you a bit. Windows is the target of choice *because it is popular* and it has a *stable* API. The second tends to be a requirement for the former.

      If another OS had cracked the 20% market share, you better believe it you would see it targeted too. OS X only recently is getting some attention here, but only by a very minor group of criminals; after all, 7% does not constitute a large userbase.

      Finally, ALL the exploits on desktop

      • by Anonymous Coward

        It's not simply API stability that counts here. ABI is far far more useful. Microsoft's is so homogeneous that you can even count on being able to hot-patch library binaries.

      • It's not simply a matter of popularity, but go on posting anonymously and making it personal if you really think you need to enlighten me.
        Here's why:
        1. UNIX based systems are used on a lot of business and banking facilities, which are much more valuable targets for some purposes than the typical home machine. If you want a botnet, yeah, you're going to prioritize having large numbers above many other considerations, but that would mean other types of cracking would not necessarily follow the same pa

        • If you can explain why, for example, the servers that hold data on 10,000+ clients get subjected to successful attacks in almost exactly the same proportions as home machines, heavily 'favoring' Microsoft, yet the various UNIX related operating systems are much, much more common there, then you can claim popularity makes all, or even much of, the difference.

          What is the difference between a large server and a home user? It is the person sitting behind the keyboard. On one hand you have a highly qualified person who knows that they have a valuable system and who spends a lot of time locking down and testing the system.

          On the other hand you have an average Joe who thinks their system would never be targeted by hackers, and who downloads and runs any random screensaver or funny program that gets sent to them without a second thought.

          The biggest obstacle to securit

          • > What is the difference between a large server and a home user? It is the person sitting behind the keyboard.

            Ah, Microsoft apologists. As hilarious as they are delusional...

            • > Ah, Microsoft apologists. As hilarious as they are delusional...

              Wow, you are really not aiming for an insightful mod there! You can't actually come up with any valid discussion points, so you just go for insults. You might think that you are being anti-Microsoft, but in fact you are being anti-IT professional.

              Do you seriously suggest that a system that is carefully put together with security in mind by a trained professional will be equally secure as one run by a person with no training and no interest doing anything but the bare minimum default installation? If so, the

        • I will take it as selective memory that you make no mention of the hugely popular Sendmail and BIND daemons, and their historically similarly hugely popular security issues...? UNIX had its problems in its day as well.

      • by m50d ( 797211 )

        > Finally, ALL the exploits on desktop start off as exploits vs. one of the apps running, like Firefox or Office or Acrobat or whatever is popular.

        Nope. Some of them start off as exploits vs. the OS TCP stack, or OS-provided libraries or programs.

    • "Microsoft is participating in the fight against the very criminal element that Microsoft allowed to blossom"

      Microsoft is Iron Man?

  • when he was running around stealing people's personal information?

    oh wait. that was a business opportunity for Microsoft.

  • "Interestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot's update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries and will thus remain theory."

    How nice that this will only remain theoretical. Why, it would be awful if they experimented with this method of killing botnets. But I'm sure they're completely honest when they say they'd never do

    • by Amouth ( 879122 )

      Remember Code Red? Remember Code Green?

      But they are correct - it would be illegal and would also be wrong. Best to take down the C&C and let the lifeless and therefore useless net slowly get formatted into nonexistence.

      Although I'm waiting for the creative botnet that puts a self-destruct in - wiping the box if it can't contact the C&C for an extended time (say 2 weeks) so that the security people get stuck with the possibility of destroying people's data.

      maybe i shouldn't give them any ideas.

      • And remember, Code Red/Green are 10 years old. :)

        Wikipedia: The Code Red worm was a computer worm observed on the Internet on July 13, 2001.
        Securelist: Net-Worm.Win32.CodeGreen.a, Detected: Sep 14 2001 09:23 GMT
        Microsoft: Patch Q300972, [fix] Originally posted: June 18, 2001

        • by Amouth ( 879122 )

          Yes - Code Green was a worm that used the exact same exploit as Code Red, except it patched the hole and then spread itself in the same manner as Code Red. But if the box was rebooted then Code Green would be gone and the box would be patched.

      • > Although I'm waiting for the creative botnet that puts a self-destruct in - wiping the box if it can't contact the C&C for an extended time (say 2 weeks) so that the security people get stuck with the possibility of destroying people's data.
        >
        > Maybe I shouldn't give them any ideas.

        If they did that I think it would be a blessing. The people infected with these bots have become that way due to their own irresponsible or uneducated behaviour and are a danger to themselves and others; it is far better they are forced to do something about their machine than continue to live in ignorance. Perhaps it might teach them that downloading untrustworthy shit is a stupid idea (I doubt it, but one can hope).

        • Dear me... so every plumber and psychologist should read the kernel mailing list?

          People (generally) care even less about more important stuff (read: general implosion of global economic finance) than their computer being "kinda weird when I go on facebook and stuff".

          So anyway, you get around to fixing that leaky tap in the bathroom lately?

      • Some software already does this. But better ... two types of C&C's one that causes kill if it can be contacted (left silent until needed) and one that causes kill if it can't.
    • As for legality, extreme legacy software and hardware is still often used in industrial plants. The claims against MSFT for purposefully wiping one of those systems and shutting down the lines for weeks would be huge.

      Whoever wrote that is probably smarter than thinking doing that will just wipe some old Pentium 2's still out in the wild that'll get replaced with a Win7 laptop the next time a social security check is cashed.

  • I haven't been paying enough attention to count them any more. How many botnets have Microsoft been in on the kill for now?
  • I see they made some tools to analyze the traffic but no information about actually cracking any encryption. Seems to me this was mostly about hijacking and sinkholing contact peer domain lists. Perhaps they left out pertinent bits for their own safety, but from reading this the controllers could bypass the sinkhole if their backup list was implemented correctly.
    • by Anonymous Coward

      It's simple really. Measure the traffic of an infected machine through Wireshark. Once you've isolated an address and protocol that appears to be the one the bot is communicating with, then set up a DNS entry, or hosts file entry, to resolve that suspicious address to the local machine you redirected to. Depending on the protocol, you set up HTTP, FTP or IRC services on that sinkhole machine. Let the infected machine talk to the sinkhole machine at that point, while running OllyDbg, and set break points. T

      • by Mattpw ( 1777544 )
        Thanks so much for the reply, I am relatively clueless about the nuts and bolts. So from what you are saying they are using a sync crypto scheme where the password can be intercepted? I read in a bot master Q&A they use AES, however why couldn't they just switch to async RSA or some kind of PKI based system?
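The lab procedure sketched in the thread above (watch the infected machine's traffic, isolate the host it polls, then redirect that name to a sinkhole) can be partly automated on the detection side. The script below is an added example, not code from the commenters or from Kaspersky/Microsoft: it flags destinations contacted at near-constant intervals (the beaconing pattern a polling bot produces) and emits hosts-file lines pointing them at a lab sinkhole. The log format, host names (`cdn.example`, `peer-update.example`) and the sinkhole address are constructed placeholders.

```python
"""Beacon detection over constructed connection-log lines, followed by
hosts-file sinkhole entries for the destinations that look like C&C."""
import statistics
from collections import defaultdict

# Constructed sample log: "epoch_seconds src_ip dst_host dst_port", as one
# might export from a capture of a single lab host. Names are placeholders.
SAMPLE_LOG = """\
1317340800 10.0.0.5 cdn.example 80
1317340801 10.0.0.5 peer-update.example 8080
1317340810 10.0.0.5 cdn.example 80
1317340900 10.0.0.5 cdn.example 80
1317340901 10.0.0.5 peer-update.example 8080
1317341001 10.0.0.5 peer-update.example 8080
1317341101 10.0.0.5 peer-update.example 8080
1317341150 10.0.0.5 cdn.example 80
1317341201 10.0.0.5 peer-update.example 8080
"""


def parse_log(text):
    """Return {dst_host: [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, _src, dst, _port = line.split()
        flows[dst].append(int(ts))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.1):
    """Destinations polled at near-constant intervals are C&C candidates.
    Returns {dst_host: mean_interval_seconds}; irregular hosts are dropped."""
    beacons = {}
    for dst, times in flows.items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a low value means regular polling,
        # which ordinary browsing to a CDN does not produce.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[dst] = mean
    return beacons


def sinkhole_entries(beacons, sink_ip):
    """hosts-file lines that resolve suspected C&C names to the lab sinkhole."""
    return [f"{sink_ip} {dst}" for dst in sorted(beacons)]


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    print("\n".join(sinkhole_entries(found, "192.0.2.10")))
```

The hosts entries only help when the bot resolves a name; a bot that hard-codes peer IP addresses needs a firewall redirect on the lab gateway instead.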
