The King is dead. Long live the King! Or, given this week’s events, should the phrase now be “Kelihos is dead. Long live Kelihos”?

It is with a little amusement and a lot of cynicism that I’ve been watching the kerfuffle relating to the latest attempt to take down the Kelihos botnet. You may remember that a similar event (“Kelihos is dead”) occurred late last year after Microsoft and Kaspersky took it on themselves to shut down the botnet known as Kelihos (or sometimes as Waledac 2.0 or Hlux). Now, like a poor sequel to a TV docu-drama, Kaspersky and a number of other security vendors have attempted to slap down control of Kelihos Season Two—meanwhile Season Three of Kelihos has just begun to air.

In the most recent attempt to interrupt the business operations of the criminal entity behind the Kelihos botnet, a bunch of threat researchers have managed to usurp command and control (C&C) of the Kelihos.B crimeware package by poisoning the peer-to-peer (P2P) relationships between all of the infected devices and install a surrogate control server. It’s good technical work by all those concerned, but has also proved to be ineffective if the objective was to actually takedown the botnet.

The good guys have set up what amounts to a sinkhole for a particular configuration of the Kelihos.B crimeware—with the Kaspersky blog initially identifying some 116,000 infected devices around the world. Like I’ve said many times before, botnets reliant upon P2P for transport of C&C information and stolen data propagation are vulnerable to this kind of takeover and victim enumeration. It’s one of the reasons we don’t see P2P being used much by sophisticated criminal groups—and almost never as a vehicle for attacks that target businesses.

Having said that, takeovers of portions of P2P botnets such as this most recent Kelihos.B example worry me quite a bit—it’s a reason Damballa, where I work, doesn’t offer to do this kind of work despite having excellent real-time visibility of the threat and the victims. There are two elements of P2P botnet takeovers that cause me the most concern:

1. To usurp control of the P2P botnet you have to initially join it in some shape or fashion, and then you have to send commands (via the P2P network) to all the other infected devices and redirect them to something you control. A victim of the Kelihos.B crimeware would be unable to differentiate the “good guys” from the “bad guys”—after all, their computer is still under someone else’s unauthorized control—and they could justly bring a legal case against those parties that seized control of their computer.
2. The use of sinkholes for victim data harvesting. It raises all kinds of questions about how you’re using someone’s stolen data—let alone the effect of sharing that victim information with other commercial entities. Obviously I have a strong opinion as to the ethics of selling these kinds of stolen information or using it for commercial purposes.

Despite the sinkholing attempt and the cries from the highest watchtowers that the Kelihos botnet is dead, it obviously isn’t. Within the security community there’s consequently a lot of discussion already over the semantics of what constitutes a botnet and what it means to have “killed” a botnet. For example, the criminal operators behind the Kelihos.B botnet have been rolling out a new and improved variant of their crimeware—Kalihos.C—and it’s infecting a whole bunch of new victims (with some overlap with the Kelihos.B botnet victims). The fact that a new malware variant is being distributed to an overlapping group of victims seems to cause some degree of confusion to a few people.

Based upon my own observations, I’d be more inclined to take care when differentiating between the gang that operates botnets, botnets that share the same C&C infrastructure, and campaigns of crimeware updates and their installation. The claim of taking down the Kelihos botnet (twice now) is clearly false. It would be more precise to say that certain Kelihos campaigns have been disrupted. The criminals (and their core infrastructure) haven’t been significantly affected. In fact, the speed at which the Kelihos criminal gang was able to release an updated variant (Kelihos.C) reflects the futility of much of the current takedown effort.

Why go to all this effort? Why invest in Wac-a-mole style takedowns? While the efforts to takedown some Kelihos.A and Kelihos.B P2P botnets haven’t succeeded, they have enabled researcher to better understand the nature of the threat and hone their skills in the art of takedown. Knowing what doesn’t work (and why) is almost as valuable as knowing what does work.

I’m sure some group is going to try their hand at taking down Kelihos.C (and probably Kelihos.D) based botnets in the future. There’ll probably be the same claims of “Kelihos is dead” too. Unfortunately, if the Kelihos botnet controllers want to escape this bothersome cycle of losing a few thousand botnet victims each time, they already have the means available to them. As I discussed earlier this month, we’ve observed a growing number of criminal operators adding DGA’s to their malware families as a backup strategy should their P2P C&C fail for whatever reason. If the Kelihos operators add that feature to their next variant the wac-a-mole efforts of Kelihos-P2P-swatters truly become inconsequential.

Like I’ve said before, if you’re going to take down a botnet you have to take out the criminals at the top. It’s the only way. Taking out the infrastructure they depend upon for distributing new infectious material and C&C is a disruption technique—a delaying tactic if you will, and maybe an evidence building process if you’re lucky. In the case of P2P-based botnets, there’s very little infrastructure you can get your hands on—and you’ll probably end up having to issue commands to botnet victim devices—which is fraught with legal and ethical problems.

Oh, one last thing. Even if you’re lucky enough to be able to take out the C&C infrastructure or mechanism of communication, if you don’t take out the infection vector—the mechanisms of distributing new crimeware variants—you’ve achieved very little. As evidenced by the most recent Kelihos botnet takedown attempt, the criminals retained their primary distribution system and are already accumulating thousands of new victims per day with their latest Kelihos-variant campaign.