
Attack of the zombie botnet

A spam-spewing botnet that was supposedly declared dead a few months back turns out to be alive and still spamming, a computer security firm said this week.
 
Kaspersky Labs said the Kelihos/Hlux botnet has returned, this time with possibly more new techniques to thwart those trying to shut it down.
 
"Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet," Kaspersky Lab expert Maria Garnaeva said in a blog post.
 
"The sinkholing method that was used (to initially take down the botnet) has its advantages — it is possible to disable a botnet rather quickly without taking control over the infrastructure. However, as this particular case showed, it is not very effective if the botnet’s masters are still at large," she added.
 
She said they recently came across new samples that seemed to be very similar to the initial version, but with changes in the communication protocol and encryption keys.
 
She also noted a more careful approach to forming packets in the new version: every packet, both incoming and outgoing, carries a checksum of its data in its header.
 
She said the botnet continues to receive orders from spammers and, so far, has been sending spam in several languages.
 
Garnaeva said this case showed it is impossible to neutralize a botnet by taking control over the controller machines or substituting the controller list without any additional actions.
 
"The botnet master might know the list of active router IPs, can connect to them directly and push the bot update again along with the new controllers list," she said.
 
She also said it is still possible to neutralize the botnet by sinkholing, but using slightly different techniques from those used before.
 
But ultimately, she said the solution lies with getting to those behind the botnet.
 
"We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end," she said.
 
2011 'slaying'
 
A separate article on ArsTechnica said Microsoft claimed to have disrupted the rogue network by commandeering the infected computers and obtaining a court order seizing the Internet addresses used to help control them.
 
"The resurrection highlights the difficulty of permanently severing botnets from the Internet. Because Kelihos used peer-to-peer technology, it was disrupted—or 'sinkholed,' in takedown parlance—by seeding the network with machines that caused their peers to take orders from benign channels under the control of white hats. The takedown process never actually removed the underlying malware from infected machines, making it possible for the attackers to one day regain control of them," it said.
 
Microsoft probing resurrection
 
ArsTechnica quoted Microsoft senior attorney Richard Domingues Boscovich as saying Microsoft is working with Kaspersky to investigate the matter.
 
"Given that Kaspersky’s role in the Kelihos botnet takedown was the sinkholing of the botnet (as has been described by Kaspersky researchers previously), Microsoft is working with Kaspersky to investigate this question and will provide more information when it becomes available," it quoted Boscovich as saying.
 
"Microsoft, as ever, remains committed to following our botnet cases wherever they lead us and to holding those responsible accountable for their actions," he added. — TJD, GMA News