P2P Botnet Kelihos.B with 100.000 Nodes Sinkholed


This past Wednesday, CrowdStrike teamed up with security experts from Dell SecureWorks, the Honeynet Project and Kaspersky to take out a peer-to-peer botnet which we believe is the newest offspring of a family that has been around since 2007: Kelihos.B, a successor of Kelihos, Waledac and the Storm Worm. Traditionally, the botnets in this family are known for spamming, but the newest version is also capable of stealing bitcoin wallets from infected computers. There is an infographic at the bottom of this post that shows the most important facts and numbers at a glance.

Just like its brothers, Kelihos.B relies on a self-organizing, dynamic peer-to-peer topology to make its infrastructure more resilient against takedown attempts. It further uses a distributed layer of command-and-control servers with hosts registered in countries like Sweden, Russia, and Ukraine that are in turn controlled by the botmaster. These systems can easily be replaced by others by announcing a different list of job servers to the bots. Figure 1 shows a scheme of this architecture.

Figure 1: Architecture of the Kelihos.B Botnet

But peer-to-peer botnets are fairly complex distributed systems – and complex systems are usually hard to secure. We identified some flaws in the architecture that allow us to inject specially crafted messages into the botnet. We used this technique to propagate our own peer entries in such a way that they displaced all others and effectively redirected all bots to a CrowdStrike-controlled sinkhole. In addition, the team took proactive measures to prevent the adversary from regaining control. The botnet has since been trapped in our sinkhole system, as shown in Figure 2.

Figure 2: Sinkholed Botnet

We are currently working with our partners to inform affected ISPs around the world about infections on their networks so they can take appropriate actions. So far we have identified over 110.000 different machines. This number is almost three times larger than that of the previous version of the Kelihos botnet. What is interesting is that we counted fewer unique IP addresses than bot IDs at the beginning of the operation. This is because multiple infected machines access the Internet through a common gateway. As expected, the ID/IP address relation changes after some time, as dial-up hosts change their addresses whereas the bot ID remains the same.

Figure 3 shows how the numbers develop over time. The blue graph displays the total number of IP addresses seen on the sinkhole. Green is the number of bot IDs. The number of job requests per hour is depicted in red; the graph shows a typical pattern which results from computers being turned off overnight.

Figure 3: IP count, ID count, job request per hour

The graph in figure 4 illustrates how effective the takeover was. It displays the number of bots (per hour) we have seen for the first time. The steep start is proof that our injected peer entries propagated rapidly within the botnet.
Figure 4: New bots on the sinkhole per hour
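
The sinkhole metrics described above (unique IP addresses versus bot IDs, job requests per hour, and bots seen for the first time per hour) can be derived from check-in logs as follows. This is an added example, not code from the operation; the log format, the field names and every sample record are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in an assumed format: "ISO-timestamp src_ip bot_id".
# Addresses come from documentation ranges (RFC 5737); bot IDs are made up.
SAMPLE_LOG = """\
2000-01-01T10:05:11 192.0.2.10 bot-a1
2000-01-01T10:07:42 192.0.2.10 bot-b2
2000-01-01T10:31:09 198.51.100.7 bot-c3
2000-01-01T11:02:55 192.0.2.10 bot-a1
2000-01-01T11:40:03 203.0.113.99 bot-c3
2000-01-01T12:15:20 203.0.113.5 bot-d4
this line is malformed and gets skipped
"""

def analyze(log_text):
    ips_by_id = defaultdict(set)          # bot ID -> source addresses it used
    ids_by_ip = defaultdict(set)          # source address -> bot IDs behind it
    first_seen = {}                       # bot ID -> hour of first check-in
    requests_per_hour = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # wrong field count
        ts, ip, bot_id = parts
        try:
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        except ValueError:
            continue                      # unparsable timestamp
        ips_by_id[bot_id].add(ip)
        ids_by_ip[ip].add(bot_id)
        first_seen.setdefault(bot_id, hour)
        requests_per_hour[hour] += 1
    new_per_hour = defaultdict(int)
    for hour in first_seen.values():
        new_per_hour[hour] += 1
    return {
        "unique_ids": len(ips_by_id),
        "unique_ips": len(ids_by_ip),
        # Several IDs on one address: infected machines sharing a gateway.
        "shared_gateways": {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) > 1},
        # One ID on several addresses: a host whose address changed over time.
        "roaming_ids": {b: sorted(ips) for b, ips in ips_by_id.items() if len(ips) > 1},
        "new_bots_per_hour": dict(new_per_hour),
        "requests_per_hour": dict(requests_per_hour),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the constructed sample, the first hour shows three bot IDs behind two addresses; once one host changes its address, the overall address count catches up with the ID count.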

The geographic distribution of the infected machines is somewhat unusual. With almost one quarter, Poland has by far the most infections:


Figure 5: Infection distribution
To our knowledge, Kelihos.B was mostly spread via so-called pay-per-install services (PPI). Since the bots report the version of the operating system they are running on to the sinkhole, we can track these as well. Surprisingly enough, 84% of all systems run Windows XP. Here are the numbers:
     91950  Windows XP
      9428  Windows 7
      5335  Windows 7 with Service Pack 1
      1307  Windows Vista with Service Pack 2
      1100  Windows Vista with Service Pack 1
       671  Windows Vista
       253  Windows Server 2003

It seems that different versions of the bot were coexisting in the botnet. One possible explanation is that the operators partitioned their resources and rented them out to different affiliates for spam campaigns and the like, but had the bots share the network infrastructure, since a bot is less likely to get disconnected from the peer-to-peer network the bigger that network is. We have found as many as 18 different version numbers in our sinkhole logs.

We are working with our partners to inform ISPs about infections in their networks and to make sure that Kelihos.B remains safely sinkholed. The gang that was operating the botnet abandoned the command-and-control infrastructure two days after we started our operation. One down, many more to go…

Figure 6: Kelihos.B Infographic