Almost one year ago, CrowdStrike and some partners conducted a takeover operation against the Kelihos.B botnet, a peer-to-peer network of compromised machines mainly used to send spam. The attack was successful, and all infected machines were redirected to a sinkhole server. However, the botnet business is lucrative as such, and the Kelihos gang almost immediately created a new version of their infrastructure right after the success of the takeover: Kelihos.C.
With the anniversary of this new version coming up, we decided to conduct another botnet takeover operation during the RSA conference in San Francisco. On stage in a presentation entitled “From the Drone Butcher’s Cookbook: Live Demo of a P2P Botnet Takeover” we injected a special sinkhole peer into the Kelihos.C botnet and increased its prominence by replacing peer list entries at other nodes with entries pointing to our sinkhole machine. In this blog post, we share the insights we gained from the operation and provide some information to help clean up infected machines.
While CrowdStrike managed to successfully take over control of the majority of the botnet population, we also anticipated that this attack would not make those cyber criminals quit their shady business. It is apparent that they have, in fact, managed to restructure a small fraction of their peers before we were able to take full control over them. One of their countermeasures was to propagate an updated version of the bot that hardens the peer list exchange code to render our poisoning attack less effective. A part of the botnet survived, and it was big enough to serve as a cornerstone for them to recreate their infrastructure.
Kelihos uses a multi-tier botnet architecture. Infected machines on public IP addresses are router nodes. When a router node receives a job request, it passes it on to one of six upper-tier proxies. Interestingly, the proxies used by Kelihos.C are, for the most part, the same that were already used by its predecessor. Below is the current list of C2 proxy IP addresses. Traffic to any of these machines on port 80/tcp is a clear indicator of an infection, so you want to keep an eye out for these in your network flows.
We have received lots of questions about infection numbers. As shown in our previous blog post on Kelihos.B, counting numbers of infected machines is not trivial. Simply counting IP addresses that talk to the sinkhole does not usually result in reliable numbers. Counting bot IDs (assuming that the C2 protocol defines some, which is the case for Kelihos) is much more accurate, but it requires processing (decryption, uncompressing, parsing) of each incoming message, which consumes lots of resources.
We have thus decided to randomly sample some messages over a time period of one week to learn the ratio of unique IP addresses versus unique bot IDs and then extrapolate the total number of bots we have seen so far from that value. In our sample set of 34,333 unique IP address/ID pairs, we have seen 16,307 unique IDs. This means the ratio is 0.48%. In total, we have counted 193,384 unique IP addresses so far, which relates to an estimated 91,000 unique bot IDs, considering the ratio above.
There are infections in almost all countries in the world. Countries on the map below appear increasingly more red as more hits were recorded from it at the sinkhole.
The sample set of the 16,307 uniquely identified bots was also used to analyze the geographical distribution. Interestingly, the top five infected countries for this set are Belarus, Ukraine, Vietnam, Turkey, and India – a fairly uncommon mix. Together, they make almost half of the whole population, as shown in the chart below.
If a bot cannot establish contact with the peer-to-peer network, it attempts to resolve a hard-coded domain name. These domain names are fast-flux domains with a TTL value of 0 and point to an infected machine, which is then contacted for bootstrapping. Decoding the communication between a bot and the command-and-control backend reveals the set of domains that are currently associated with the botnet. Here is the list of backup domains used by Kelihos.C:
Since each worker node also runs a DNS server that resolves these domains, incoming DNS queries for one of these domains mean that the destination machine is likely infected. Likewise, outgoing queries are probably the result of a peer trying to bootstrap via the backup channel.
Here is a set of snort rules that fire on queries in any direction:
- alert udp any any -> any 53 (msg:”Kelihos.C Fallback Domain: boomsco.com”; content:”|01 00 00 01 00 00 00 00 00 00 07|boomsco|03|com”; depth:22; offset:2; nocase; classtype:trojan-activity; sid:20000001; rev:1;)
- alert udp any any -> any 53 (msg:”Kelihos.C Fallback Domain: flowsre.com”; content:”|01 00 00 01 00 00 00 00 00 00 07|flowsre|03|com”; depth:22; offset:2; nocase; classtype:trojan-activity; sid:20000002; rev:1;)
- alert udp any any -> any 53 (msg:”Kelihos.C Fallback Domain: kamisca.com”; content:”|01 00 00 01 00 00 00 00 00 00 07|kamisca|03|com”; depth:22; offset:2; nocase; classtype:trojan-activity; sid:20000003; rev:1;)
- alert udp any any -> any 53 (msg:”Kelihos.C Fallback Domain: larstor.com”; content:”|01 00 00 01 00 00 00 00 00 00 07|larstor|03|com”; depth:22; offset:2; nocase; classtype:trojan-activity; sid:20000004; rev:1;)
- alert udp any any -> any 53 (msg:”Kelihos.C Fallback Domain: needhed.com”; content:”|01 00 00 01 00 00 00 00 00 00 07|needhed|03|com”; depth:22; offset:2; nocase; classtype:trojan-activity; sid:20000005; rev:1;)
- alert udp any any -> any 53 (msg:”Kelihos.C Fallback Domain: newrect.com”; content:”|01 00 00 01 00 00 00 00 00 00 07|newrect|03|com”; depth:22; offset:2; nocase; classtype:trojan-activity; sid:20000006; rev:1;)
- alert udp any any -> any 53 (msg:”Kelihos.C Fallback Domain: oparle.com”; content:”|01 00 00 01 00 00 00 00 00 00 06|oparle|03|com”; depth:21; offset:2; nocase; classtype:trojan-activity; sid:20000007; rev:1;)
We are continuously working with our partners in the security community to inform ISPs about infections in their network so they can take actions. It will be interesting to see how the Kelihos gang reacts to our efforts. We will inform you here about any interesting developments. Stay tuned.
Download a complete list of .ru domains that are currently used by Kelihos to propagate bot updates and other malware.