Sinkholing the Hlux/Kelihos Botnet – What Happened?

12 Nov 2013

minute read

Authors

Stefan Ortloff

Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. We thought that now would be a good time for an update on what has happened to that sinkhole-server over the last 19 months.

What we see now is what we expected. The botnet is getting smaller and smaller – victims have been disinfecting or reinstalling their PCs over time. At the moment we’re counting about 1000 unique bots on average per month:

Number of unique bots since March 2012

Due to the botnet’s peer-to-peer-design, there could still exist an independent subset of the initial botnet which never connected to our sinkhole. But we think that the bot-count for any such subset would have evolved in a similar way, because most likely the bot-herders would leave them alone as well and concentrate on establishing “Hlux 3”.

Most of the bots are still running under Windows XP. But we also saw some bots running under Windows Server 2008:

OS (last 14 days)

Most of the infected clients are located in Poland:

Countries (last 14 days)

The group behind Hlux is known to be adept at quickly renewing their illegal infrastructure. Since the group is also known to be behind the Waledac botnet, we think that this is unlikely to be the last we hear about this gang.

Last but not least, a quick review about the story of Hlux/Kelihos:

In September 2011 we performed the first takedown of Hlux. The criminals responsible for that botnet didn’t show a major interest in taking counter-measures – they abandoned the botnet to its fate (of being under our control now) and immediately began to build a new botnet. So after a short time, Hlux 2 appeared on the radar and we did it again – poisoning the p2p-network to sinkhole it. And again, the criminals quickly rebuilt their botnet and Hlux 3 was born – within 20 minutes! In March 2013 the bad guys were faced with a new shutdown operation – initiated and performed live at the RSA Conference 2013 by our friends over at Crowdstrike.

Authors

Stefan Ortloff

Sinkholing the Hlux/Kelihos Botnet – What Happened?

Latest Posts

Latest Webinars

Reports

In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups.

We unveil a Lazarus campaign exploiting security company products and examine its intricate connections with other campaigns

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Sinkholing the Hlux/Kelihos Botnet – What Happened?

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

New wave of Mirai attacking home routers

The Missing Piece – Sophisticated OS X Backdoor Discovered

Beware of Backdoored Linux Mint ISOs

From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered

Shellshock and its early adopters

Top 10 web application vulnerabilities in 2021–2023

Network tunneling with… QEMU?

An educational robot security research

A lightweight method to detect potential iOS malware

Operation Triangulation: The last (hardware) mystery

Latest Posts

DinodasRAT Linux implant targeting entities worldwide

Android malware, Android malware and more Android malware

Threat landscape for industrial automation systems. H2 2023

A patched Windows attack surface is still exploitable

Latest Webinars

The Future of AI in cybersecurity: what to expect in 2024

Responding to a data breach: a step-by-step guide

2024 Advanced persistent threat predictions

Overview of modern car compromise techniques and methods of protection

Reports

HrServ – Previously unknown web shell used in APT attack

Modern Asian APT groups’ tactics, techniques and procedures (TTPs)

A cascade of compromise: unveiling Lazarus’ new campaign

How to catch a wild triangle

Subscribe to our weekly e-mails