FAQ: Disabling the new Hlux/Kelihos Botnet

Q: What is the Hlux/Kelihos botnet?
A: Kelihos is Microsoft’s name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers.

Q: What is a peer-to-peer botnet?
A: Unlike a classic botnet, a peer-to-peer botnet doesn’t use a centralized command and control-server (C&C). Every member of the network can act as a server and/or client. The advantages from the malicious user’s point of view is the omission of the central C&C as a single-point-of-failure. From our point of view, this makes it a lot harder to take down this kind of botnet.

Architecture of traditional botnet vs P2P:

Traditional botnet with centralized C&C

Architecture of a P2P botnet

Q: When was Hlux/Kelihos first seen in the wild?
A: Back in December 2010, the first version was seen in the wild. Our first blog post about Hlux was in January 2011. The first known blog entry was released by ShadowServer in December 2010. The new version appeared just after our first sinkhole operating in September 2011.

Q: What are the differences between the old and the new Hlux/Kelihos malware?
A: The older version was used to distribute spam and had the ability to conduct distributed denial-of-service (DDoS) attacks. With this new version, we have discovered that:

• The bot is capable of infecting flash drives, creating a file on them called “Copy a Shortcut to google.Ink” in the same way Stuxnet did.
• The bot can search for configuration files for numerous FTP clients and transfer them to its command servers.
• The bot has a built-in Bitcoin wallet theft feature.
• The bot also includes a Bitcoin miner feature.
• The bot can operate in proxy server mode.
• The bot searches hard drives for files containing email addresses.
• The bot has a sniffer for intercepting email, FTP and HTTP session passwords.

Also see: The where and why of HLUX

The creator of the new Hlux-version also changed the communication protocol:

• Changed the order of encryption and compression methods
• Added new encryption-keys (p2p-network messages) and RSA keys (for signing parts of the message-payload)
• Field names in the payload are now 1-2 character name, no hashing anymore.

Also see: Kelihos Hlux botnet returns with new techniques

Q: Was the “new Hlux/Kelihos”-botnet rebuilt upon the “old” botnet, which was taken down in September last year?
A: Yes, the malware was built using the same coding as the original Hlux/Kelihos botnet. The new malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.

It’s important to note that the Hlux botnet we previously disabled is still under control and the infected machines are not receiving commands.

How the creators of the malware managed to build the new botnet in that short time cannot be answered with certainty. Bot herders typically use malicious pay-per-install-services to rebuild botnets.

Q: What does sinkholing mean?
A: In this case, it means actions that lead to a high popularity of a special peer inside the peer-to-peer network. This special peer is under our control and provides connecting bots with special crafted job-lists in order to make them uncontrollable by the original malicious bot-herder.

Q: How many bots exist in the old and new Hlux/Kelihos-botnets?
A: By design, the size of a peer-to-peer botnet can only be estimated. For the old Hlux botnet, we took down in September 2010, we estimated about 40000 different IP adresses. For the new botnet we estimate about 110,000 IP addresses.

Q: In which countries you see the biggest number of Hlux/Kelihos infections?
A: For the old version of Hlux we saw the most connections hitting our sinkhole from Thailand, Vietnam, India and Korea.

For the new version we see this distribution:

Countries with new Hlux/Kelihos infections

Q: Who was involved in the recent take-down (March 2012)?
A: Kaspersky Lab partnered with research teams at CrowdStrike, the HoneyNet Project and Dell SecureWorks on this operation.

Q: What can users do if their system is infected with malware from the botnet?
A: Although the first two Kelihos/Hlux botnets have being disabled, many computers are still infected with malware. Please visit http://support.kaspersky.com/viruses/utility for free tools that Kaspersky Lab offers to clean your computer.

For additional resources and to learn how to keep your computer secure please refer to http://support.kaspersky.com/viruses.

Until the botnet gangs are permanently brought down, new botnets with updated malware will continue to emerge and infect computers.

Q: The bots of both botnets are now sinkholed to machines of your control. What now?
A: This is actually the main question we asked in the first take-down back in September 2011. Obviously we cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that over time, the number of machines hitting our sinkhole will slowly decrease as computers get cleaned and reinstalled.

Apart from this, there is one other theoretical option to ultimately get rid of Hlux: We know how the bot’s update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries.

The only permanent solution is advocating to politicians for more international legislation and laws to be passed for more involvement between cyber security professionals and federal law-enforcement agencies. Sinkholing is a temporary solution but finding the groups behind the botnets and allowing law enforcement to apprehend them is the only permanent solution to the problem. New regulations will give more jurisdiction to execute the following countermeasures:

• Carrying out mass remediation via a botnet
• Using the expertise and research of private companies, providing them with warrants for immunity against cybercrime laws in particular investigation
• Using the resources of any compromised system during an investigation
• Obtaining a warrant for remote system exploitation when no other alternative is available

After the taking down the old Hlux we asked your readers on securelist.com how Kaspersky should proceed with the botnet: The answer was quite clear: Only 4% voted for “Leave the botnet alone.”. 9% agreed with “Keep the sinkholing up and provide IP address logs to the appropriate contacts so they can take actions.” and 85% voted for “Push a cleanup tool that removes the infections.”. In this poll 8539 votes were counted.