Kelihos/Hlux botnet returns with new techniques

It has been four months since Microsoft and Kaspersky Lab announced the disruption of Kelihos/Hlux botnet. The sinkholing method that was used has its advantages — it is possible to disable a botnet rather quickly without taking control over the infrastructure.However,as this particular case showed, it is not very effective if the botnet’s masters are still at large.

Not long after we disrupted Kehilos/Hlux, we came across new samples that seemed to be very similar to the initial version. After some investigation, we gathered all the differences between the two versions. This is a summary of our findings:

Let’s start with the lowest layer, the encryption and packing of Kelihos/Hlux messages in the communication protocol. For some reason, in the new version, the order of operations was changed. Here are the steps of processing an encrypted data for retrieving a job message which is organized as a tree structure:

Old Hlux New Hlux
1 Blowfish with key1 Blowfish with new key1
2 3DES with key2 Decompression with Zlib
3 Blowfish with key3 3DES with new key2
4 Decompression with Zlib Blowfish with new key3

To encrypt a message, all the operations need to be in reverse order. It is well known that text strings are more effectively compressed than raw binary data. The initial tree includes many strings such as e-mails, spam templates, etc. Therefore using zlib compression after encrypting a tree in the new Hlux/Kelhihos version makes no sense: the packet size increases without any advantages. It seems that someone obtained the botnet source code and just wanted to make future bots look different by shuffling the order of encryption stages.

Secondly, the encryption keys were changed, which is quite predictable. Also the RSA keys which are used for signing the parts of a tree with the controllers’ IPs and update URLs and the corresponding public RSA keys within the bots were also changed.

Old Hlux New Hlux
Controllers’ IP RSA key1 New RSA key1
Update/Exec urls1 RSA key1 New RSA key1
Update/Exec urls2 RSA key2 New RSA key2

As you can see, two different RSA keys are used within a tree which makes us think that probably two different groups are in possession of each key and are currently controlling the botnet.

As for the tree structure, all the fields and their meanings remained the same.The most significant change is that the hashing algorithm for the fields’ names is no longer used. Instead, each field now corresponds to 1-2 character name.

This was a tree structure of the old Hlux after decrypting a packet:

This is a tree structure of the new Hlux:

One more innovation in the new Hlux version is a more accurate approach of forming the packets: now every packet (both incoming and outgoing) includes the calculated data checksum in its header.

Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet.

The controllers list in the new version remained almost the same and slightly changed over time.

This botnet continues to get orders from spammers and send spam in different languages so far:

The main conclusions are the following:

  1. It is impossible to neutralize a botnet by taking control over the controller machines or substituting the controller list without any additional actions. The botnet master might know the list of active router IPs, can connect to them directly and push the bot update again along with the new controllers list.
  2. It is still possible to neutralize the botnet with sinkhoking but using slightly different techniques as was used before.
  3. It is still possible to push an update tool on infected machines to neutralize the botnet. In this case the botmasters need to infect machines again to build another botnet.
  4. We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end.

P.S. Thanks to Alexey Borzenkov and Tillman Werner for providing technical details.

Kelihos/Hlux botnet returns with new techniques

Your email address will not be published. Required fields are marked *


  1. Enkidu

    have u found any new solution to detect and/or stop p2p botnets ?


Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Tomiris called, they want their Turla malware back

We continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry allowed us to shed light on the group. In this blog post, we’re excited to share what we now know of Tomiris with the broader community, and discuss further evidence of a possible connection to Turla.

Subscribe to our weekly e-mails

The hottest research right in your inbox