Earlier this week, Microsoft reported the successful takedown of what it calls the Kelihos botnet, a network of more than 40,000 infected computers capable of sending 3.8 billion spam e-mails per day. But while criminals no longer control the botnet, the work needed to contain it is not over. Botnet traffic is now being redirected to a “sinkhole,” allowing the good guys to oversee traffic from infected machines and prevent further distribution of malware and scams.
Kaspersky Lab, which collaborated with Microsoft on the takedown, says 3,000 infected hosts are connecting to its sinkhole every minute. Kaspersky reverse-engineered the bot malware, cracked the botnet’s communication protocol, and then developed tools to attack its peer-to-peer infrastructure, explains Kaspersky Lab expert Tillmann Werner in a blog post. That allowed Kaspersky to create a situation in which the bots are “talking to our machine, and to our machine only. Experts call such an action sinkholing—bots communicate with a sinkhole instead of its real controllers.”
Trend Micro, which recently sinkholed a ZeuS botnet, explains in a technical paper that “[s]inkholing is a technique that researchers use to redirect the identification of the malicious command-and-control (C&C) server to their own analysis server. This way, the malicious traffic that comes from each client goes straight to the research box, ready to be analyzed.”
In the case of Kelihos, or “Hlux” as Kaspersky prefers to call it, Microsoft obtained a restraining order allowing it to sever connections between the machines controlling the botnet and the zombie computers being controlled. Decapitating a botnet isn’t as simple as flipping a switch, though. While Kelihos was not as sophisticated as the much larger Rustock botnet taken down in March, it still had methods to resist takedown attempts.
“The dynamic structure allows for fast reactions if irregularities are observed. When a bot wants to request jobs, it never connects directly to a controller, no matter if it is running in worker or router mode,” Kaspersky explains. “A job request is always sent through another router node. So, even if all controller nodes go off-line, the peer-to-peer layer remains alive and provides a means to announce and propagate a new set of controllers.”
To overcome these obstacles, “we started to propagate a special peer address,” Kaspersky continues. “Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. […] At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore.”
The Rustock botnet’s method to avoid takedown was more clever, says Microsoft Digital Crimes Unit Senior Attorney Richard Domingues Boscovich. In Rustock, bots that detected they were no longer being commanded used an algorithm to automatically generate new domains that could then be registered by the botnet controller. “One of our guys identified it just in time,” Boscovich tells Ars. By analyzing the algorithm, Microsoft was able to identify the names of the domains the botnet would have generated and negotiated with registrars to take control of them before the botnet traffic could be redirected.
With 1.3 million infected computers, Rustock was much bigger and harder to take down. But both Rustock and Kelihos, and also a third botnet named Waledac, are now being controlled by sinkholes. The whole process requires collaboration among companies like Microsoft and Kaspersky, government agencies, and Internet Service Providers who can contact owners of infected computers and help them clean up their machines. In the case of Rustock, Boscovich said two years should be enough time to clean the vast majority of zombie computers. Boscovich said Kelihos shouldn’t require that much time, but Kaspersky notes winding down the sinkhole will be difficult.
“The alternative infrastructure needs to be run as long as there are infected machines,” Kaspersky Senior Researcher Roel Schouwenberg told Ars. “Unfortunately, many people still don’t run security software and it can be very hard for ISPs to inform the affected customer.” Maintaining the sinkhole is crucial because otherwise “it would be possible for the cyber criminals to regain control of the botnet.”
While Kaspersky counted 49,000 IP addresses connected to the botnet, there are signs it is already shrinking. “We expect that the number of machines hitting our sinkhole will slowly lower over time as computers get cleaned and reinstalled,” Kaspersky said in its blog post. “Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. We hope that this number is going to be much lower soon.”
Kelihos was tied to the cz.cc domain and a series of sub-domains, which previously delivered MacDefender scareware. In fact, CTO Aviv Raff of security company Seculert told Ars, “We tracked in the past few weeks over 250 different registered cz.cc domains being used by over 180 different botnets’ Command & Control servers.” Seculert determined that three of those servers together controlled more than 13,000 infected machines.
While Microsoft itself didn’t analyze the total number of botnets originating from cz.cc, Boscovich says the Seculert finding “doesn’t surprise me.” A civil suit filed by Microsoft names as a defendant Dominique Alexander Piatti, who allegedly was the registrant of the cz.cc domain and failed to stop it from being used for illicit activity. Microsoft is accusing Piatti of negligence, rather than actually controlling the botnet, but Boscovich notes that the cz.cc domain was temporarily blocked from Google search results in May because it was hosting malware.