by Gunter Ollmann of Damballa
As botnets go, the Kelihos botnet is a small and rather insignificant criminal enterprise. Its claim to fame doesn’t lie in the number of victims it mustered in to its zombie hoard, nor would anyone have ever call it sophisticated or advanced, rather it was a botnet that rose in notoriety because of the efforts to take it down.
In particular, it was the first time Microsoft named a defendant in a botnet civil case and, more recently, named further defendants in an amended complaint.
In its heyday, the Kelihos botnet was estimated to encompass around 41,000 bot victims and be capable of distributing 3.8 billion spam emails per day. Today, companies such as ours estimate the number of untethered Kelihos botnet victims to be less than a quarter of its former size as the still-infected computers continue to mindlessly try and locate their former command and control servers.
The botnet made extensive use of 3,723 sub-domains associated with the “cz.cc” top-level domain name for its command and control server resolution. “cz.cc” itself was a popular free Dynamic DNS service in which anyone could setup and operate their own sub domain; which, not unexpectedly, was abused extensively by cybercriminals for rolling out threats such as MacDefender (a Mac targeted Trojan). In fact, Google went as far as blacklisting the entire top-level domain early in 2011.
Back in September 2011, as part of their codenamed action “Operation b79”, Microsoft accused Dominique Alexander Piatti, dotFREE Group, and 22 “John Does” of operating the domain names used to control the Kelihos botnet. By late October, after evidence voluntarily supplied by Piatti, Microsoft determined that he and his company were not involved in controlling the sub domains used to host Kelihos. Then, on January 23 of this year, Microsoft named Andrey N. Sabelnikov from St. Petersburg, Russia as both an author of the Kelihos malware and an operator of the botnet.
With Sabelnikov’s public naming as an operator of the Kelihos botnet, attention has been drawn to his employment as an anti-malware developer. In particular, it has been postulated that the code similarities between Kelihos and bot agent associated with the much larger Waledac botnet may have been due to Sabelnikov’s access to Waledac source code while at his former employer.
The coding similarity between Kelihos and Waledac has been noted for quite some time. It is, however, not uncommon for the malware agents of many botnets to look very similar; even conversing with their command and control servers in the same encoded language. Like Darwinism in overdrive, the best ideas and features for committing cyber fraud are rapidly adopted and absorbed by competing cyber criminal gangs — regardless of where they come from. This is a world in which piracy and copyright infringement are about as bothersome as gum stuck to the bottom of a shoe.
Is Sabelnikov the author, creator or operator of the Kelihos botnet? It appears that there is evidence to conclude so. Microsoft would not have amended their legal complaint otherwise. That said, some now believe that the real driving force behind the botnet is a different individual, someone more closely associated with the Waledac botnet (which Microsoft similarly attempted to takedown through legal means prior to Kelihos).
To many people the complexities of the case concerning the Kelihos botnet are confusing. The Internet security industry might as well be talking in a foreign tongue as they use cryptic technical terms and join near-invisible dotted lines in their attempt to highlight a path to the real botnet mastermind.
What is lost in these disclosures is an appreciation of number of people and breadth of talent that is needed to build and operate a profitable criminal botnet business. Piatti and the dotFREE Group were embroiled in the complaint because they inadvertently provisioned the DNS with which the botnet was dependent upon. Other external observers and analysts of the Kelihos botnet believe it to be a relative of the much bigger and more damaging Waledac botnet, going as far as naming a Peter Severa as the mastermind between both botnets.
Botnets are a business. Like any successful business they have their own equivalents of financiers, architects, construction workers and even routes to market.
Past attempts to takedown botnets have focused on shutting down the servers that command the infected zombie computers. Given the agile nature of modern botnet design, the vast majority of attempts have failed. Microsoft’s pursuit of the human operators behind botnets such as Kelihos and Waledac are widely seen as the most viable technique for permanently shutting them down. But, even then, there are problems that still need to be addressed.
Months, or even years, after the servers that controlled a botnet have been taken down, there still exists a hoard of infected computers eagerly awaiting a new batch of commands despite “widespread” detection and remediation tools. Will those same zombie machines still be waiting for new commands once their human operator surfaces from a term in prison? Probably.
Gunter Ollmann is VP of Research for cyber security firm Damballa. Gunter has over 20 years of experience within the information technology industry and is a known veteran in the security space. Prior to joining Damballa, Gunter held several strategic positions at IBM Internet Security Systems (IBM ISS) with the most recent being the chief security strategist. He also held the role of director of X-Force as well as the former head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006). Prior to joining ISS, Gunter was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. Gunter has been a contributor to multiple leading international IT and security focused magazines and journals, and has authored, developed and delivered a number of highly technical courses on Web application security.