Kelihos P2P botnet rises from dead a third time

Interpol nabs 6 Anonymous members, researchers kill botnet. Botnet refuses to stay killed.

It's been a big morning for law enforcement and victims of cybercrime.

Six more alleged members of hacktivist collective Anonymous were arrested in the Dominican Republic Sunday as part of an Interpol project called Operation Unmask, according to an Associated Press story late yesterday.

The four adults in the group have been ordered held in jail for three months while being investigated, which is legal under Dominican laws providing for preventative detention. The fate of the other two is up to a court responsible for minors.

The four adults, whose ages range between 17 and 40, and their alleged usernames, include:
  • Zerohack (Milton Corniell David Jimenez)
  • Nmap (Juan Rafael Leonardo Acosta)
  • Mot (Cristian de la Rosa Jose de los Santos)
  • Frank-Ostia (Robert Reynoso Delgado)

The first phase of Operation Unmask, which began in mid-February and covered areas of Argentina, Chile, Colombia and Spain, netted 25 suspects and 250 items of computer equipment from 40 residences in 15 cities, according to the NYT.

Arrests over the weekend were part of a later phase focused on running down alleged Anonymi responsible for attacking government sites in several Latin American countries and Spain, according to the announcement from Interpol.

The arrests in February, which Interpol credited to good police work, international cooperation and intelligence-sharing, came primarily through "the use of spies and informants within the movement," according to complaints at the time from Spanish-speaking members of the Latin-American Anonymous forum Iberoamerica.

Kelihos botnet killed again. Rises from dead, again.

An alliance of security experts from the Honeynet Project, Kaspersky, SecureWorks and startup CrowdStrike took down a network of more than 110,000 Windows PCs infected with the Kelihos worm, according to Krebs on Security.

Kelihos is designed to steal Bitcoin currency and to use zombie PCs to mass-mail spam advertising Internet pharmacies, so shutting it down should have an immediate effect on the volume of spam and phishing email circulating.

Originally named Storm, then Waledac, then Storm2, the Kelihos.B virus has been present and growing steadily since at least 2007, according to Krebs.

Unlike most botnets, which rely on a single set of command-and-control (CnC) servers for their marching orders, Kelihos builds a peer-to-peer (P2P) network among members of the botnet, which allows almost any subset of zombies to become CnC controllers if one set is shut down.

That makes the network as a whole much more difficult to identify, measure and shut down because any subset of its members can take over as relays for orders if others are eliminated.

It's a completely different network design from that of traditional viruses, one created specifically to keep the botnet safe from attempts by either law enforcement or rival botnets to shut it down or take it over.

"P2P botnets let the controller inject commands into the network and have the bots disseminate the commands amongst each other," RandomStorm researcher Robin Wood told InfoSecurity about the growing Thor P2P botnet. "This removes the head and makes the network much harder to take down."

Researchers from Kaspersky Labs called the Alureon P2P botnet "practically indestructible" in a July 1 Ars Technica story about the botnet, which had 4.5 million members.

The primary point of failure for P2P botnets is the strength of their encryption, according to Krebs.

Researchers shut down the Kelihos botnet by cracking the encryption of its CnC messages and sending out their own messages, stealing control away from the botnet's creators and ordering the zombies to stand down, Krebs wrote.

This version was at least the second major version of the Kelihos botnet. Microsoft was able to shut down an earlier variant in September 2011; it took only weeks for its owners to begin rebuilding the network that was the subject of this attack. In January Microsoft accused a Russian man named Andrey Sabelnikov of directing the botnet. It also denied in February that the Kelihos network had revived, despite widespread evidence that a subsequent version of the virus was rebuilding its army.

The second Kelihos botnet is just as hard to keep down.

Within hours of the takedown of the Kelihos.B network, the virus had begun rising from the dead yet again, Krebs reported.

The Kelihos.B virus has been recompiled as Kelihos.C and is spreading via Facebook.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty.
