Kelihos.B/Hlux.B botnet takedown – The Honeynet Project

Published by Christian Seifert at March 31, 2012

Tags

On Wednesday, March 21, 2012, an operation by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project was initiated to sinkhole infected computers in the Kelihos.B/Hlux.B botnet. The objective of this action was to remove from the attacker’s control all computers currently infected with the Kelihos.B/Hlux.B malware by poisoning the peer lists and routing tables in the lower layers of command and control. This will prevent the botnet operator from doing any more harm with this set of infected computers.

Control of the botnet with over 129,000 infected hosts was successfully obtained. These bots are no longer in control of the botherder, and, as a result, are no longer involved in sending spam, the primary malicious activity of this botnet. The hosts resided primarily in Poland (24%) and were primarily running the old operating system Windows XP (84%). The command-and-control infrastructure has been abandoned by the gang that was operating the botnet two days after the operation. We can say that the Kelihos.B/Hlux.B botnet was successfully disabled.

For more information, we refer to:
http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html
http://newsroom.kaspersky.eu/en/texts/detail/article/how-kaspersky-lab-and-crowdstrike-dismantled-the-second-hluxkelihos-botnet-success-story/
http://www.secureworks.com/research/threats/waledac_kelihos_botnet/