Skip to main content
0 Results Found
              Back To Results
                Research & Intelligence

                Botnet Protection: Dell SecureWorks Assists in Waledac Kelihos Botnet Successor of DDoS Attack

                By: Brett Stone-Gross

                Kelihos Botnet Detection and Threat Analysis

                On Wednesday, March 21, 2012, Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project initiated efforts to disrupt the operations of the Waledac/Kelihos (aka Hlux) botnet. This botnet is similar in structure to the Storm Worm DDoS attack, however it generally sends spam email, harvests email addresses and credentials, and steals Bitcoin wallets.

                If you are concerned about botnet protection, The Dell SecureWorks Counter Threat Unit (CTU) has published a detailed analysis based on the botnet detection and description of the network takeover.  This article provides a simple overview of the Kelihos botnet threat. 

                Waledac/Kelihos Botnet Protection & Detection Statistics 

                Key Detection Findings from the botnet protection analysis:

                - Waledac/Kelihos botnet is distributed through pay-per-install (PPI) affiliate programs.
                - The Kelihos botnet variant currently has low antivirus detection rates. Only Microsoft specifically detects the botnet as Kelihos.B.
                - The Waledac/Kelihos botnet is a different variant than the one found during the takeover Kaspersky and Microsoft performed in September, 2011.
                - The Kelihos botnet currently consists of 118,000 systems (unique bot IDs).
                - Botnet detection illustrated that Poland, United States, and Turkey are the top three countries that have the largest concentration of infected systems.

                Botnet Detection: Kelihos.C, the Next Attack Wave

                Update as of Friday, March 30, 2012: The week after this sinkhole operation began, the botnet operators abandoned Kelihos.B. At the same time, the controllers purchased new malware installations via PPI affiliate programs, and set up a new botnet now known as Waledac/Kelihos.C (which is nearly identical to the previous botnet with only a few changes). These actions indicate that the criminals are well-funded and determined to maintain and protect the botnet. However, their modifications such as changing the encryption means there is no mechanism for the botnet controllers to regain control of the Kelihos.B botnet. In addition, the worm known as Fifesock that has been used to drop Kelihos.B does not have the ability to update or install new Kelihos botnet binaries. In other words, the computers infected with Kelihos.B are no longer able to communicate with Kelihos.C bots nor the command and control (C2) infrastructure, and furthermore, cannot be reinfected through an existing Fifesock worm infection.


                Related Content

                Close Modal
                Close Modal