Researchers use specially crafted code to direct infected computers to their servers instead of servers run by the criminals who have been using the botnet to distribute spam.
A new version of the Kelihos spamming botnet has been sidelined by using the peer-to-peer distribution mechanism to basically hijack it, researchers announced today.
The botnet, which was used mostly to distribute spam for Canadian pharmaceutical firms but also stole bitcoin wallets containing virtual currency, was about three times larger than an earlier variant, according to CrowdStrike, the security firm that worked with Kaspersky, Dell SecureWorks, and Honeynet Project to shut down the botnet.
The researchers reverse-engineered the malware code and wrote their own software that rerouted infected computers to communicate with servers controlled by researchers and law enforcement rather than servers operated by the malware creators where they would get instructions for sending spam.
“Last week they began poisoning Kelihos.B using the peer-to-peer mechanism and within minutes we were talking to 110,000 infected machines and sending them to our sinkhole,” which is composed of benign servers controlled by researchers, Adam Meyers, director of intelligence at CrowdStrike, told CNET. “This is a cool factor. That we were able to use one of the attributes of the botnet, the peer-to-peer networking, against it.”
The researchers injected their code into the botnet by sending it out to a number of infected computers that in turn sent it on to others in a viral distribution manner. “Eventually, the code overtakes the network and the bad guys lose control,” Meyers said.
The sinkhole collects data from the infected computers, such as IP address and operating system version. The statistics allowed indicated that more than 9,400 computers were running Windows 7, just a few hundred more than those running Windows XP.
Researchers are working with Internet service providers to identify the infected machines and help get the malware removed from them, according to Meyers.
It’s unclear who is behind Kelihos, he said. It was created last October after Microsoft used a sinkhole to halt the original Kelihos botnet, which had infected about 41,000 computers.
The latest Kelihos used servers with hosts registered in Sweden, Russia and Ukraine that were controlled by a botmaster, according to CrowdStrike. The command-and-control infrastructure used by the botnet was abandoned by the gang operating it two days after the researchers began hijacking it using the peer-to-peer feature, the company said.
Earlier this week, Microsoft announced that U.S.Marshals seized command-and-control servers used to control Zeus botnets that had been used to steal more than $100 million via 13 million infected computers.