Botnet shutdown success story: how Kaspersky Lab disabled the Hlux/Kelihos botnet

From Botnets.fr
Jump to: navigation, search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Botnet shutdown success story: how Kaspersky Lab disabled the Hlux/Kelihos botnet
Architecturehlux.png
Botnet Kelihos, Hlux
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2011 /
The date "28 septembre 2011" was not understood.
The date "28 septembre 2011" was not understood.
Editor/Conference Kaspersky lab
Link http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet (Archive copy)
Author Tillmann Werner
Type

Abstract

Earlier this week, Microsoft released an announcement about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.


Kaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure. We worked closely with Microsoft’s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.
A key part of this effort is the sinkholing of the botnet. It’s important to understand that the botnet still exists – but it’s being controlled by Kaspersky Lab. In tandem with Microsoft’s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. This post describes the inner workings of the botnet and the work we did to prevent it from further operation.

Bibtex

 @misc{Werner2011BFR843,
   editor = {Kaspersky lab},
   author = {Tillmann Werner},
   title = {Botnet shutdown success story: how Kaspersky Lab disabled the Hlux/Kelihos botnet},
   date = {Error: Invalid time.},
   month = Error: Invalid time.,
   year = {2011},
   howpublished = {\url{http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet}},
 }