Botnet shutdown success story: how Kaspersky Lab disabled the Hlux/Kelihos botnet
| Field | Value |
|---|---|
| Botnet | Kelihos, Hlux |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 28 September 2011 |
| Editor/Conference | Kaspersky Lab |
| Link | http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet (archive copy) |
| Author | Tillmann Werner |
| Type | |
Abstract
“ Earlier this week, Microsoft released an announcement about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.
Kaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure. We worked closely with Microsoft’s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.
A key part of this effort is the sinkholing of the botnet. It’s important to understand that the botnet still exists – but it’s being controlled by Kaspersky Lab. In tandem with Microsoft’s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. This post describes the inner workings of the botnet and the work we did to prevent it from further operation. ”
Bibtex

@misc{2011BFR843,
  editor = {Kaspersky Lab},
  author = {Tillmann Werner},
  title = {Botnet shutdown success story: how Kaspersky Lab disabled the Hlux/Kelihos botnet},
  date = {2011-09-28},
  month = sep,
  year = {2011},
  howpublished = {\url{http://www.securelist.com/en/blog/208193137/Botnet_Shutdown_Success_Story_How_Kaspersky_Lab_Disabled_the_Hlux_Kelihos_Botnet}},
}