Kelihos Cybercriminals Outsmart Security Experts

Dennis Faas's picture

Security experts at Kaspersky Lab, one of the leading anti-virus and computer security firms, recently announced they were able to take control of a hacker-built botnet containing more than 100,000 compromised computers.

Unfortunately, less than 24 hours after the successful takedown, Kelihos, the cybercriminal gang behind the botnet, has already started building a new, large-scale collection of compromised computers to replace the one taken down.

To stop the initial botnet, Kaspersky specialists used a method called "sinkholing."

This technique involves direct infiltration of the botnet's peer-to-peer (P2P) network so as to trick most of the computers in the botnet to switch its network settings so it communicates only with innocent or neutral computers.

Once a computer stops communicating with command and control computers under hacker control, it ceases to be part of the botnet.

Users of these computers can then be notified by security experts and advised to clean their computers of the botnet malware.

Botnet to Target Facebook

The latest incarnation of the Kelihos botnet combats this sinkholing by paying the creators of the Facebook worm to re-install their malware onto the same previously infected computers.

The Kelihos gang has figured a way to manipulate the Facebook worm so as to regain control of the computers so recently taken out of the botnet by Kaspersky.

Given the popularity of Facebook, the worm has already been able to compromise over 70,000 accounts in short order. (Source:

To bypass the effect of the sinkholing, Kelihos needs only to pay the worm's operators to re-infect previously compromised computers with the latest version of their malware.

'Sinkholing' Ineffective in Long Run

Naturally, this ability of the hackers to rebuild their botnets so quickly has raised some concerns over the effectiveness of sinkholing in the first place.

Many experts feel the process is simply not worthwhile in the long run, as it never really leads to a complete takedown of a botnet. In their view, sinkholing neither impacts the cybercriminals nor has any lasting effect on their botnets.

Nevertheless, Gunter Ollmann, vice president of research at security company Damballa, predicts that a new group of security researchers will emerge in an effort to take down the new Kelihos botnet with the same sinkholing tactic already proven by Kaspersky.

The result will be a kind of virtual game of "Whack a Mole," in which armies of botnets arise, are freed by sinkholing systems, and then regrow, in a never-ending game of one-upmanship between the good guys and the hackers. (Source:

Rate this article: 
No votes yet