
Operation Kelihos: Presented at BotConf 2013

By Dhia Mahjoub
Posted on December 18, 2013
Updated on March 18, 2020


Nearly two weeks ago, the picturesque city of Nantes hosted “The First Botnet Fighting Conference” – BotConf’13 – on Dec 5th and 6th. This was a great event where researchers from the security industry, academia and law enforcement presented and discussed the latest findings and initiatives in fighting botnets and prosecuting the criminals behind them.


Our Presentation:

As a security researcher from Umbrella Labs at OpenDNS, and a member of MalwareMustDie, I was pleased to be part of the event. I teamed up with Hendrik Adrian (@unixfreaxjp), founder of MalwareMustDie, to give a talk detailing our campaign against the Kelihos Fast Flux Botnet. Our session consisted of multiple parts – in my section, I focused on domain and IP monitoring and on the data analysis of the different elements of the botnet’s infrastructure.


First, I described the different components of the fast flux monitoring system (which has been operational since early July and was presented at APWG eCrime 2013). Building this system was the outcome of successive studies on fast flux and Kelihos [1][2][3]. The system detects new Kelihos domains in real time, as soon as they trigger DNS traffic, which is made possible thanks to the large visibility of OpenDNS into Internet traffic. The system also monitors the growth of the botnet on a continuous basis.

We then shifted focus to show statistics and trends on various elements of the Kelihos botnet that underline the extent and current relevance of this threat. Given a sample of 900+ Kelihos domains collected since mid-summer of 2013, we described the following features:

  • TLD distribution
  • Botnet geo-distribution
  • Botnet’s live hosts daily cycle
  • OS distribution
  • Daily detected Kelihos domains
  • Domains and IPs lifetime
  • Malware sample statistics and detection ratio

Some notable facts about the Kelihos botnet are:

  • 900+ fast flux domains and subdomains have been used by Kelihos malicious campaigns
  • The most abused TLDs have been .ru, .com, and .net
  • The Kelihos botnet has infected hosts in 100+ countries
  • The current size of Kelihos is about 44,000+ bots
  • 11,000+ IPs have hosted Kelihos domains
  • The most infected countries are Ukraine, Taiwan, Russia, Japan, and there are also infections in the US
  • 85% of bots are running Windows XP/Vista (from a sample)
  • A small number of Kelihos domains stayed active for nearly 2 months, acting as nameservers for other Kelihos domains, with the majority of domains having a lifetime of 1 day or less
  • A small number of botnet IPs stayed active for up to 3 months, and some were active even longer. These “zombie” IPs point out the real challenge of cleaning up infected machines. Some of these long-lasting infected hosts are in universities. The majority of IPs had a lifetime of 1 day or less

Below, we show the geographical distribution of a snapshot of the botnet’s 40,000+ live hosts:

[Interactive map: geographical distribution of the botnet’s 40,000+ live hosts]

In the figure below, we show the daily fluctuations of the number of live Kelihos bots over the first 2 weeks of December 2013. The daily cycle follows the time zone of Ukraine and Russia (UTC+2), i.e. the number of live bots peaks during busy computer usage hours, and drops during the night hours.
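As an added illustration (not code from the post or from the Umbrella Labs monitoring system), the following Python script computes two of the features discussed above from constructed passive-DNS-style observations: the lifetime of each domain and IP (first sighting to last) and the hourly count of live hosts in the UTC+2 time zone. The domains and IPs are placeholders, not Kelihos indicators.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of (UTC timestamp, queried domain, resolved IP) observations.
# Names and addresses are placeholders, not indicators from the post.
OBSERVATIONS = [
    ("2013-12-01T06:10:00Z", "ns-a.example-ff.ru", "198.51.100.10"),
    ("2013-12-01T14:00:00Z", "ns-a.example-ff.ru", "198.51.100.11"),
    ("2013-12-03T20:30:00Z", "ns-a.example-ff.ru", "198.51.100.10"),
    ("2013-12-02T09:15:00Z", "shop-b.example-ff.com", "203.0.113.5"),
    ("2013-12-02T11:45:00Z", "shop-b.example-ff.com", "198.51.100.10"),
    ("2013-12-02T23:59:00Z", "shop-b.example-ff.com", "203.0.113.5"),
]

# UTC+2: the time zone (Ukraine/Russia) in which the post observes the daily cycle.
LOCAL_TZ = timezone(timedelta(hours=2))

def parse_ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lifetimes(observations, key_index):
    """Whole days between first and last sighting, keyed by domain (key_index=1)
    or by IP (key_index=2). A single sighting yields 0 days."""
    first, last = {}, {}
    for ts, *fields in observations:
        k, t = fields[key_index - 1], parse_ts(ts)
        first[k] = min(first.get(k, t), t)
        last[k] = max(last.get(k, t), t)
    return {k: (last[k] - first[k]).days for k in first}

def lifetime_buckets(lt):
    """Split lifetimes into the post's '1 day or less' bucket vs longer-lived ones."""
    return dict(Counter("1 day or less" if d <= 1 else "longer" for d in lt.values()))

def hourly_live_hosts(observations, tz=LOCAL_TZ):
    """Distinct IPs seen per local hour in tz: the raw data behind a daily-cycle plot."""
    seen = defaultdict(set)
    for ts, _domain, ip in observations:
        seen[parse_ts(ts).astimezone(tz).hour].add(ip)
    return {h: len(ips) for h, ips in sorted(seen.items())}

if __name__ == "__main__":
    print("domain lifetimes:", lifetimes(OBSERVATIONS, 1))
    print("ip lifetimes:", lifetimes(OBSERVATIONS, 2))
    print("domain buckets:", lifetime_buckets(lifetimes(OBSERVATIONS, 1)))
    print("live hosts per local hour:", hourly_live_hosts(OBSERVATIONS))
```

On real data the observation list would come from a passive-DNS feed and the hourly counts would be aggregated over many days before plotting.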

[Figure: daily fluctuations of the number of live Kelihos bots, first two weeks of December 2013]

For the sake of visualization, the animations below show the daily cycle of live bots over a period of 2 weeks. The first animation is based on the IP infection maps of Kelihos followed by the world map view. These animations were a collaboration with my colleague @ThibaultReuille:

[Animation: daily cycle of live bots over two weeks, IP infection map view]

[Animation: daily cycle of live bots over two weeks, world map view]

Using the data collected while preparing this talk, Kelihos was also featured in OpenDNS Security Labs’ 2013 Most notable attacks visualization microsite.

The remaining parts of our BotConf presentation are described in detail on MalwareMustDie’s blog, where @unixfreaxjp analyzed the weaknesses of Kelihos that helped us investigate and infiltrate the botnet. We then disclosed the identity of the bad actor, and finally discussed the best methodology to neutralize or slow down Kelihos by stopping the payload distribution from the CnCs to the bots. (Keep in mind that bad guys adapt and adjust their infrastructure and MO, so the fight is still on.)

Needless to say, the progress and good results achieved by “Operation Kelihos” would not have been possible without the outstanding collective work and efforts of the tireless members of MalwareMustDie.

The Conference:

Several blogs have been posted since last week that provide great recaps of BotConf’s busy two days. We encourage you to check them out: [4][5][6][7][8][9].


There were several talks that caught my attention and interest. Just to name a few:

  • Distributed Malware Proxy Networks – Brad Porter and Nick Summerlin
  • Spam and All Things Salty: Spambot v2013 – Jessa dela Torre
  • Using cyber intelligence to detect and localize botnets – Enrico Branca
  • Spatial Statistics as a Metric for Detecting Botnet C2 Servers – Etienne Stalmans and Barry Irwin
  • The Home and CDorked campaigns: Widespread Malicious Modification of Webservers for Mass Malware Distribution – Sébastien Duquette
  • My Name is Hunter, Ponmocup Hunter – Tom Ueltschi
  • APT1: Technical Backstage – Paul Rascagnères
  • Europol and European law enforcement action against botnets – Jaap van Oss
  • DNS Resolution Traffic Analysis Applied to Bot Detection – Ronan Mouchoux
  • Exploit Krawler: New Weapon against Exploit Kits – Sébastien Larinier and Guillaume Arcas
  • The hunter becomes the hunted – analyzing network traffic to track down botnets – Thomas Chopitea

I take my hat off to the organizers for the outstanding execution of the conference: “Un grand Bravo à Eric et co.” The speakers delivered excellent and high quality presentations. To all the attendees, I’d like to say, “Thank you for the great engaging discussions and the good time at the dinner parties!”
