Cisco Umbrella

Enterprise network security

Spotlight

Operation Kelihos: Presented at BotConf 2013

By Dhia Mahjoub

Nearly two weeks ago, the picturesque city of Nantes hosted “The First Botnet Fighting Conference” – BotConf’13 – on Dec 5th and 6th. This was a great event where researchers from the security industry, academia and law enforcement presented and discussed the latest findings and initiatives in fighting botnets and prosecuting the criminals behind them.

botconf-ico

Our Presentation:

As security researcher from Umbrella Labs at OpenDNS, and a member of MalwareMustDie, I was pleased to be part of the event. I teamed up with Hendrik Adrian (@unixfreaxjp), founder of MalwareMustDie, to give a talk detailing our campaign against the Kelihos Fast Flux Botnet. Our session consisted of multiple parts – in my section, I focused on the domain, IP monitoring and data analysis of different elements of the infrastructure of the botnet.

botconf-2013-talk-front

First, I described the different components of the fast flux monitoring system (which has been operational since early July and was presented at APWG eCrime 2013). Building this system was the outcome of successive studies on fast flux and Kelihos [1][2][3]. The system detects new Kelihos domains in real time, as soon as they trigger DNS traffic, which is made possible thanks to the large visibility of OpenDNS into Internet traffic. The system also monitors the growth of the botnet on a continuous basis.

We then shifted focus to show statistics and trends on various elements of the Kelihos botnet that stress the extent and actuality of this threat. Given a sample of 900+ Kelihos domains collected since mid-summer of 2013, we described the following features:

  • TLD distribution
  • Botnet geo-distribution
  • Botnet’s live hosts daily cycle
  • OS distribution
  • Daily detected Kelihos domains
  • Domains and IPs lifetime
  • Malware sample statistics and detection ratio

Some notable facts about the Kelihos botnet are:

  • 900+ fast flux domains and subdomains have been used by Kelihos malicious campaigns
  • The most abused TLDs have been .ru, .com, and .net
  • The Kelihos botnet has infected hosts in 100+ countries
  • The current size of Kelihos is about 44,000+ bots
  • 11,000+ IPs have hosted Kelihos domains
  • The most infected countries are Ukraine, Taiwan, Russia, Japan, and there are also infections in the US
  • 85% of bots are running Windows XP/Vista (from a sample)
  • A small number of Kelihos domains stayed active for nearly 2 months, acting as nameservers for other Kelihos domains, with the majority of domains having a lifetime of 1 day or less
  • A small number of botnet IPs stayed active for up to 3 months, and some were active even longer. These “zombie” IPs point out the real challenge of cleaning up infected machines. Some of these long lasting infected hosts are in universities. The majority of IPs had a lifetime of 1 day or less

Below, we show the geographical distribution of a snapshot of the botnet’s 40,000+ live hosts:

[load-javascript slug=”kelihos-live-bots-40k”]

In the figure below, we show the daily fluctuations of the number of live Kelihos bots over the first 2 weeks of December 2013. The daily cycle follows the time zone of Ukraine and Russia (UTC+2), i.e. the number of live bots peaks during busy computer usage hours, and drops during the night hours.

keli-daily-cycle-16-days

For the sake of visualization, the animations below show the daily cycle of live bots over a period of 2 weeks. The first animation is based on the IP infection maps of Kelihos followed by the world map view. These animations were a collaboration with my colleague @ThibaultReuille:

anim2

w_anim

Using the data collected while preparing this talk, Kelihos was also featured in OpenDNS Security Labs’ 2013 Most notable attacks visualization microsite.

The remaining parts of our BotConf presentation are greatly described in MalwareMustDie’s blog, in which @unixfreaxjp analyzed the weaknesses of Kelihos, which helped us investigate and infiltrate the botnet. We then disclosed the identity of the bad actor, and finally, discussed the best methodology to neutralize or slow down Kelihos by stopping the payload distribution from the CnCs to the bots. (Keep in mind that bad guys adapt and adjust their infrastructure and MO, so the fight is still on.)

Needless to say, the progress and good results achieved by “Operation Kelihos” would not have been possible without the outstanding collective work and efforts of the tireless members of MalwareMustDie.

The Conference:

Several blogs have been posted since last week that provide great recaps of BotConf’s busy two days. We encourage you to check them out: [4][5][6][7][8][9].

 combo

There were several talks that caught my attention and interest. Just to name a few:

  • Distributed Malware Proxy Networks – Brad Porter and Nick Summerlin
  • Spam and All Things Salty: Spambot v2013 – Jessa dela Torre
  • Using cyber intelligence to detect and localize botnets – Enrico Branca
  • Spatial Statistics as a Metric for Detecting Botnet C2 Servers – Etienne Stalmans and Barry Irwin
  • The Home and CDorked campaigns : Widespread Malicious Modification of Webservers for Mass Malware Distribution – Sébastien Duquette
  • My Name is Hunter, Ponmocup Hunter – Tom Ueltschi
  • APT1: Technical Backstage – Paul Rascagnères
  • Europol and European law enforcement action against botnets – Jaap van Oss
  • DNS Resolution Traffic Analysis Applied to Bot Detection – Ronan Mouchoux
  • Exploit Krawler: New Weapon againt Exploits Kits – Sébastien Larinier and Guillaume Arcas
  • The hunter becomes the hunted – analyzing network traffic to track down botnets – Thomas Chopitea

I take my hat off to the organizers for the outstanding execution of the conference: “Un grand Bravo à Eric et co.” The speakers delivered excellent and high quality presentations. To all the attendees, I’d like to say, “Thank you for the great engaging discussions and the good time at the dinner parties!”