Spotlight

Operation Kelihos: Presented at BotConf 2013

Dhia Mahjoub
Updated — March 18, 2020 • 4 minute read

Nearly two weeks ago, the picturesque city of Nantes hosted “The First Botnet Fighting Conference” – BotConf’13 – on Dec 5th and 6th. This was a great event where researchers from the security industry, academia and law enforcement presented and discussed the latest findings and initiatives in fighting botnets and prosecuting the criminals behind them.


Our Presentation:

As a security researcher from Umbrella Labs at OpenDNS, and a member of MalwareMustDie, I was pleased to be part of the event. I teamed up with Hendrik Adrian (@unixfreaxjp), founder of MalwareMustDie, to give a talk detailing our campaign against the Kelihos fast flux botnet. Our session consisted of multiple parts; in my section, I focused on domain and IP monitoring and on data analysis of the different elements of the botnet’s infrastructure.


First, I described the different components of the fast flux monitoring system (which has been operational since early July and was presented at APWG eCrime 2013). Building this system was the outcome of successive studies on fast flux and Kelihos [1][2][3]. The system detects new Kelihos domains in real time, as soon as they trigger DNS traffic, which is made possible by OpenDNS’s broad visibility into Internet DNS traffic. The system also monitors the growth of the botnet on a continuous basis.

We then shifted focus to show statistics and trends on various elements of the Kelihos botnet that underline the extent and currency of this threat. Given a sample of 900+ Kelihos domains collected since mid-summer 2013, we described the following features:

  • TLD distribution
  • Botnet geo-distribution
  • Botnet’s live hosts daily cycle
  • OS distribution
  • Daily detected Kelihos domains
  • Domains and IPs lifetime
  • Malware sample statistics and detection ratio

Some notable facts about the Kelihos botnet are:

  • 900+ fast flux domains and subdomains have been used by Kelihos malicious campaigns
  • The most abused TLDs have been .ru, .com, and .net
  • The Kelihos botnet has infected hosts in 100+ countries
  • The current size of Kelihos is about 44,000+ bots
  • 11,000+ IPs have hosted Kelihos domains
  • The most infected countries are Ukraine, Taiwan, Russia, Japan, and there are also infections in the US
  • 85% of bots are running Windows XP/Vista (from a sample)
  • A small number of Kelihos domains stayed active for nearly 2 months, acting as nameservers for other Kelihos domains, with the majority of domains having a lifetime of 1 day or less
  • A small number of botnet IPs stayed active for up to 3 months, and some were active even longer. These “zombie” IPs highlight the real challenge of cleaning up infected machines. Some of these long-lasting infected hosts are in universities. The majority of IPs had a lifetime of 1 day or less

Below, we show the geographical distribution of a snapshot of the botnet’s 40,000+ live hosts:

[Interactive map: kelihos-live-bots-40k]

In the figure below, we show the daily fluctuations of the number of live Kelihos bots over the first 2 weeks of December 2013. The daily cycle follows the time zone of Ukraine and Russia (UTC+2), i.e. the number of live bots peaks during busy computer usage hours, and drops during the night hours.
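The lifetime and daily-cycle features above are derived from passive DNS resolution records. The following is an added example, not code from the talk or from OpenDNS: it runs over a small constructed resolution log (domain, answer IP, UTC timestamp) and computes per-domain IP churn and lifetime, flags fast-flux candidates, and buckets live hosts by local hour in UTC+2 to reproduce the daily-cycle view. The thresholds and the sample records are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample resolution log (UTC timestamp, domain, answer IP).
# Made-up records for illustration; not data from the Kelihos monitoring system.
SAMPLE_LOG = [
    ("2013-12-01T06:00:00", "flux-a.example.ru", "198.51.100.10"),
    ("2013-12-01T06:05:00", "flux-a.example.ru", "203.0.113.44"),
    ("2013-12-01T06:10:00", "flux-a.example.ru", "192.0.2.77"),
    ("2013-12-01T18:00:00", "flux-a.example.ru", "198.51.100.11"),
    ("2013-12-03T09:00:00", "flux-a.example.ru", "192.0.2.78"),
    ("2013-12-01T07:00:00", "static.example.com", "192.0.2.5"),
    ("2013-12-02T07:00:00", "static.example.com", "192.0.2.5"),
]

UTC_PLUS_2 = timezone(timedelta(hours=2))  # time zone of the observed daily cycle


def _parse(rec):
    ts, dom, ip = rec
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), dom, ip


def domain_features(log):
    """Per domain: distinct answer IPs, distinct /24 prefixes, lifetime in calendar days."""
    seen = defaultdict(lambda: {"ips": set(), "first": None, "last": None})
    for ts, dom, ip in map(_parse, log):
        d = seen[dom]
        d["ips"].add(ip)
        d["first"] = ts if d["first"] is None else min(d["first"], ts)
        d["last"] = ts if d["last"] is None else max(d["last"], ts)
    return {
        dom: {
            "distinct_ips": len(d["ips"]),
            "distinct_prefixes": len({ip.rsplit(".", 1)[0] for ip in d["ips"]}),
            "lifetime_days": (d["last"].date() - d["first"].date()).days + 1,
        }
        for dom, d in seen.items()
    }


def flux_candidates(log, min_ips=3, min_prefixes=2):
    """Domains whose answers rotate across many IPs in unrelated networks (fast-flux signature)."""
    feats = domain_features(log)
    return sorted(dom for dom, f in feats.items()
                  if f["distinct_ips"] >= min_ips and f["distinct_prefixes"] >= min_prefixes)


def live_hosts_by_local_hour(log, tz=UTC_PLUS_2):
    """Distinct answer IPs (live flux hosts) per local hour of day; hour -> host count."""
    buckets = defaultdict(set)
    for ts, _, ip in map(_parse, log):
        buckets[ts.astimezone(tz).hour].add(ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}
```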

[Figure: keli-daily-cycle-16-days]

For the sake of visualization, the animations below show the daily cycle of live bots over a period of 2 weeks. The first animation is based on the IP infection maps of Kelihos followed by the world map view. These animations were a collaboration with my colleague @ThibaultReuille:

[Animation: IP infection map of Kelihos]

[Animation: world map view]

Using the data collected while preparing this talk, Kelihos was also featured in OpenDNS Security Labs’ 2013 Most notable attacks visualization microsite.

The remaining parts of our BotConf presentation are described in detail on MalwareMustDie’s blog, in which @unixfreaxjp analyzed the weaknesses of Kelihos that helped us investigate and infiltrate the botnet. We then disclosed the identity of the bad actor, and finally discussed the best methodology to neutralize or slow down Kelihos by stopping the payload distribution from the CnCs to the bots. (Keep in mind that bad guys adapt and adjust their infrastructure and MO, so the fight is still on.)

Needless to say, the progress and good results achieved by “Operation Kelihos” would not have been possible without the outstanding collective work and efforts of the tireless members of MalwareMustDie.

The Conference:

Several blogs have been posted since last week that provide great recaps of BotConf’s busy two days. We encourage you to check them out: [4][5][6][7][8][9].


There were several talks that caught my attention and interest. Just to name a few:

  • Distributed Malware Proxy Networks – Brad Porter and Nick Summerlin
  • Spam and All Things Salty: Spambot v2013 – Jessa dela Torre
  • Using cyber intelligence to detect and localize botnets – Enrico Branca
  • Spatial Statistics as a Metric for Detecting Botnet C2 Servers – Etienne Stalmans and Barry Irwin
  • The Home and CDorked campaigns: Widespread Malicious Modification of Webservers for Mass Malware Distribution – Sébastien Duquette
  • My Name is Hunter, Ponmocup Hunter – Tom Ueltschi
  • APT1: Technical Backstage – Paul Rascagnères
  • Europol and European law enforcement action against botnets – Jaap van Oss
  • DNS Resolution Traffic Analysis Applied to Bot Detection – Ronan Mouchoux
  • Exploit Krawler: New Weapon against Exploit Kits – Sébastien Larinier and Guillaume Arcas
  • The hunter becomes the hunted – analyzing network traffic to track down botnets – Thomas Chopitea

I take my hat off to the organizers for the outstanding execution of the conference: “Un grand Bravo à Eric et co.” The speakers delivered excellent and high quality presentations. To all the attendees, I’d like to say, “Thank you for the great engaging discussions and the good time at the dinner parties!”
