How Microsoft and Kaspersky Labs Neutralized a Spam Botnet

Botnets are feared not only for what they can do, but also for their resilient nature (they're virtually impossible to completely disband). Still, Microsoft and Kaspersky Labs teamed up recently to foil a particularly malevolent botnet called Kelihos. Here's how.

Kelihos is a botnet that, at its peak, was sending 4 billion spam messages a day. According to the security blog ThreatPost, the botnet wasn't so much shut down as it was "sinkholed." The botnet is still operational, but it's 100% controlled by Kaspersky Labs (who, by the way, failed to receive recognition from Microsoft for their efforts). Botnets, of course, function by infecting the computers of random people with internet connections, then using those compromised machines to do their evil bidding over a private peer-to-peer network. Kaspersky gained control of the botnet by getting the machines to talk to their own servers more than to the actual botnet servers.

"This Monday, we started to propagate a special peer address. Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing – bots communicate with a sinkhole instead of its real controllers. At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore."

But here's the tricky part: since Kaspersky can't shut down each individual infected computer, they can't shut down the botnet. They think they could have the botnet push an update to every machine that would remove the infection and shut down the network, but they say such a move is quite illegal. Oh well! [ThreatPost]

Image Credit: James Cridland/(CC BY 2.0)