Characterisation of the Kelihos.B Botnet

  • Max Kerkers
  • José Jair Santanna
  • Anna Sperotto
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8508)

Abstract

Botnets are organized networks of infected computers that are used for malicious purposes. An example is Kelihos.B, a botnet of the Kelihos family used primarily for mining bitcoins, sending spam and stealing bitcoin wallets. A large part of the Kelihos.B botnet was sinkholed in early 2012, and since then the bots have been sending their requests to servers controlled by the sinkhole operators. In this paper, we analyze and characterize the behavior of Kelihos.B. Our analysis is based on the log of bot requests recorded at the sinkhole from March 2012 to early November 2013. We investigate both the overall characteristics of the botnet and its evolution over time since the sinkholing. Our results indicate that, although the trend is decreasing, there are possibly still newly infected bots more than a year after the original sinkholing.
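As an added illustration of the kind of analysis the abstract describes (this is not code from the paper or its authors), the following Python script takes a sinkhole request log and reports, per month, the number of requests, the number of distinct source addresses, and the number of addresses never seen in any earlier month, which is the simplest proxy for "newly infected bots". The log format (ISO timestamp, source IP, request path) and the sample lines are assumptions; the paper's real log format and data are not shown on this page, and the IPs used are RFC 5737 documentation addresses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole request log lines (assumed format:
# "<ISO timestamp> <source IP> <request path>"). Not the paper's data.
# Two deliberately malformed lines are included to show they are skipped.
SAMPLE_LOG = """\
2012-03-28T10:00:01 192.0.2.10 /fetch
2012-03-28T10:00:05 192.0.2.11 /fetch
2012-03-29T11:30:00 192.0.2.10 /fetch
malformed-line-ignored
2012-04-02T08:15:00 198.51.100.7 /fetch
2012-04-03T09:00:00 192.0.2.11 /fetch
not-a-date 192.0.2.99 /fetch
2013-06-15T12:00:00 203.0.113.42 /fetch
2013-06-16T12:00:00 192.0.2.10 /fetch
2013-11-01T07:45:00 203.0.113.43 /fetch
"""


def parse_log(text):
    """Yield (timestamp, source_ip) pairs, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1]


def month_key(ts):
    """Bucket key used for the per-month evolution view."""
    return ts.strftime("%Y-%m")


def characterise(text):
    """Return {month: {"requests", "distinct_ips", "first_seen"}}.

    "first_seen" counts addresses that did not appear in any earlier record.
    Caveat: the sinkhole only sees source addresses, so dynamic addressing
    inflates this number (one bot, many addresses) while NAT deflates it
    (many bots, one address). Treat it as an upper bound on new infections.
    """
    seen = set()
    requests = defaultdict(int)
    active = defaultdict(set)
    first_seen = defaultdict(int)
    # Sort chronologically so "first seen" is defined by time, not file order.
    for ts, ip in sorted(parse_log(text)):
        m = month_key(ts)
        requests[m] += 1
        active[m].add(ip)
        if ip not in seen:
            seen.add(ip)
            first_seen[m] += 1
    return {
        m: {
            "requests": requests[m],
            "distinct_ips": len(active[m]),
            "first_seen": first_seen[m],
        }
        for m in sorted(requests)
    }


def total_distinct(text):
    """Overall population size as seen by the sinkhole (distinct source IPs)."""
    return len({ip for _, ip in parse_log(text)})


if __name__ == "__main__":
    for month, stats in characterise(SAMPLE_LOG).items():
        print(month, stats)
    print("distinct addresses overall:", total_distinct(SAMPLE_LOG))
```

The per-month "first_seen" column is the quantity that makes the "still newly infected bots" question answerable from a sinkhole log; the request and distinct-address columns give the overall characterisation and the decreasing trend. On real data the address-churn caveat in the docstring matters, and a per-ASN or per-country breakdown (which the authors' references to GeoIP and ASN tooling suggest they used) would be layered on top of the same grouping.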

Keywords

Botnet, Kelihos.B, Hlux2, Characterisation, Sinkhole



Copyright information

© International Federation for Information Processing 2014

Authors and Affiliations

  • Max Kerkers (1)
  • José Jair Santanna (1)
  • Anna Sperotto (1)
  1. Design and Analysis of Communication Systems (DACS), University of Twente, Enschede, The Netherlands
