A team of security experts cooperating globally say they've disabled a large botnet of about 110,000 remotely controlled infected machines dubbed HLux.B/Kelihos.B by interfering in its peer-to-peer connections in a "poisoning" process to sinkhole them, cutting off the botnet's central control point.
Kaspersky Lab, Dell SecureWorks, Crowdstrike Intelligence Team and the Honeynet Project all had a hand in monitoring and disabling the botnet. There's speculation that it was created by the same gang that created the first Hlux/Kelihos bot, which was shot down with help from Microsoft's Digital Crimes Unit, among others, last September.
Crowdstrike's senior research scientist Tillmann Werner and Kaspersky Lab's global head of research in Germany, Marco Preuss, discussed how the sinkholing operation against HLux.B proceeded, cautioning that the sinkhole can probably be maintained indefinitely, but that more than 100,000 computers around the world are still infected.
The Hlux.B/Kelihos botnet has been used for spam, denial-of-service attacks and "spying on credentials" on victims' computers, noted Werner. About one quarter of the 110,000 or more infected machines appear to be in Poland, with about 10% in the U.S., and the remainder elsewhere around the world, including Turkey, Spain, India and Argentina.