We're not in a hole. A lot of companies would like to be in our hole - Scott 'touch'n'feely' McNealy
SECURITY FIRMS have banded together to take down the second incarnation of the Hlux or Kelihos botnet.
The companies - including Kaspersky Lab, the Crowdstrike Intelligence Team, Dell Secureworks and the Honeynet Project - said that this version was almost three times the size of its predecessor and had infected computers numbering in the six figures.
The Russian security firm Kaspersky Lab said that so far over 100,000 computer infections have been neutralised. By comparison, the earlier Kelihos botnet infestation that was shut down by Kaspersky, Microsoft and others had only 40,000 machines under its spell.
The two botnets are similar though, and Kaspersky said that this version was operating in the wild along with the first. It added that although they share coding, this version has a number of updates, including Bitcoin thievery and other sticky fingered attacks.
"Similar to the first version, the second botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets," it added.
A sinkholing operation that drew the botnet in one direction was used to shut down the botnet, and that was started in earnest on 19 March. Now Kaspersky says it has rendered the botnet inoperable.
"Last week, we set up worldwide distributed machines for this sinkholing operation and on Wednesday, March 21, we finally began the synchronized propagation of our sinkhole IP-adress to the peer-to-peer network. After a short time, our sinkhole-machine increased its 'popularity' in the network - which means that big part of the botnet only talks to a box under our control," said the firm in a blog post to its Securelist web site.
"After six days, we now have more than 116,000 bots connecting to our sinkhole." µ
Sign up for INQbot – a weekly roundup of the best from the INQ