Kelihos/Hlux botnet returns with new techniques

It has been four months since Microsoft and Kaspersky Lab announced the disruption of the Kelihos/Hlux botnet. The sinkholing method that was used has its advantages: it is possible to disable a botnet rather quickly without taking control of the infrastructure. However, as this particular case showed, it is not very effective if the botnet's masters are still at large.

Not long after we disrupted Kelihos/Hlux, we came across new samples that seemed to be very similar to the initial version. After some investigation, we gathered all the differences between the two versions. This is a summary of our findings:

Let's start with the lowest layer, the encryption and packing of Kelihos/Hlux messages in the communication protocol. For some reason, in the new version, the order of operations was changed. Here are the steps for processing encrypted data to retrieve a job message, which is organized as a tree structure:

Step  Old Hlux                   New Hlux
1     Blowfish with key1         Blowfish with new key1
2     3DES with key2             Decompression with Zlib
3     Blowfish with key3         3DES with new key2
4     Decompression with Zlib    Blowfish with new key3
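The following script is an added illustration of the layer-ordering difference in the table above; it is not code from the original post or from Kaspersky Lab. It models each variant's unpacking routine as an ordered list of layers, derives the matching packing routine by running the inverse layers in reverse, and shows how an analyst can tell the two variants apart from a captured message. The keys are constructed placeholders (the real Kelihos/Hlux keys are not on the page), and Blowfish and 3DES are replaced by a keyed SHA-256 counter-mode stream as a stand-in, because the point being demonstrated is the order of the layers, not the block cipher. The job-message encoding (a "JOB" magic followed by JSON) is also an assumption made for the example.

```python
import hashlib
import json
import struct
import zlib

# Constructed placeholder keys; the real Kelihos/Hlux keys are not on the page.
OLD_KEYS = {"key1": b"old-key1", "key2": b"old-key2", "key3": b"old-key3"}
NEW_KEYS = {"key1": b"new-key1", "key2": b"new-key2", "key3": b"new-key3"}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the Blowfish/3DES layers: SHA-256 in counter mode.
    XOR with a keystream is its own inverse, so one function both packs
    and unpacks a layer. Only the ordering of layers is under study here."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def cipher_layer(key: bytes):
    """Return a one-argument layer function bound to a key."""
    return lambda blob: keystream_xor(key, blob)


# Unpacking order exactly as in the table: old = three cipher layers, then zlib;
# new = one cipher layer, then zlib, then the remaining two cipher layers.
OLD_UNPACK = [cipher_layer(OLD_KEYS["key1"]), cipher_layer(OLD_KEYS["key2"]),
              cipher_layer(OLD_KEYS["key3"]), zlib.decompress]
NEW_UNPACK = [cipher_layer(NEW_KEYS["key1"]), zlib.decompress,
              cipher_layer(NEW_KEYS["key2"]), cipher_layer(NEW_KEYS["key3"])]


def unpack(blob: bytes, steps) -> bytes:
    """Apply the unpacking layers in order (bot side: wire bytes -> job)."""
    for step in steps:
        blob = step(blob)
    return blob


def pack(payload: bytes, unpack_steps) -> bytes:
    """Derive the packing routine from the unpacking one: run the inverse of
    each layer in reverse order (controller side: job -> wire bytes)."""
    for step in reversed(unpack_steps):
        payload = zlib.compress(payload) if step is zlib.decompress else step(payload)
    return payload


def encode_job(tree: dict) -> bytes:
    """Assumed job encoding: a 4-byte magic followed by a JSON tree."""
    return b"JOB\x00" + json.dumps(tree, sort_keys=True).encode()


def decode_job(blob: bytes) -> dict:
    if not blob.startswith(b"JOB\x00"):
        raise ValueError("not a job message")
    return json.loads(blob[4:])


def looks_like_zlib(blob: bytes) -> bool:
    """Cheap check for a zlib stream header: CM == 8 and CMF/FLG check passes."""
    if len(blob) < 2:
        return False
    cmf, flg = blob[0], blob[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def outer_layer_exposes_zlib(blob: bytes, key1: bytes) -> bool:
    """In the new ordering, stripping only the first cipher layer already
    exposes a zlib header; in the old ordering two more cipher layers remain."""
    return looks_like_zlib(keystream_xor(key1, blob))


def identify_variant(blob: bytes):
    """Try each variant's unpacking order; return (variant, job) or (None, None)."""
    for name, steps in (("old", OLD_UNPACK), ("new", NEW_UNPACK)):
        try:
            return name, decode_job(unpack(blob, steps))
        except (zlib.error, ValueError):
            continue
    return None, None


# Constructed sample job tree used for the demonstration.
SAMPLE_JOB = {"type": "spam", "tasks": [{"id": 1, "target": "example.invalid"}]}

if __name__ == "__main__":
    for label, steps in (("old", OLD_UNPACK), ("new", NEW_UNPACK)):
        wire = pack(encode_job(SAMPLE_JOB), steps)
        print(label, "->", identify_variant(wire)[0], len(wire), "bytes")
```

The practical consequence for an analyst or a sinkhole operator is that a decoder written for the old order fails on new-variant traffic at the zlib step, because the three cipher layers no longer wrap the compressed stream directly. The `outer_layer_exposes_zlib` check gives a fast way to classify captured messages: with the new order, removing only the first layer already yields a valid zlib header.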

9. March 2012