Friday, September 30, 2011

Sinkholed

Kaspersky Lab just sank a wicked spam botnet called Kelihos in the
ongoing struggle against these nefarious creatures. You can't kill a
botnet outright, because you'd have to remove it from every infected
computer and that's not gonna happen. So what security labs like
Kaspersky do instead is something called "sinkholing": the bots are
coerced into talking exclusively to the researchers' servers instead of
their intended control servers, which effectively hands the new host
control over the botnet. A kind of hijacking:

"This Monday, we started to propagate a special peer address. Very soon,
this address became the most prevalent one in the botnet, resulting in
the bots talking to our machine, and to our machine only. Experts call
such an action sinkholing - bots communicate with a sinkhole instead of
their real controllers. At the same time, we distributed a specially
crafted list of job servers to replace the original one with the
addresses mentioned before and prevent the bots from requesting
commands. From this point on, the botnet could not be commanded
anymore."
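The mechanism the quote describes, as an added toy simulation (this is not Kaspersky's code and not how Kelihos actually worked): bots rank peers by how often other nodes advertise them, a single injected sinkhole address that answers every query by advertising only itself soon tops every peer list, and the job-server list each bot fetches from its top peer becomes the crafted one. All addresses and the ring topology are constructed stand-ins.

```python
from collections import Counter

SINKHOLE = "sinkhole.example"              # constructed stand-in for the researchers' peer
ORIGINAL_JOBS = ["jobs.original.example"]  # constructed stand-in for the real job servers
ADVERTISE_TOP = 3                          # peers a node hands out per exchange


class Bot:
    """A peer that ranks other peers by how often they were advertised to it."""

    def __init__(self, name, neighbours):
        self.name = name
        self.seen = Counter(neighbours)          # address -> times advertised to us
        self.job_servers = list(ORIGINAL_JOBS)

    def advertise(self):
        """Addresses handed out to whoever asks: the most-advertised ones."""
        return [addr for addr, _ in self.seen.most_common(ADVERTISE_TOP)]

    def top_peer(self):
        """Most-advertised peer; ties go to the alphabetically first address,
        so the sinkhole cannot win a tie and has to outgrow the real peers."""
        return min(self.seen, key=lambda a: (-self.seen[a], a))


def exchange(bot, peer_addr, bots):
    """One gossip exchange: ask peer_addr for its peer list and job-server list."""
    if peer_addr == SINKHOLE:
        # The sinkhole answers every query with itself, plus a crafted
        # job-server list that points back at the sinkhole.
        return [SINKHOLE] * ADVERTISE_TOP, [SINKHOLE]
    peer = bots[peer_addr]
    return peer.advertise(), list(peer.job_servers)


def run(n_bots=12, rounds=20):
    """Ring of bots with the sinkhole injected into one bot once; returns
    (bots whose top peer is the sinkhole after each round, all-cut-off flag)."""
    names = [f"bot-{i:02d}" for i in range(n_bots)]
    bots = {nm: Bot(nm, [names[i - 1], names[(i + 1) % n_bots]])
            for i, nm in enumerate(names)}
    bots[names[0]].seen[SINKHOLE] += 1       # the "special peer address" is propagated once
    history = []
    for _ in range(rounds):
        for bot in bots.values():
            for addr in list(bot.seen):      # gossip with every peer we know
                peers, _ = exchange(bot, addr, bots)
                bot.seen.update(p for p in peers if p != bot.name)
            # Job servers are fetched from the peer we trust most.
            bot.job_servers = exchange(bot, bot.top_peer(), bots)[1]
        history.append(sum(b.top_peer() == SINKHOLE for b in bots.values()))
    return history, all(b.job_servers == [SINKHOLE] for b in bots.values())
```

`run()` returns the per-round count of bots pointing at the sinkhole, which climbs from one to all of them, and a flag that is true once every bot's job-server list names only the sinkhole, i.e. the point at which the quote says the botnet could no longer be commanded.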
