Security researchers have disabled the latest botnet built from the Kelihos malware, halting a 116,000-bot-strong operation devoted to spam, denial-of-service attacks, Bitcoin theft and mining, and other crimes. Announced today, the operation took place last week and was run by Kaspersky Lab, CrowdStrike, Dell SecureWorks, and the Honeynet Project.

While the first Kelihos botnet (also known as "Hlux") was taken down last September, an entirely new botnet using the same code was identified earlier this year.

In addition to sending spam and launching distributed denial-of-service attacks, this latest botnet could both steal Bitcoin wallets from infected computers and mine Bitcoin, spending the processing power of victimized computers to generate new bitcoins for the operators.

CrowdStrike's senior research scientist Tillman Werner and Kaspersky Lab's head of global research and analysis for botnets Marco Preuss told reporters in a phone conference that their latest operation reveals some interesting facts about peer-to-peer botnets. For one, they say as peer-to-peer botnets grow larger, they become easier targets for sinkholing operations because peer lists injected into the botnet by "good guys" to redirect infected machines away from command and control servers propagate more quickly throughout a bigger network. They also found that, in the case of the latest Kelihos/Hlux botnet, 84 percent of infected machines were running Windows XP.

Unlike traditional centralized botnets, in which all infected PCs connect directly to command and control servers operated by criminals, the zombie computers in peer-to-peer botnets connect to each other. Command and control servers do exist, but they don't connect directly to the majority of the bots. The networks are self-organizing, with every member of the network able to act as a server and client, preventing the command-and-control server from being a single point of failure.

On March 21, the good guys started distributing a "special peer list with all entries pointing to our sinkhole system," Werner told reporters. Within 24 hours, 77,341 bots had connected to the sinkhole. Within six days, it was up to 116,000.

"It's not always true that bigger botnets are easier to take down, but if we're talking about a peer-to-peer botnet, a bigger botnet means the degree of interconnectivity amongst the bots is higher," Werner said. "You can think of it as an exponentially increasing propagation function. We inject our false information into a couple of bots and they pass it onto some more bots. The bigger the population is, the faster the distribution. If you compare the results from this takeover with the previous one, where the botnet was only about one-third of the size, this one went much much faster."

The latest sinkhole detected 44,295 unique IP addresses in its first 10 hours, compared with 11,550 in the first 10 hours of the earlier sinkhole. The number of IP addresses differs from the number of bots, but we weren't able to get a direct comparison for the number of bots captured in the first hours of the two sinkholes.

Windows XP machines target of most infections

The security firms were also able to determine the operating system used by each infected PC in the latest botnet. Windows XP dominated, with 84 percent of infections occurring on XP machines. Eight percent were Windows 7 machines without any service packs installed, and five percent were Windows 7 with Service Pack 1 installed. Windows Vista accounted for about two percent, and Windows Server 2003 was installed on a fraction of one percent of the machines. Service pack information was not available for XP machines, based on the data sent by the bots.

Windows XP lacks the exploit mitigations built into Vista and Windows 7 (address space layout randomization, for one), and XP still has a large installed base despite being more than a decade old. When asked why XP machines were so prevalent, the researchers said it is likely a matter of economics: botnet operators can pay other criminals to infect machines through so-called pay-per-install services, and the per-PC price for infecting XP machines is lower.

The price of infection also helps determine the location of bots. The researchers found that 24.5 percent of infections were in Poland, and 10.8 percent in the US, leading all other countries by a wide margin. For whatever reason, infected machines in Poland are cheaper than those in more central parts of Europe, said Preuss.

When Kaspersky took down the first Hlux/Kelihos botnet last year, the company explained that in peer-to-peer botnets, each bot keeps up to 500 peer records in a local peer list stored in the Windows registry, and this list is updated with peer information received from other bots. "The peer-to-peer architecture implemented by Hlux has the advantage of being very resilient against takedown attempts," Kaspersky said. "The dynamic structure allows for fast reactions if irregularities are observed."

Once the sinkhole began, the criminals gave up

However, the criminals behind the latest botnet barely resisted the takedown. A few hours after the operation began, a new version of the bot malware was distributed, but it did nothing to counter the sinkholing. The criminals did not try to push out new peer lists of their own, which, according to the researchers, could in theory have been an effective countermeasure had it been done within 10 to 15 minutes of the injection.

"We haven't seen any counteractions by the gang whatsoever," Werner said. "It surprised us a little bit. In fact shortly after we sinkholed the botnet, they abandoned the command and control infrastructure."

"It's possible for them to respond and also propagate peer lists, but they didn't do it for the first one or the second one," Preuss said.

The takedown did not eliminate the bots themselves, however—the PCs that were part of the botnet are still infected. The researchers said that security companies are informing Internet service providers about the infections, but cannot legally take direct action to clean up the machines. But despite the continued infection of the PCs, at this point it would be nearly impossible to wrest control of the botnet away from the sinkhole.

"Whenever a bot connects to our sinkhole and sends the peer list over, we reply with the fake peer list again," Preuss said. "By doing so we make sure that all bots that ever connect to our sinkhole remain on the sinkhole, and they don't know any other peers anymore."
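As an added example (not the researchers' tooling and not the bot's own code), the following Python simulation puts the mechanics described in this article into one model: the per-bot peer list capped at 500 entries that Kaspersky described, the injected "special peer list" with every entry pointing at the sinkhole, bots that pass the list on to peers that contact them, and a sinkhole that answers every connecting bot with the fake list again, as Preuss describes. Everything about how the bots exchange lists is an assumption of the model rather than something the article states: one pull of a random peer's list per round, received entries merged newest-first, a random initial peer graph, and negative ids standing in for sinkhole addresses.

```python
"""Gossip-style simulation of a peer-list sinkhole against a P2P botnet.

Constructed illustration for this article, not the researchers' tooling.
Assumptions not taken from the article: one round = every bot pulling the
peer list of one random entry from its own list; a received list is merged
newest-first and truncated at MAX_PEERS; the initial peer graph is random.
"""
import random

MAX_PEERS = 500                    # per-bot peer record cap Kaspersky described
# Fake entries that all resolve to the sinkhole; negative ids keep them distinct
# from real bot ids (0..n-1).  Assumed encoding, not the bot's real format.
SINKHOLE_ENTRIES = list(range(-1, -MAX_PEERS - 1, -1))


def fake_peer_list():
    """The 'special peer list with all entries pointing to our sinkhole'."""
    return list(SINKHOLE_ENTRIES)


def is_sinkhole(entry):
    return entry < 0


def merge(own, received):
    """Merge a received list into our own: received entries first, capped at MAX_PEERS.

    The fake list already holds MAX_PEERS entries, so merging it evicts every
    real peer the bot knew.  That is what makes the poisoning stick.
    """
    out, seen = [], set()
    for p in received + own:
        if p not in seen:
            seen.add(p)
            out.append(p)
            if len(out) == MAX_PEERS:
                break
    return out


def captured(peers):
    """A bot is captured when every peer it knows is the sinkhole."""
    return all(is_sinkhole(p) for p in peers)


class Sinkhole:
    """Answers every connecting bot with the fake list again (Preuss' point)."""

    def __init__(self):
        self.seen = set()          # unique bots that ever connected

    def reply(self, bot, its_peer_list):
        self.seen.add(bot)         # the real sinkhole logged IP and OS; we log the id
        return fake_peer_list()


def build_botnet(n, degree, rng):
    """Random peer lists: every bot starts out knowing `degree` other bots."""
    net = {}
    for b in range(n):
        peers = set()
        while len(peers) < degree:
            p = rng.randrange(n)
            if p != b:
                peers.add(p)
        net[b] = sorted(peers)
    return net


def simulate(n=1000, degree=10, seeds=3, rounds=40, rng_seed=7):
    """Inject the fake list into `seeds` bots, then gossip for `rounds` rounds.

    Returns (captured-bot count after each round, the Sinkhole instance).
    """
    rng = random.Random(rng_seed)
    net = build_botnet(n, degree, rng)
    sink = Sinkhole()
    done = set()
    for b in rng.sample(range(n), seeds):   # "a couple of bots"
        net[b] = fake_peer_list()
        done.add(b)
    history = []
    for _ in range(rounds):
        for b in range(n):
            if b in done:
                # Every entry it knows is the sinkhole, so that is all it can reach,
                # and the sinkhole hands the fake list back: it never leaves.
                net[b] = sink.reply(b, net[b])
                continue
            target = rng.choice(net[b])
            if is_sinkhole(target):
                received = sink.reply(b, net[b])
            else:
                received = net[target]         # a captured peer hands over the fake list
            net[b] = merge(net[b], received)
            if captured(net[b]):
                done.add(b)
        history.append(len(done))
    return history, sink


if __name__ == "__main__":
    hist, sink = simulate()
    for r, c in enumerate(hist[:15], 1):
        print(f"round {r:2d}: {c:5d} bots on the sinkhole")
    print(f"unique bots that connected to the sinkhole: {len(sink.seen)}")
```

Run stand-alone, it prints the captured count per round: the count roughly doubles every round until the whole population sits on the sinkhole, which is the exponentially increasing propagation function Werner describes, and the curve never drops, which is the "remain on the sinkhole" property: once a bot's list holds only sinkhole entries, the only peer it can contact is the sinkhole, and the sinkhole re-poisons it on every contact. In the model, a genuine peer list pushed by the operators only helps if it reaches a bot before its real entries have been evicted, which is why the researchers put the window for such a countermeasure at minutes rather than hours.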

The sinkhole will remain active as long as necessary, Werner said.

There are likely hundreds of other botnets still out in the wild, so this is just a small contribution to Internet safety, Werner said. Kaspersky Lab argues that international legislation giving more power to cyber security professionals and law enforcement agencies is necessary to make a bigger impact on the botnet problem.

"Obviously we cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines," Kaspersky's Stefan Ortloff argued in a new blog post.

Over time, the number of infected machines hitting the sinkhole should slowly decrease. But "there is one other theoretical option to ultimately get rid of Hlux," Ortloff wrote. "We know how the bot's update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries."