Kaspersky Lab Experts reveal that the method they utilized to bring down the botnet, the sinkholing method, has its advantages, but they admit that if the masters are still at large, they can set up similar botnets.
And this is exactly what they did. Not long after the world learned of the good guys’ victory, researchers found new samples that appeared very similar to the initial version.
One of the differences between the two variants is in the communication protocol and the way it encrypts and packages Kelihos/Hlux messages.
In the newer version, the order of the encrypting operations was changed, and since this makes no sense as there aren’t any advantages, experts believe that someone obtained the source code and modified the order of encryption stages to make it look different.
Also concerning encryption, the later samples were found to have different encryption keys and RSA keys. However, this is a more predictable move and since there are two different RSA keys, it’s very likely that two groups are in possession of each of the keys, allowing them to control the botnet.
The tree structure of the old Kelihos is pretty much the same, except for the fact that the hash algorithm for the fields’ name is no longer used, the names now being composed of 1-2 characters.
The last difference is in the way packets are formed. Now, every packet includes the calculated data checksum in its header.
Kaspersky researchers concluded that it was impossible to completely neutralize a botnet just by taking over the control of the controller machines, instead, the most effective way to disable a botnet being the identification of the individuals running it.