If your email inbox or spam folder has ever received messages from shady Nigerian princes or ebullient Viagra salesmen, chances are it was sent there care of the Kelihos botnet, a massive network of infected computers that sends around 3.8 billion spam emails every day.
Kelihos is a modern example of these malicious networks, which took root in the '90s through worms spread via IRC networks. Once infected, each individual computer becomes a slave node — or 'zombie' — in the sprawling network, transmitting countless quantities of e-waste every day in hopes that some sucker will bite. They've also been used to rapidly spread viruses, and to mount DDoS attacks, presumably such as those perpetrated by hacktivist groups like Lulzsec and Anonymous which brought sites down by overloading servers with requests.
But taking down one of these spam-slinging behemoths is no easy task. Even when the network has been sufficiently tracked, it's difficult to identify the machine acting as the puppet master, or 'controller node.' The 'bot' nodes rarely ever talk to the source, instead receiving their instructions from other 'router' nodes in the network. So a good way to plug up these giant spam-gangs, as Microsoft's Kaspersky lab found out, is to create a 'sinkhole.'
The sinkhole is a false node introduced into the botnet that effectively quagmires the network by rerouting all traffic to itself using decrypted protocols. Eventually, say the engineers at Kaspersky, all the nodes will begin talking to their machine and only their machine. That's how they managed to bury Kelihos, which connects to over 3,000 infected machines every minute and around 40,000 machines total. But the fight's not over yet. Kelihos is essentially trapped, but it's still not disabled.
The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that the number of machines hitting our sinkhole will slowly lower over time as computers get cleaned and reinstalled. Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. We hope that this number is going to be much lower soon.
Interestingly, there is one other theoretical option to ultimately get rid of Kelihos: we know how the bot's update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries and will thus remain theory.
Godspeed you brave spam assassins.