Since botnets have grown to become one of the larger IT threats out there, researchers need to be able to find ways to neutralize them once they’re already active. One method that they use to do this is the sinkhole.
A sinkhole is computer that has all of the data reporting back to it instead of its original command and control server. In the case of the Kelihos botnet researchers at Microsoft had to reverse engineer the bot malware to send out new peer address routed to the sinkhole instead of the c&c server. Since the botnet didn’t connect directly to the command and control server but through a series router nodes, they were able to have the nodes start sending out the address for the sinkhole, instead of the c&c server. Given enough time most of the bots were then passing that address around the most instead of the its original server. Once the majority of the bots are reporting to the sinkhole the researchers are able to analyze the data from the botnet and more or less shut it down. I say more or less because while the botnet is now inactive, they still need to rely on the end user to remove the botnet malware from their computer. It will be interesting to see what methods malware developers come up with to counteract the sinkhole technique since they always seem to find away around them.