The new Kelihos version is larger than the one shut down in September. However, one security firm believes it is still propagating itself via Facebook.
Researchers from Kaspersky Lab, Dell SecureWorks and other organizations have essentially disabled a newer version of the Kelihos botnet, which Kaspersky and others helped shut down in September 2011.
The new Kelihos version, first discovered in January, was armed with new features that made it more dangerous than the initial botnet, according to researchers at Kaspersky. The peer-to-peer botnet also was significantly larger, compromising almost three times as many computers as the first.
The group of researchers, not only from Kaspersky and Dell but also CrowdStrike and the Honeynet Project, studied the new Kelihos for a couple of months, and on March 21 began to take it down with a similar "sinkhole" operation designed to draw the infected computers away from the botnet's command-and-control server and out of reach of the botnet's operators.
The operation did its job, according to Stefan Ortloff, a security expert at Kaspersky. "[In a] short time, our sinkhole-machine increased its 'popularity' in the network, which means that a big part of the botnet only talks to a box under our control," Ortloff said in a March 28 post on Kaspersky's SecureList blog. "We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad ..."
Microsoft, SurfNET and Kyrus Tech used similar techniques in September 2011 in an effort code-named Operation b79 to take down the original Kelihos botnet, also known as Hlux, by grabbing control of its command-and-control infrastructure. At the time, Kelihos was seen as a smaller botnet, infecting about 41,000 computers. However, it also was effective, generating upwards of 4 billion spam messages per day. These included stock scams, adult content, illegal pharmaceuticals and malware, according to Microsoft.
Researchers believe the original Kelihos was built by the same people responsible for the Waledac bot, which Microsoft shut down in March 2011. After disabling the original Kelihos botnet, Microsoft went after the suspected creators, suing them in court and publishing their names.
The new version of Kelihos was detected in January, and Kaspersky researchers found it had "significant changes in the communication protocol and new 'features' like flash-drive infection [and] bitcoin-mining wallet theft," Kaspersky's Ortloff wrote. It also was much larger; after six days of operation, it already had infected as many as 116,000 computers, the security software firm said.
Not all in the security field are convinced the threat from the new Kelihos version is over. According to cyber-threat management firm Seculert, the botnet, which officials there dubbed Kelihos.B, has found a new way to propagate itself: through Facebook. In a March 29 blog post, Seculert officials said Kelihos.B was leveraging a well-known social worm malware that researchers first warned the industry about in April 2011.
The worm malware would send out a message to all the victim's friends directing them to a URL that included a photo album link. The link would actually download a malicious file, which at the time was fake antivirus software. The malware also created a dummy blog at Blogger.com, which then redirected more traffic to it, according to Seculert.
"[Kelihos.B] is currently using the same photo album worm to spread their own malware via Facebook," the company said in its blog. "This may bring back questions about the identity and the origin of the Kelihos botnet and recent trends of collaboration between cyber-criminal groups."
Seculert officials said they'd been able to identify more than 70,000 Facebook users that are infected with the Facebook worm, with the bulk of those users in Poland and the United States. They noted Kaspersky's sinkhole operation and the shutting down of the Kelihos.B botnet, though they added they were skeptical that Kaspersky and its partners were able to shut it down completely.
"At the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm," the officials wrote. "Also, there is still communication activity of this malware with the command-and-control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines and actively sending spam."
Seculert officials don't consider this a new variant, or Kelihos.C, but "as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B," they said.
Ortloff said that a few hours after the security researchers started their latest sinkhole takedown operation, the Kelihos "herders tried to take countermeasures by rolling out a new version of their bot. We also noticed that the bot-herders stopped their network from sending out spam and DDoS [distributed denial-of-service] attacks. Also, the botnet's fast-flux-network list has remained empty for a few hours."
After six days of the operation, Kaspersky researchers now have more than 116,000 infected machines connected to their sinkhole.