While Kaspersky, Dell and others may have disrupted the Kelihos, experts with Seculert and Damballa say cyber-criminals are still spreading the botnet.
researchers from Kaspersky Lab, Dell SecureWorks and other places generated a
lot of headlines this week with their announcement that they had taken down a new version of the Kelihos
In a March 28
post on Kasperskys SecureList
, Stefan Ortloff, a security expert with the company, said
that the sinkhole operationdesigned to draws infected computers away from
the botnets command-and-control (C&C) server and out of reach of the
botnets operatorswas successful in disabling the newest version of Kelihos,
which was first discovered in January.
short time, our sinkhole-machine increased its 'popularity' in the
networkwhich means that a big part of the botnet only talks to a box under our
control," Ortloff wrote. "We also distributed a specially crafted
list of job servers. This prevents the bots from requesting new commands from
the malicious bot-herders. At this point, the bots can no longer be controlled
by the bad guys."
officials with other security software companies are doubtful that the
operation was completely successful. It may have disrupted what the botnet
operators were doing, but they said they already are seeing a third version of
the Kelihos taking new avenues of distribution, including through Facebook.
similar operations may slow down the Kelihos creators for a while, but until
the people behind the botnets are taken out of the picture, more versions will
show up, according to Gunter Ollmann, vice president of research for security
software vendor Damballa.