Kelihos Botnet Still at Work, Security Experts Say

By Jeffrey Burt  |  Posted 2012-03-30

Kelihos Botnet Still at Work, Security Experts Say

Security researchers from Kaspersky Lab, Dell SecureWorks and other places generated a lot of headlines this week with their announcement that they had taken down a new version of the Kelihos peer-to-peer botnet.

In a March 28 post on Kaspersky€™s SecureList blog, Stefan Ortloff, a security expert with the company, said that the €œsinkhole€ operation€”designed to draws infected computers away from the botnet€™s command-and-control (C&C) server and out of reach of the botnet€™s operators€”was successful in disabling the newest version of Kelihos, which was first discovered in January.

"After a short time, our sinkhole-machine increased its 'popularity' in the network€”which means that a big part of the botnet only talks to a box under our control," Ortloff wrote. "We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad guys."

However, officials with other security software companies are doubtful that the operation was completely successful. It may have disrupted what the botnet operators were doing, but they said they already are seeing a third version of the Kelihos taking new avenues of distribution, including through Facebook.  

Sinkholes and similar operations may slow down the Kelihos creators for a while, but until the people behind the botnets are taken out of the picture, more versions will show up, according to Gunter Ollmann, vice president of research for security software vendor Damballa.

Some Compare Botnet Takedowns to a Game of Whack-a-Mole


€œLike I€™ve said before, if you€™re going to take down a botnet, you have to take out the criminals at the top,€ Ollmann wrote in a March 29 blog. €œIt€™s the only way. Taking out the infrastructure they depend upon for distributing new infectious material and C&C is a disruption technique€”a delaying tactic, if you will, and maybe an evidence-building process if you€™re lucky. In the case of P2P-based botnets, there€™s very little infrastructure you can get your hands on€”and you€™ll probably end up having to issue commands to botnet victim devices€”which is fraught with legal and ethical problems.€

The problem, he said, is that such operations like sinkholes essentially become a game of whack-a-mole€”security companies may stop or slow one botnet, but another version will quickly pop up somewhere else. And there are tools that the cyber-criminals operating peer-to-peer P2P botnets can use to avoid efforts like sinkholes. With all that, it€™s difficult to agree that the Kelihos botnet has been taken down€”twice.

€œIt would be more precise to say that certain Kelihos campaigns have been disrupted,€ Ollmann wrote. €œThe criminals (and their core infrastructure) haven€™t been significantly affected. In fact, the speed at which the Kelihos criminal gang was able to release an updated variant (Kelihos.C) reflects the futility of much of the current takedown effort.€

A day after Kaspersky€™s Ortloff wrote about the sinkhole operation against Kelihos, officials at cyber-threat management firm Seculert said in a blog post that they were seeing the Kelihos botnet continuing to spread through Facebook. They had discovered the social strain of the botnet a few weeks earlier, and that as of this week, it had infected more than 70,000 Facebook users, mostly in Poland and the United States.

The new Kelihos variant€”which the Seculert official were still referring to as Kelihos.B€”is leveraging a known social worm malware first noted in April 2011. The social worm malware sends out a message to all the victim's friends, directing them to a URL that includes a photo album link. The link actually downloads a malicious file, which at the time was fake antivirus software. The malware also creates a dummy blog at, which then redirects more traffic to it, according to Seculert.

€œUnfortunately, at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm,€ the Seculert officials wrote. €œAlso, there is still communication activity of this malware with the command-and-control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam.€

They doubted that this is a new variant, or a Kelihos.C. €œAs the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer this botnet as Kelihos.B,€ they wrote.

Rocket Fuel