Security researchers from Kaspersky Lab, Dell SecureWorks and other places generated a lot of headlines this week with their announcement that they had taken down a new version of the Kelihos peer-to-peer botnet.
In a March 28 post on Kaspersky's SecureList blog, Stefan Ortloff, a security expert with the company, said that the sinkhole operation, designed to draw infected computers away from the botnet's command-and-control (C&C) server and out of reach of the botnet's operators, was successful in disabling the newest version of Kelihos, which was first discovered in January.
"After a short time, our sinkhole-machine increased its 'popularity' in the network, which means that a big part of the botnet only talks to a box under our control," Ortloff wrote. "We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad guys."
However, officials with other security software companies are doubtful that the operation was completely successful. It may have disrupted what the botnet operators were doing, but they said they are already seeing a third version of Kelihos taking new avenues of distribution, including through Facebook.
Sinkholes and similar operations may slow down the Kelihos creators for a while, but until the people behind the botnets are taken out of the picture, more versions will show up, according to Gunter Ollmann, vice president of research for security software vendor Damballa.