Kelihos Botnet Still at Work, Security Experts Say

While Kaspersky, Dell and others may have disrupted the Kelihos botnet, experts with Seculert and Damballa say cyber-criminals are still spreading it.

Security researchers from Kaspersky Lab, Dell SecureWorks and other places generated a lot of headlines this week with their announcement that they had taken down a new version of the Kelihos peer-to-peer botnet.

In a March 28 post on Kaspersky's SecureList blog, Stefan Ortloff, a security expert with the company, said that the "sinkhole" operation, designed to draw infected computers away from the botnet's command-and-control (C&C) server and out of reach of the botnet's operators, was successful in disabling the newest version of Kelihos, which was first discovered in January.

"After a short time, our sinkhole-machine increased its 'popularity' in the network, which means that a big part of the botnet only talks to a box under our control," Ortloff wrote. "We also distributed a specially crafted list of job servers. This prevents the bots from requesting new commands from the malicious bot-herders. At this point, the bots can no longer be controlled by the bad guys."
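The two steps Ortloff describes, a defender-controlled node becoming the only peer the bots know and a crafted job-server list that yields no commands, can be illustrated with a small simulation. The following is an added toy model written for this article, not Kaspersky's tooling and not the Kelihos protocol: the peer-list size, the "freshest entries win" merge rule, the assumption that the sinkhole already knows the bot population (for example from an earlier crawl of the network), and all addresses and job-server names are constructed for the example.

```python
"""Toy model of a P2P botnet sinkhole: a defender-controlled node spreads its
own addresses through the peer-exchange protocol until the bots talk only to
it, then hands out a job-server list that never yields commands."""
import random
from dataclasses import dataclass

PEER_LIST_SIZE = 8   # how many peers each bot remembers (assumed)
JOB_LIST_SIZE = 2    # how many job servers each bot remembers (assumed)

# Constructed labels; a real botnet would use IP:port pairs, not these names.
SINKHOLE_PEERS = [f"sinkhole-{i}" for i in range(PEER_LIST_SIZE)]
SINKHOLE_JOBS = ["sinkhole-job-a", "sinkhole-job-b"]
HERDER_JOBS = ["herder-job-a", "herder-job-b"]


@dataclass
class Bot:
    addr: str
    peers: list   # peer addresses, freshest first
    jobs: list    # job servers to poll for commands, freshest first


def merge(mine, theirs, limit):
    """Peer-exchange merge (assumed rule): freshly received entries take
    precedence; the list is deduplicated and cut to the bot's fixed capacity."""
    merged = []
    for entry in theirs + mine:
        if entry not in merged:
            merged.append(entry)
    return merged[:limit]


def is_captured(bot):
    """A bot is captured once every peer and every job server it knows is
    sinkhole-controlled: from then on it can only ever talk to the sinkhole."""
    return (all(p in SINKHOLE_PEERS for p in bot.peers)
            and all(j in SINKHOLE_JOBS for j in bot.jobs))


def build_network(n, rng):
    """Random bot population, each knowing PEER_LIST_SIZE other bots."""
    addrs = [f"bot-{i}" for i in range(n)]
    bots = {}
    for a in addrs:
        peers = rng.sample([x for x in addrs if x != a], PEER_LIST_SIZE)
        bots[a] = Bot(a, peers, list(HERDER_JOBS))
    return bots


def reply_from(addr, bots):
    """What a contacted peer hands back: its peer list and job-server list.
    Any sinkhole address answers with the crafted lists."""
    if addr in SINKHOLE_PEERS:
        return SINKHOLE_PEERS, SINKHOLE_JOBS
    other = bots[addr]
    return other.peers, other.jobs


def exchange(bot, peers, jobs):
    bot.peers = merge(bot.peers, peers, PEER_LIST_SIZE)
    bot.jobs = merge(bot.jobs, jobs, JOB_LIST_SIZE)


def simulate(n=40, rounds=30, push_per_round=3, seed=1):
    """Run the takeover; return the bots and the captured count per round."""
    rng = random.Random(seed)
    bots = build_network(n, rng)
    history = []
    for _ in range(rounds):
        # Normal peer maintenance: each bot asks one known peer for its lists.
        # A bot that only knows sinkhole addresses can only ask the sinkhole.
        for bot in bots.values():
            target = rng.choice(bot.peers)
            exchange(bot, *reply_from(target, bots))
        # The sinkhole actively pushes its lists to a few not-yet-captured
        # bots per round (it is assumed to know the bot population already).
        pushed = 0
        for bot in bots.values():
            if pushed == push_per_round:
                break
            if not is_captured(bot):
                exchange(bot, SINKHOLE_PEERS, SINKHOLE_JOBS)
                pushed += 1
        history.append(sum(is_captured(b) for b in bots.values()))
    return bots, history


def fetch_commands(bot):
    """Stand-in for a bot polling its job servers: herder servers hand out
    work, sinkhole servers answer with nothing, so the bot idles."""
    commands = []
    for server in bot.jobs:
        if server in HERDER_JOBS:
            commands.append(f"job from {server}")  # placeholder, not a real command
    return commands


if __name__ == "__main__":
    bots, history = simulate()
    print("captured bots per round:", history)
    idle = sum(1 for b in bots.values() if not fetch_commands(b))
    print(f"{idle}/{len(bots)} bots can no longer obtain commands")
```

Capture is absorbing in this model: once a bot's peer list holds nothing but sinkhole addresses, every later exchange is with the sinkhole, so the captured count never falls and the sinkhole's direct pushes alone guarantee that every bot is eventually reached. Bots that have been captured also keep polling, but only the crafted job servers, which is why the per-bot `fetch_commands` comes back empty.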

However, officials with other security software companies doubt that the operation was completely successful. It may have disrupted the botnet operators' activity, but they said they are already seeing a third version of Kelihos spreading through new distribution channels, including Facebook.

Sinkholes and similar operations may slow down the Kelihos creators for a while, but until the people behind the botnets are taken out of the picture, more versions will show up, according to Gunter Ollmann, vice president of research for security software vendor Damballa.