CrowdStrike researchers deny that Kelihos has spawned a new version

A new version of the Kelihos botnet was detected within minutes of the takedown of Kelihos.B last Wednesday.

According to Seculert, Kelihos was still being spread by a Facebook worm, with the infected machines reaching the command and control (C&C) server through other members of the botnet, meaning that the Kelihos.B botnet is still up and running.

“It is continuously expanding with new infected machines, and actively sending spam,” it said.

“Some might call this ‘a new variant’, or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B.”

However, CrowdStrike, which along with Dell SecureWorks, the Honeynet Project and Kaspersky Labs brought down Kelihos.B, said it was continuing to monitor the C&C infrastructure that was partially live, but confirmed that the servers no longer speak the Kelihos.B protocol.

It said: “We are aware of a new version of the bot, Kelihos.C, that has been released shortly after we started the sinkholing operation, and which is spreading via social networks. This new version introduces slight changes to the message format used to propagate peer information and commands.

“We believe that the modifications are so minimal that the new version is still likely to get detected by anti-virus software with signatures for Kelihos.B. However, as a result of these changes, the new botnet is incompatible with and thus completely separate from the Kelihos.B version sinkholed by us.”

It said that as Kelihos.B and Kelihos.C are dropped by a third-party installer, it is possible that the capability to update infected machines via this dropper might exist, although thorough analysis of the dropper revealed no way to remotely command it.

Aviv Raff, CTO of Seculert, told SC Magazine US that this was likely to be some sort of pay-per-install service, with two different groups having joined together. “One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines,” he said.

David Harley, senior research fellow at ESET, said: “For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix. Sinkholing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system which is now under the control of the good guys.

“However, there's a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.

“It's important to distinguish between the botnet and the actual malware it's associated with, which may include several components and multiple variants and sub-variants. Unfortunately, tweaking and recompiling are trivial if you have the source code, which obviously the Kelihos gang do.”
