
CrowdStrike researchers deny that Kelihos has spawned a new version


A new version of the Kelihos botnet was detected within minutes of the takedown of Kelihos.B last Wednesday.

According to Seculert, Kelihos was still being spread via a Facebook worm, with communication to the command and control (C&C) server relayed through other members of the botnet, meaning that the Kelihos.B botnet is still up and running.

“It is continuously expanding with new infected machines, and actively sending spam,” it said.

“Some might call this ‘a new variant', or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B.”

However, CrowdStrike, which along with Dell SecureWorks, the Honeynet Project and Kaspersky Labs brought down Kelihos.B, said it was continuing to monitor the C&C infrastructure that was partially live, but confirmed that the servers no longer speak the Kelihos.B protocol.

It said: “We are aware of a new version of the bot, Kelihos.C, that has been released shortly after we started the sinkholing operation, and which is spreading via social networks. This new version introduces slight changes to the message format used to propagate peer information and commands.

“We believe that the modifications are so minimal that the new version is still likely to get detected by anti-virus software with signatures for Kelihos.B. However, as a result of these changes, the new botnet is incompatible with and thus completely separate from the Kelihos.B version sinkholed by us.”

It said that as Kelihos.B and Kelihos.C are dropped by a third-party installer, it is possible that the capability to update infected machines via this dropper might exist, although thorough analysis of the dropper revealed no way to remotely command it.

Aviv Raff, CTO of Seculert, told SC Magazine US that this was likely to be some sort of pay-per-install service, with two different groups having joined together. “One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines,” he said.

David Harley, senior research fellow at ESET, said: “For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix. Sinkholing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system which is now under the control of the good guys.

“However, there's a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.

“It's important to distinguish between the botnet and the actual malware it's associated with, which may include several components and multiple variants and sub-variants. Unfortunately, tweaking and recompiling are trivial if you have the source code, which obviously the Kelihos gang do.”
