CrowdStrike researchers deny that Kelihos has spawned a new version
A new version of the Kelihos botnet was detected within minutes of the takedown of Kelihos.B last Wednesday.
According to Seculert, Kelihos was still being spread using a Facebook worm with communication with the command and control (C&C) server through other members of the botnet, meaning that the Kelihos.B botnet is still up and running.
“It is continuously expanding with new infected machines, and actively sending spam,” it said.
“Some might call this ‘a new variant', or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B.”
However, CrowdStrike, which along with Dell SecureWorks, the Honeynet Project and Kaspersky Labs brought down Kelihos.B, said it was continuing to monitor the C&C infrastructure that was partially live, but confirmed that the servers no longer speak the Kelihos.B protocol.
It said: “We are aware of a new version of the bot, Kelihos.C, that has been released shortly after we started the sinkholing operation, and which is spreading via social networks. This new version introduces slight changes to the message format used to propagate peer information and commands.
“We believe that the modifications are so minimal that the new version is still likely to get detected by anti-virus software with signatures for Kelihos.B. However, as a result of these changes, the new botnet is incompatible with and thus completely separate from the Kelihos.B version sinkholed by us.”
It said that as Kelihos.B and Kelihos.C are dropped by a third-party installer, it is possible that the capability to update infected machines via this dropper might exist, although thorough analysis of the dropper revealed no way to remotely command it.
Aviv Raff, CTO of Seculert, told SC Magazine US that this was likely to be some sort of pay-per-install service, with two different groups having joined together. “One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines,” he said.
David Harley, senior research fellow at ESET, said: “For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix. Sinkholing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system which is now under the control of the good guys.
“However, there's a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.
“It's important to distinguish between the botnet and the actual malware it's associated with, which may include several components and multiple variants and sub-variants. Unfortunately, tweaking and recompiling are trivial if you have the source code, which obviously the Kelihos gang do.”