
CrowdStrike researchers dispute claim that the sinkholed Kelihos.B botnet is still running


A new version of the Kelihos botnet was detected within minutes of the sinkholing of Kelihos.B last Wednesday, and the researchers involved disagree over whether it is a new botnet or the old one carrying on.

According to Seculert, Kelihos is still being spread by a Facebook worm, and the newly infected machines reach the command and control (C&C) server through other members of the botnet. Seculert takes this to mean that the Kelihos.B botnet is still up and running.

“It is continuously expanding with new infected machines, and actively sending spam,” it said.

“Some might call this ‘a new variant’, or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B.”

However, CrowdStrike, which along with Dell SecureWorks, the Honeynet Project and Kaspersky Lab brought down Kelihos.B, said it was continuing to monitor the C&C infrastructure, part of which was still live, but confirmed that those servers no longer speak the Kelihos.B protocol.

It said: “We are aware of a new version of the bot, Kelihos.C, that has been released shortly after we started the sinkholing operation, and which is spreading via social networks. This new version introduces slight changes to the message format used to propagate peer information and commands.

“We believe that the modifications are so minimal that the new version is still likely to get detected by anti-virus software with signatures for Kelihos.B. However, as a result of these changes, the new botnet is incompatible with and thus completely separate from the Kelihos.B version sinkholed by us.”

It said that because both Kelihos.B and Kelihos.C are dropped by a third-party installer, the capability to update infected machines via this dropper might exist, although thorough analysis of the dropper revealed no way to remotely command it.

Aviv Raff, CTO of Seculert, told SC Magazine US that this was likely to be some sort of pay-per-install service, with two different groups having joined together. “One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines,” he said.

David Harley, senior research fellow at ESET, said: “For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix. Sinkholing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system which is now under the control of the good guys.

“However, there's a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.

“It's important to distinguish between the botnet and the actual malware it's associated with, which may include several components and multiple variants and sub-variants. Unfortunately, tweaking and recompiling are trivial if you have the source code, which obviously the Kelihos gang do.”

