
CrowdStrike researchers deny that Kelihos has spawned a new version


A new version of the Kelihos botnet was detected within minutes of the takedown of Kelihos.B last Wednesday.

According to Seculert, Kelihos was still being spread using a Facebook worm, with communication to the command and control (C&C) server relayed through other members of the botnet, meaning that the Kelihos.B botnet is still up and running.

“It is continuously expanding with new infected machines, and actively sending spam,” it said.

“Some might call this ‘a new variant’, or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B.”

However, CrowdStrike, which along with Dell SecureWorks, the Honeynet Project and Kaspersky Labs brought down Kelihos.B, said it was continuing to monitor the C&C infrastructure, which was still partially live, but confirmed that the servers no longer speak the Kelihos.B protocol.

It said: “We are aware of a new version of the bot, Kelihos.C, that was released shortly after we started the sinkholing operation, and which is spreading via social networks. This new version introduces slight changes to the message format used to propagate peer information and commands.

“We believe that the modifications are so minimal that the new version is still likely to get detected by anti-virus software with signatures for Kelihos.B. However, as a result of these changes, the new botnet is incompatible with and thus completely separate from the Kelihos.B version sinkholed by us.”

It said that as Kelihos.B and Kelihos.C are dropped by a third-party installer, it is possible that the capability to update infected machines via this dropper might exist, although thorough analysis of the dropper revealed no way to remotely command it.

Aviv Raff, CTO of Seculert, told SC Magazine US that this was likely to be some sort of pay-per-install service, with two different groups having joined together. “One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines,” he said.

David Harley, senior research fellow at ESET, said: “For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix. Sinkholing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system which is now under the control of the good guys.

“However, there's a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.

“It's important to distinguish between the botnet and the actual malware it's associated with, which may include several components and multiple variants and sub-variants. Unfortunately, tweaking and recompiling are trivial if you have the source code, which obviously the Kelihos gang do.”
