
Kelihos botnet dead but malware evolved, say Microsoft and Kaspersky

But new botnet-building malware illustrates 'incredibly frustrating' job of destroying criminal infrastructure, adds Symantec


Microsoft insists the Kelihos botnet is dead despite reports last week suggesting otherwise, but the company acknowledged that a new botnet is being assembled using a variant of the original malware.

The reappearance of a Kelihos-like army of hijacked computers shows just how difficult it is to eradicate a botnet, security experts said yesterday.

"It's not possible in most cases," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. "What you're going for is disruption more than anything."

Liam O Murchu, manager of operations at Symantec's security response team, agreed and said that there was only one way to ensure a botnet's death.

"If you get to the people behind it through arrests and convictions, that will be the most successful," said O Murchu. "But international borders and the lack of cross-country cooperation makes that a difficult road to go down."

New Kelihos malware

Kelihos was taken offline last September when Microsoft, using a federal court order, led efforts to shut down domains used by the command-and-control (C&C), severing links between the compromised computers and their order-giving master. Microsoft identified the alleged botmaster as a Russian programmer, Andrey Sabelnikov, in an amended complaint last week.

Sabelnikov, who worked for a pair of security companies from 2005 to late 2011, has proclaimed his innocence.

Talk of a Kelihos resurrection was sparked last week by Kaspersky, which said it had found signs of new malware built on the Kelihos code. The implication was that Kelihos had returned from the dead and was again spamming users.

Not so, said Richard Boscovich, a senior attorney in Microsoft's Digital Crimes Unit.

"Kaspersky has reported no loss of control of the Kelihos peer-to-peer operations and Microsoft researchers have confirmed this week that the original Kelihos C&C and backup infrastructure remains down, but it appears a new botnet infrastructure may be being built with the new variant of Kelihos malware," Boscovich said at the start of the year.

Kaspersky confirmed that yesterday.

Disruptive strategies

"The botnet we took down is still under control and infected machines are not receiving commands from the C&C centre, so they are not sending spam," said Alex Gostev, chief security expert at Kaspersky. "But new samples which are monitored by us continue to get orders from spammers and send spam so far. It means that we are dealing with another botnet."

The appearance of that new botnet illustrates the difficulty researchers, software vendors and authorities have in exterminating a botnet, something that Boscovich, who cited several takedown successes, acknowledged.

"Taking down a single threat has never been Microsoft's ultimate goal in our fight against botnets," said Boscovich. "Rather, we hope to transform the fight against cybercrime by developing, testing and advancing impactful and disruptive strategies. This is a long-term effort."

New botnets based on old-and-offline predecessors are not unusual: As Boscovich noted, the original Kelihos was probably developed using code for Waledac, a botnet that Microsoft and others brought down two years ago.

"We don't see who is behind each botnet, what we see is an evolution," said O Murchu. "A botnet brought down in some way may disappear for some months, but then reappear. In many cases, it's unclear if it's the same group or they sold their code to others to modify."

Waledac and Koobface

The struggle to eliminate a botnet has analogies in the non-digital world, said Schouwenberg. "It's like a big drug arrest where hundreds of kilos of cocaine are seized," he said. "It's damaging to the criminals, but it doesn't put them out of business."

The ideal solution is to find, arrest and prosecute botnet makers and operators, both Schouwenberg and O Murchu said. But that's not easy.

"It's a frustrating task," said O Murchu. "Researchers often know who is behind a botnet, but to get action taken can take an incredibly long time. That's incredibly frustrating."

Schouwenberg and O Murchu each cited as an example the claim last month that several Russian hackers were responsible for the Koobface botnet. The five men identified by security experts as the brains behind the botnet have yet to be arrested or charged.

But the experts believed that takedowns are worthwhile, even if those efforts aren't completely effective.

"If the fear of being caught isn't applicable, then the best thing we can do is hit the 'reset' button for the bad guys, and make them start over with a new botnet," said Schouwenberg.
