Kelihos Returns: Same Botnet or New Version?

The twice-shut-down Kelihos botnet remains active and continues spamming with a new variant, despite yesterday’s efforts by Kaspersky Lab and CrowdStrike that knocked offline and sinkholed the most recent version of the botnet.

The twice-shut-down Kelihos botnet remains active and continues spamming with a new variant, despite yesterday’s efforts by Kaspersky Lab and CrowdStrike that knocked offline and sinkholed the most recent version of the botnet.

According to a Seculert report, the indomitable botnet is using a Facebook worm to continue spreading itself and infecting new machines. Its command and control server is still capable of communicating with other members of the botnet.

Researchers at Seculert are reluctant to classify this as a ‘Kelihos.c’ (or three), claiming instead that this is the same botnet. Seculert says that the same criminals are still responsible for the network’s operation and, furthermore, have the capacity to regain control over sinkholed machines by using the Facebook worm mentioned above.

“…the sinkholed machines are also installed with the Facebook worm which downloaded the Kehilos.B botnet in the first place,” Seculert’s Aviv Raff told Threatpost via email. “This means they might get an instruction to re-install the Kehilos botnet again, but with the new configuration set (as with the new infected bots).”

The news that Kelihos is “live and social,” as Seculert put it, is not altogether surprising. In an email interview with Threatpost yesterday Tillmann Werner of CrowdStrike and Marco Preuss of Kaspersky said they expected Kelihos would emerge again, albeit not so soon.

Preuss today acknowledged the appearance of the new Kelihos, but, contrary to Seculert’s analysis, claims it is a different botnet.

“We confirm that a new Hlux/Kelihos sample exists but it has a different configuration,” Preuss explained via email, “which means it’s coming from a new Hlux botnet (Hlux C). The previous generation (Hlux B) is under control by the sinkhole server. It is not uncommon for new versions of botnets to appear that are operated by the same group.”

Kasperksy identifies the Kelihos botnet as Hlux.

Preuss went on to explain that the criminal group responsible has been operating various versions of this botnet since 2007 (Storm, Waledac, Hlux/Kelihos). It would be naive, he said, to think they wouldn’t create a new botnet.

“Our sinkholing operations for Hlux A and B have shown that our countermeasure efforts are successful,” Preuss went on, “even if it’s just a temporary way to slow the group down.”

It seems that the Kelihos.b vs. Kelihos.c discrepancy is merely a matter of semantics between the researchers. However, Kaspersky Lab claims that the criminals behind the bot are not capable of regaining access to machines in the sinkhole, and that Seculert’s claim of such a capability is “not accurate.”

Furthermore, Kasperky Lab’s partner in the takedown, CrowdStrike, authored a blog this morning refuting a point made by Seculert. Bottom line, CrowdStrike claims, is this:

“There is no known means for the attacker to regain control over the sinkholed Kelihos.B machines at this point.”

Suggested articles