Report: Kelihos botnet making a comeback - Update
Following a joint operation by Microsoft and Kaspersky Lab last September to disrupt Kelihos, the botnet is now said to be making a comeback and using new techniques. According to a report on Securelist, which is run by Kaspersky Lab, new samples of the Kelihos botnet have been discovered that appear to be "very similar to the initial version".
However, Kaspersky Lab researcher Maria Garnaeva says that comparing the new version of Kelihos with the original does reveal some changes. These include using a new order of operations for communication with the botnet controllers and using updated encryption keys. Garnaeva notes that, while changing keys is "quite predictable, two different RSA encryption keys are now being used which could possibly mean that two different groups are currently controlling Kelihos. "We believe that the most effective method to disable a botnet is finding the people who are behind it," said Garnaeva, adding that, "Let’s hope that Microsoft will carry out its investigation to the end".
While Kelihos was not as large as the Rustock botnet, it had reportedly infected more than 40,000 systems around the world and, at its peak, was capable of sending nearly 4 billion spam emails each day. Last week Microsoft's Digital Crimes Unit named Russian Andrey N. Sabelnikov, a software developer who allegedly used to work as a "software engineer and project manager at a company that provided firewall, antivirus and security software", as a new defendant in its case against the botnet's operators. Sabelnikov has since denied Microsoft's accusations and told the BBC, "I will prove my innocence". The case is ongoing.
Update - Microsoft has pointed out that, although similar to the Kelihos botnet, analysis of the new malware samples that Kaspersky reported on and "continuing observations of Kelihos-infected computers have demonstrated no known re-employment of the original Kelihos botnet by botherders". The original Kelihos botnet has shrunk to less than 10,000 infected systems estimates Microsoft, down from a peak of 41,000; it is not sharing statistics on the size of the new botnet but believes it is likely to be small.
(crve)