41,000-strong Kelihos botnet back from the dead (update: just a variant)

The 41,000-computer Kelihos botnet has re-appeared, according to a blog post by Kaspersky Lab's Maria Garnaeva. She goes on to say that an updated sinkholing strategy would again only temporarily disable the botnet.
The 41,000-computer botnet known as Kelihos (or Hlux, depending on who you ask), temporarily disabled by Microsoft and Kaspersky Lab in September, is back — and will likely keep coming back until the botnet master is found. A blog post by Kaspersky Lab’s Maria Garnaeva states that while the sinkholing strategy originally used to take down Kelihos provided a quick fix, “It is not very effective if the botnet’s masters are still at large.” Changes in the encryption and packaging of the botnet's messages mean that the original sinkholing approach no longer works; a new sinkhole would have to take these changes into account, and if the botnet master still has a list of active router IPs, he or she can simply push out another update and put everyone back at square one.

Garnaeva goes on to say that the reincarnation appeared as early as September 28 — pretty much immediately after the botnet was initially taken down — adding that, since two different RSA keys are being used, two different groups are "probably" in control. While an updated sinkhole would still be effective at disrupting the network (temporarily), Garnaeva is holding out hope that the people behind Kelihos are found. Microsoft alleges that Andrey Sabelnikov — a former security employee with Russian antivirus firm Agnitum — “wrote the code for and either created, or participated in creating, the Kelihos malware,” but Sabelnikov denies any wrongdoing.

Update: Microsoft and Kaspersky have clarified earlier statements. This is a new botnet based on the same code.