Kelihos botnet, once crippled, now gaining strength

Microsoft and Kaspersky Lab are now seeing the botnet it shutdown in September coming back to life

A botnet that was crippled by Microsoft and Kaspersky Lab last September is spamming once again and experts have no recourse to stop it.

The Kelihos botnet only infected 45,000 or so computers but managed to send out nearly 4 billion spam messages a day, promoting, among other things, pornography, illegal pharmaceuticals and stock scams.

But it was temporarily corralled last September after researchers used various technical means to get the 45,000 or so infected computers to communicate with a "sinkhole," or a computer they controlled.

But the computers that comprised Kelihos were still infected with its code. Researchers knew that it would only be a matter of time before its controller used the botnet's complex infrastructure of proxy servers and communication nodes to regain control.

In fact, it happened shortly after the researchers intervened. Sinkholing the botnet was only a temporary solution.

"We could have issued an update to those machines to clean them up, but in several countries that would be illegal," said Ram Herkanaidu, security researcher and education manager for Kaspersky Lab.

Meddling with another person's computer could be considered a form of hacking, even with the best intentions of security researchers. Unfortunately, it appears that many of the machines infected with Kelihos are now controlled by the bad guys again.

There are also other new variants of Kelihos that are using updated forms of encryption to mask the communication with the botnet controllers, Herkanaidu said. Maria Garnaeva, a researcher with Kaspersky Lab, wrote that two different RSA keys are being used for encryption, which means it is possible two different groups are controlling Kelihos.

The resurrection of Kelihos comes as Microsoft last week amended a civil suit in the U.S. District Court for the Eastern District of Virginia to name a Russian man it believes is responsible for the botnet.

The man, Andrey N. Sabelnikov of St. Petersburg, freelanced for a software development company and formerly worked as a software engineer for a computer security software company.

After his name was widely published in media reports, Sabelnikov denied he was responsible and told the BBC, "I will prove my innocence."

Even if Sabelnikov is eventually criminally charged by U.S. prosecutors, Russia's constitution prohibits extradition of its own citizens.

Microsoft said it is working with Kaspersky on studying the latest Kelihos developments. The company remains committed to following its botnet cases and intends to hold those responsible accountable for their actions, said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, in a statement.

Send news tips and comments to jeremy_kirk@idg.com

More about: BBC, Creator, Kaspersky, Kaspersky Lab, Microsoft, RSA
References show all

Comments

1

ChrisG

Wed 08/02/2012 - 12:15

MIcrosoft updates computers all the time all over the world. That's not hacking, so why not get them to clean it up?

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the TechWorld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: kaspersky lab, Microsoft, security
Whitepapers
All whitepapers

Twitter Feed

Whitepapers

- + c

Latest News

- + c
more