Kelihos Botnet Back From The Grave

A new version of the Kelihos botnet is gaining momentum despite Microsoft’s efforts to uproot it last year

The Kelihos botnet, supposedly eradicated by Microsoft last autumn, is back from the dead and continuing to grow, according to security researchers.

In its Vipre report for February 2012, issued on Friday, GFI Software said the botnet has “continued to gain momentum in the wild”.

Spam botnet

“Capable of sending out billions of spam emails in a day, Kelihos has been used to bombard users with spam relating to pornography, Viagra, and fake pharmaceutical companies,” GFI said in a statement.

Swiss security blog abuse.ch said the new version of Kelihos is harder to attack due to its use of fast flux techniques. Fast flux is a DNS technique used by botnets to hide phishing and malware sites behind a constantly changing network of compromised hosts that act as proxies.

The old version of Kelihos used the cz.cc domain, but the new version uses the top-level domain .eu, according to abuse.ch.

“What pops up quickly is the fact that the domain names used by Kelihos are hosted on a FastFlux botnet,” abuse.ch researchers said in an analysis. “The delegated nameservers for the mentioned domain name are hosted on a FastFlux botnet as well. This is what we call double-flux.”

The botnet appears to be mainly located in eastern Europe, according to abuse.ch.

“Due to the fact that these domain names are using double-flux, it is extremely hard to shut them down (there is no webserver or DNS server to take down),” abuse.ch’s researchers wrote.
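The single-flux and double-flux patterns described above leave a recognisable footprint in passive DNS data: one name resolving to many different hosts on a very short TTL, and, for double-flux, the zone's delegated nameservers doing the same. The following Python is an added example, not code from the article, GFI or abuse.ch; the observations, the `example-flux.eu` and `example.org` names, and the thresholds (`MAX_FLUX_TTL`, `MIN_DISTINCT_IPS`) are constructed assumptions for illustration, and the parent-zone derivation is a naive label strip.

```python
"""Heuristic fast-flux / double-flux detector over passive-DNS observations.

Added example, not from the article or from abuse.ch. Every record below is
constructed (RFC 5737 documentation addresses) and the thresholds are assumptions.
"""
from collections import defaultdict

# Constructed resolver observations: (name, record type, rdata, TTL seconds).
SAMPLE_OBSERVATIONS = [
    # A records for the suspect name: short TTL, many different hosts (single-flux)
    ("shop.example-flux.eu", "A", "198.51.100.10", 120),
    ("shop.example-flux.eu", "A", "198.51.100.77", 120),
    ("shop.example-flux.eu", "A", "203.0.113.5", 120),
    ("shop.example-flux.eu", "A", "203.0.113.201", 120),
    ("shop.example-flux.eu", "A", "192.0.2.44", 120),
    ("shop.example-flux.eu", "A", "192.0.2.130", 120),
    # The zone's delegated nameservers, whose own A records also churn (double-flux)
    ("example-flux.eu", "NS", "ns1.example-flux.eu", 300),
    ("example-flux.eu", "NS", "ns2.example-flux.eu", 300),
    ("ns1.example-flux.eu", "A", "198.51.100.12", 60),
    ("ns1.example-flux.eu", "A", "203.0.113.9", 60),
    ("ns1.example-flux.eu", "A", "192.0.2.8", 60),
    ("ns1.example-flux.eu", "A", "198.51.100.200", 60),
    ("ns1.example-flux.eu", "A", "203.0.113.77", 60),
    ("ns2.example-flux.eu", "A", "192.0.2.99", 60),
    ("ns2.example-flux.eu", "A", "198.51.100.3", 60),
    ("ns2.example-flux.eu", "A", "203.0.113.150", 60),
    ("ns2.example-flux.eu", "A", "192.0.2.250", 60),
    ("ns2.example-flux.eu", "A", "198.51.100.88", 60),
    # A stable name for contrast: one address, long TTL, stable nameserver
    ("www.example.org", "A", "203.0.113.1", 86400),
    ("www.example.org", "A", "203.0.113.1", 86400),
    ("example.org", "NS", "ns.example.org", 86400),
    ("ns.example.org", "A", "203.0.113.2", 86400),
]

MAX_FLUX_TTL = 300      # assumed: flux networks keep TTLs short so they can rotate hosts
MIN_DISTINCT_IPS = 5    # assumed: distinct addresses seen for one name in the window


def index(observations):
    """Group the distinct rdata values and the minimum TTL seen per (name, type)."""
    rdata = defaultdict(set)
    min_ttl = {}
    for name, rtype, value, ttl in observations:
        key = (name.lower(), rtype.upper())
        rdata[key].add(value)
        min_ttl[key] = min(ttl, min_ttl.get(key, ttl))
    return rdata, min_ttl


def is_fast_flux(name, observations):
    """True when a name maps to many distinct hosts on a short TTL (single-flux)."""
    rdata, min_ttl = index(observations)
    key = (name.lower(), "A")
    ips = rdata.get(key, set())
    # CDNs also rotate addresses; in production this is usually combined with
    # ASN / netblock diversity of the addresses, which the sample omits.
    return len(ips) >= MIN_DISTINCT_IPS and min_ttl.get(key, 0) <= MAX_FLUX_TTL


def is_double_flux(zone, observations):
    """True when the zone's delegated nameservers are themselves fluxing."""
    rdata, _ = index(observations)
    nameservers = rdata.get((zone.lower(), "NS"), set())
    if not nameservers:
        return False
    return all(is_fast_flux(ns, observations) for ns in nameservers)


def parent_zone(name):
    """Naive parent-zone derivation: drop the leftmost label (assumption, no PSL)."""
    return name.split(".", 1)[1] if "." in name else name


def classify(name, observations):
    """Label a name as double-flux, single-flux or stable from the observations."""
    if is_double_flux(parent_zone(name), observations):
        return "double-flux"
    if is_fast_flux(name, observations):
        return "single-flux"
    return "stable"


if __name__ == "__main__":
    for name in ("shop.example-flux.eu", "www.example.org"):
        print(f"{name}: {classify(name, SAMPLE_OBSERVATIONS)}")
```

The design mirrors the takedown problem the researchers describe: a single-flux name can still be cut off at its nameservers, whereas a double-flux zone offers neither a fixed web server nor a fixed DNS server to act against, so the classification separates the two cases rather than reporting one "flux" flag.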

DNS takedown

Last September Microsoft attacked Kelihos by obtaining a court order that obliged Verisign to shut down 21 internet domains associated with the botnet. The use of fast-flux techniques means such a takedown would no longer work with the new version.

GFI also found that attacks making use of fake anti-virus applications were on the rise, following a dip at the end of last year.

“While the velocity at which rogues were successfully propagating may have slowed toward the end of last year, they are certainly back now, and they remain a popular tactic among cybercriminals,” said GFI senior threat researcher Christopher Boyd, in a statement.

Other significant incidents reported in GFI’s study included a compromise of the personal website of writer Stephenie Meyer, which resulted in malware being served to visitors, and the use of YouTube videos to target gamers with malicious downloads.
