February 8, 2012

Botnet Similar to Kelihos is Active, but Kelihos itself Still Dead

Earlier today we (and many others on the web) reported that the 41,000 computers infected with the Kelihos botnet were still under control of the malware's creator despite Microsoft and Kaspersky's September attempt to "sinkhole" the botnet and render it ineffective. It turns out that the new botnet is actually a variant of Kelihos, possibly controlled by the same masters, but it is not identical to Kelihos — which still remains neutralized. The news comes from a blog post at Microsoft and a clarifying statement Kaspersky sent to Ars Technica.
Microsoft's Richard Domingues Boscovich explains:
This does not mean that the Kelihos botnet we took down is back in operation, but that a new version of Kelihos malware known as "Backdoor:Win32/Kelihos.B" is being used to create a new botnet. Microsoft has already made protection from this new malware variant available in the Malicious Software Removal Tool (MSRT). This kind of effort by botherders to try to rebuild a botnet from the ashes of the old is not new.
If you haven't updated your MSRT in a while, there's no time like the present. In the meantime, as Kaspersky's original blog post points out, these sorts of variants are bound to pop up again and again. Computer security experts will have to stay on top of issuing patches, as always, but catching the original distributors of the botnet should also be on the table.