Kelihos Resurges While Its Bot-masters Remain at Large
Researchers from the security company Kaspersky Lab explain that the technique with which they stopped the Kelihos/Hlux botnet from operating is called 'sinkholing'. It has certain advantages, but the researchers also realized that as long as the bot-masters remain at large, they can rebuild similar networks of bots, Softpedia reported on January 31, 2012.
According to the researchers, new variants of Kelihos have been found, and they closely resemble the earlier build. The differences lie in the communication protocol, the encryption method and the way the spam messages are packaged.
Accordingly, the most recent version of Kelihos has a changed sequence of encryption operations: when a spam message is encrypted, the operations run in the opposite order. It is well known that compressing text strings is far more effective than compressing raw binary data, and the first hierarchy consists of strings such as spam templates, e-mail addresses and so on. So there is no sense in applying zlib compression after the hierarchy has been encoded, as the recent Kelihos/Hlux variant does: the packaged message grows in size with no additional benefit. Apparently somebody got hold of the Kelihos source code and simply wanted to give future bots a new appearance by rearranging the encryption stages, SecureList published on January 31, 2012.
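As an added illustration of the point above (not code from the article or from any Kelihos sample), the following Python compares the two orderings on a constructed, string-heavy message: compressing with zlib before encryption shrinks it, while compressing after encryption cannot, because the ciphertext has no redundancy left. The stream cipher is an assumed stand-in built from a SHA-256 keystream, not the cipher Kelihos uses; the sample text and key are constructed for the demo.

```python
import hashlib
import zlib

# Constructed sample "hierarchy": repetitive spam templates and e-mail
# addresses, the kind of text strings zlib compresses well (not real data).
SAMPLE_TREE = (
    "template: Dear {name}, your account needs verification.\n"
    "email: user1@example.test\nemail: user2@example.test\n"
) * 40

KEY = b"illustrative-key"  # assumed demo key, not a Kelihos key


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher: XOR with a SHA-256 counter keystream.

    Not the Kelihos cipher; any sound cipher gives the same effect, since
    ciphertext looks random and leaves zlib no redundancy to remove.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def compress_then_encrypt(tree: bytes, key: bytes) -> bytes:
    """Sensible order (older build): shrink the text, then encrypt."""
    return keystream_xor(zlib.compress(tree), key)


def encrypt_then_compress(tree: bytes, key: bytes) -> bytes:
    """Reversed order (new variant): encrypt, then try to compress."""
    return zlib.compress(keystream_xor(tree, key))


def compare_orders(tree: str = SAMPLE_TREE, key: bytes = KEY) -> dict:
    """Return the packaged size in bytes for each ordering."""
    raw = tree.encode()
    return {
        "raw": len(raw),
        "compress_then_encrypt": len(compress_then_encrypt(raw, key)),
        "encrypt_then_compress": len(encrypt_then_compress(raw, key)),
    }


if __name__ == "__main__":
    for order, size in compare_orders().items():
        print(f"{order:>22}: {size} bytes")
```

Run stand-alone, it prints the raw size next to both packaged sizes; the compress-then-encrypt package is a small fraction of the raw size, while the encrypt-then-compress package is slightly larger than the raw data.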
Furthermore, the newer variants reportedly have changed encryption keys, which is to be expected. The RSA keys used to sign the parts of the hierarchy containing the controllers' IP addresses and update websites also changed, as did the matching public RSA keys embedded in the infected bots.
Significantly, each hierarchy uses 2 separate RSA keys, which suggests that 2 separate groups may each own one key and currently control the botnet.
Finally, the packaging format also differs: in the current version, each package carries a checksum of its data in the header.
Nonetheless, according to the Kaspersky researchers, a botnet cannot be fully deactivated by compromising its command-and-control servers; the best way to deactivate it is to identify the people operating the network, Softpedia reported.
Related article: Asia the new breeding ground for spam
» SPAMfighter News - 06-02-2012