Revamp of Kelihos Botnet
The Kelihos botnet was taken over and shut down in September 2011 by a joint effort led by Microsoft and Kaspersky Lab. Malware distribution through the botnet was halted by taking down the C&C server and redirecting the bots to a sinkhole. However, a report published by HELP NET SECURITY on February 03, 2012 describes the botnet's revival.
New variants of the malware were detected almost immediately after the botnet reappeared. The samples have been publicly confirmed, and this time the spammers are using an updated encryption mechanism and new keys to conceal the bots' communication with the C&C server.
In the case of the Kelihos peer-to-peer botnet, Kaspersky researchers are trying to identify the new peer addresses that the already-infected PCs are polling for instructions.
The core problem is that the PCs infected with Kelihos still carried its code: the botnet's controllers simply took advantage of the botnet's layered infrastructure, using the proxy servers together with the botnet's communication nodes, to regain the control they had lost.
According to Security Researcher and Education Manager Ram Herkanaidu, it was unfortunately illegal for the security experts to push an update to the infected machines in order to clean them up, as published by TechEYE.net on February 3, 2012.
"It is impossible to counteract a botnet by overpowering the controller machine or replacing the list of the controller without any further actions. It is not unnatural that the botnet operator might be acquainted with the list of active path IPs and can hook up with them unswervingly and force the updated bot to take up with the new controller's list," as explained by Kaspersky researcher Maria Garnaeva, according to the news published by HELP NET SECURITY on February 03, 2012.
However, there are also other new Kelihos variants that use stronger encryption to conceal the communication with the botnet controllers, as explained by Herkanaidu. According to Garnaeva, two different RSA keys were used for the encryption, indicating that two separate groups are operating Kelihos, as reported by Techworld on February 03, 2012.
The return of spam from the botnet shows that sinkholing alone is not enough to destroy a botnet. Security experts were aware of this shortcoming from the beginning. Garnaeva suggested that only patching the infected machines or taking the botnet controllers out of circulation would be truly effective, as published by The Register on February 03, 2012.
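The mechanism Garnaeva describes, as an added simulation that is not part of the original article or of any Kelihos analysis: each bot keeps a peer list it learns by unsigned gossip, but accepts a replacement list pushed as a command only when it carries a valid signature from the operator's key. A sinkhole that floods the gossip channel captures the bots, yet it cannot pin that list in place, while the operator, who still holds the private key, can sign a fresh list and take the bots back. A list signed with a different key is rejected, which is the behaviour one would expect when two groups run bots keyed to two different RSA keys. Everything below (the peer-list format, the addresses, the textbook RSA with tiny primes, the names `Bot`, `simulate`) is an assumption for illustration and does not describe Kelihos' real protocol; the RSA here is deliberately toy-sized and must not be reused as a signature scheme.

```python
"""Toy model of why sinkholing a P2P botnet is not enough on its own.

Assumptions (constructed for this simulation, not Kelihos' protocol):
- a bot fetches jobs from the first address in its peer list,
- unsigned gossip can overwrite the peer list (this is what a sinkhole abuses),
- a pushed peer list is accepted only if signed with the operator's RSA key.
"""
import hashlib


def make_keypair(p=61, q=53, e=17):
    """Textbook RSA with tiny primes: illustration only, NOT secure."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def _digest(message, n):
    """SHA-256 of the message reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message):
    n, d = priv
    return pow(_digest(message, n), d, n)


def verify(pub, message, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(message, n)


def encode_peers(peers):
    """Wire form of a peer list (constructed format: comma-separated)."""
    return ",".join(peers).encode()


class Bot:
    def __init__(self, name, peers, operator_pub):
        self.name = name
        self.peers = list(peers)
        self.operator_pub = operator_pub   # key baked into the sample

    def controller(self):
        return self.peers[0]               # where the bot asks for jobs

    def gossip_update(self, peers):
        """Unsigned peer exchange: anyone on the network can feed this."""
        self.peers = list(peers)

    def signed_update(self, peers, sig):
        """Pushed peer list: accepted only with the operator's signature."""
        if not verify(self.operator_pub, encode_peers(peers), sig):
            return False
        self.peers = list(peers)
        return True


# Constructed sample addresses (documentation ranges, not real hosts).
ORIGINAL_PEERS = ["10.0.0.1", "10.0.0.2"]
SINKHOLE = "192.0.2.1"
OPERATOR_NEW_PEERS = ["10.0.0.9", "10.0.0.10"]


def simulate():
    """Run the three stages and return what each bot talks to at each point."""
    op_pub, op_priv = make_keypair()                    # the real operator
    other_pub, other_priv = make_keypair(p=67, q=71)    # a second, unrelated key
    bots = [Bot(f"bot{i}", ORIGINAL_PEERS, op_pub) for i in range(3)]

    # Stage 1: the sinkhole poisons the gossip; every bot now polls the sinkhole.
    for b in bots:
        b.gossip_update([SINKHOLE])
    after_sinkhole = [b.controller() for b in bots]

    # Stage 2: whoever lacks the operator's private key (the sinkholer, or a
    # second group with its own key) cannot push a signed list; bots reject it.
    forged_sig = sign(other_priv, encode_peers([SINKHOLE]))
    forged_accepted = [b.signed_update([SINKHOLE], forged_sig) for b in bots]

    # Stage 3: the operator still holds the private key and signs a fresh list;
    # the still-infected bots accept it and leave the sinkhole.
    genuine_sig = sign(op_priv, encode_peers(OPERATOR_NEW_PEERS))
    genuine_accepted = [b.signed_update(OPERATOR_NEW_PEERS, genuine_sig) for b in bots]
    after_operator = [b.controller() for b in bots]

    return {
        "after_sinkhole": after_sinkhole,
        "forged_accepted": forged_accepted,
        "genuine_accepted": genuine_accepted,
        "after_operator": after_operator,
    }


if __name__ == "__main__":
    for stage, value in simulate().items():
        print(f"{stage}: {value}")
```

The only thing the sinkhole changes is the bots' current peer list; the infection, and the trust anchor compiled into it, stay on the machine, so the model ends with all bots back under the operator's control. Cleaning the infected hosts or removing the operator's ability to reach them (the two remedies Garnaeva names) are the only stages in this model that the operator cannot undo with a signature.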
» SPAMfighter News - 11-02-2012