Kaspersky says: Kelihos Botnet Related Activity Declines Despite taken in March 2012

Kaspersky Lab recently published a research journal highlighting the disabling of the second version of the kelihos (a.k.a., Hlux) botnet. Kaspersky teamed up with CrowdStrike, the Honeynet Project and Dell SecureWorks back in March 2012, and since then, the combined efforts of the team coupled with subsequent eradication efforts have been successful in reducing the related botnet activity.

According to a blog on 12th November, 2013 by Stephan Ortloff, Security Researcher of Kaspersky Lab, on securelist.com, Kaspersky has been successful in achieving what it expected. According to him, the botnet is getting smaller and smaller. The victims have been disinfecting or reinstalling their PCs time and again. According to the lab, presently there were around 1,000 unique bots in a month on an average, which are much less in number from around 116,000 bots an year ago.

It has been observed that about 86% of botnet today is composed of malware-infected systems running Windows XP, Windows 7 comprises 7%, and Windows Server 2008 R2 comprises of 4%. Further, it has been observed that about 44% of infected clients are located in Poland.

Softpedia.com published a report on 13th November 2013 stating that the report of Kaspersky Lab aroused a sharp retort from Hendrik "Rick" Adrian of Whitehat security research firm named MalwareMustDie. According to the firm, Kaspersky have provided misleading figures.

According to experts, the number of infections is much higher than 1,000. The experts claim that around 52000 of the infections are in Ukraine,18000 in Russia,9800 in Japan, 6000 in India and around 4600 in Taiwan.

MalwareMustDie published a report on Seclists.org on 13th November, 2013, according to which the growth is still happening. Suspending and sinkholing of new domains used for spreading payload (which it is encrypted in their job servers to CnC layer to be sent to peer for infection upgrade) is still taking place on time-to-time basis with total exceeding 800+ domains from 6th August to yesterday (12th November, 2013)."

It is not clear that who is behind these Kelihos infections but a huge portion of infrastructure of the attack traces to Russia. In the first week of November 2013, MalwareMustDie posted a Pastbin explaining the relationship between the domains which are used to serve Kelihos payloads and the RedKit exploit kit. According to MalwareMustDie, most of Redkit infections includes a JavaScript injection script which points the infected PC to a site based in Russia. Further, it has been noted that the site uses the same infrastructure as the Kelihos botnet.

» SPAMfighter News - 11/23/2013