Issues Related to Kelihos’ Return

Senior researchers from ESET has confirmed recent reports about the return of Kelihos, the botnet which Kaspersky and Microsoft jointly shutdown in 2011. InfoSecurity published this dated March 12, 2012.

And though it isn't just any usual comeback, according to the security firm, it believes the original Kelihos bot-controller has intelligently retrieved his hold over the missing bot-infected computers.

Notably, rather than maintaining one central C&C (command-and-control) server, the Kelihos is designed to be one P2P (peer-to-peer) botnet. However, the researchers, who regard the shutdown as successful, think it improbable that the bot-controller through any simple way retrieved hold over the botnet.

The method Microsoft applied to takedown Kelihos was "sinkholing" wherein drones were diverted when they tried to receive commands from a server Microsoft operated, whereas Kaspersky overwhelmingly unleashed traffic to the peers, placing the online sinkhole device's Web-address in the field of every peer entry.

Moreover, ESET indicates that just as difficult its researchers realized about the botnet's shutdown, so must they find it that easy detecting Kelihos-contaminated PCs. This' attributed mainly to the malware, which seemingly ignores many RFCs and as a result make it enormously simple for spotting contaminated PCs within government and corporate networks. An immediate instance is where the HTTP GET enquiry is utilized alongside the heading, 'Content-Length.'

ESET states that the crime-syndicate began with the utilization of the identical source-code just like it occurred during transition to Kelihos from Waledac. InfoSecurity published this. Further according to ESET, it has witnessed clues of the spread of the recovered Kelihos through the Pay-Per-Install scheme, similar to the way Rootkit TDSS utilized, as also the utilization of other botnets towards helping in its proliferation.

Traditionally, the main activity of Kelihos is disseminating spam, particularly pharmaceutical and stock-scam oriented spam, although the botnet as well intercepts network traffic to steal FTP and HTTP credentials for additional spam and for scrutinizing victims' machines to harvest e-mail ids to which spam could be sent. Moreover, as spammers do not usually differentiate between work ids and home-users, therefore Web-surfers both at work and home must remain vigilant of catchy spam headers like in e-greeting cards.

Related article: ICC Cup Event Could Be Fodder for Phishers

» SPAMfighter News - 3/20/2012