
Stricken Kelihos botnet rises from the dead

by Gareth Morgan

09 Mar 2012


The Kelihos botnet that Microsoft claimed to have taken down last year has re-emerged with a bag of new tricks aimed at rebuilding the network by infecting more computers, according to security researchers.

They have warned that the resurgent Kelihos botnet is being used to steal credentials, install malware and distribute millions of German stock-related spam messages.

According to Swiss researchers at the Abuse.ch blog, the new version of Kelihos is using a .eu domain in combination with so-called fast flux techniques.

Fast flux is a DNS technique used by botnet operators to hide malware-hosting websites behind a constantly changing set of compromised machines, which act as proxies: the malicious domain resolves to a rapidly rotating list of IP addresses with short TTLs, so blocking or taking down any single host does little to disrupt the service.
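The following heuristic detector, added here as an illustration and not taken from the article, Abuse.ch or GFI, shows what the behaviour described above looks like in resolver data. It scores a domain's A-record history on three signals: how many distinct IP addresses it has resolved to, how many different networks those addresses fall in (a /16 prefix is used as a stand-in for an ASN lookup, which is an assumption), and how often the returned set changes between consecutive responses. The DNS observations are constructed inline; none of the addresses are real Kelihos infrastructure, and the thresholds in `is_fast_flux` are assumed starting points rather than values from the page.

```python
"""Heuristic fast-flux scoring over a domain's DNS resolution history.

Added example. Observations are constructed; thresholds are assumptions.
"""
from collections.abc import Sequence
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer for a domain, as a resolver log or passive DNS feed records it."""
    domain: str
    ts: int                 # observation time, seconds since epoch
    ttl: int                # TTL returned with the A records
    ips: tuple[str, ...]    # A records returned in this response


def prefix16(ip: str) -> str:
    """Coarse stand-in for 'which network': the /16 covering ip (a real tool would use ASN)."""
    return str(ip_network(f"{ip}/16", strict=False))


def fast_flux_features(observations: Sequence[DnsObservation]) -> dict:
    """Summarise address diversity, network diversity, TTL and churn for one domain."""
    obs = sorted(observations, key=lambda o: o.ts)
    if not obs:
        raise ValueError("need at least one observation")
    all_ips = {ip for o in obs for ip in o.ips}
    prefixes = {prefix16(ip) for ip in all_ips}
    mean_ttl = sum(o.ttl for o in obs) / len(obs)
    # Churn: fraction of consecutive responses whose IP set differs from the previous one.
    changes = sum(1 for a, b in zip(obs, obs[1:]) if set(a.ips) != set(b.ips))
    churn = changes / (len(obs) - 1) if len(obs) > 1 else 0.0
    return {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "mean_ttl": mean_ttl,
        "churn": churn,
    }


def is_fast_flux(observations: Sequence[DnsObservation], *, min_ips: int = 10,
                 min_prefixes: int = 5, max_ttl: int = 300, min_churn: float = 0.5) -> bool:
    """Flag a domain only when low TTL, high churn AND wide address/network spread coincide.

    A CDN also serves short TTLs and rotating answers, but from a small pool in few
    networks, so TTL or churn alone is not enough to call something fast flux.
    """
    f = fast_flux_features(observations)
    return (f["distinct_ips"] >= min_ips and f["distinct_prefixes"] >= min_prefixes
            and f["mean_ttl"] <= max_ttl and f["churn"] >= min_churn)


# --- constructed sample histories (private 10/8 space, not real hosts) ---

def flux_sample() -> list[DnsObservation]:
    """Every 5 minutes a fresh set of 5 addresses, each in a different /16 (proxy hosts rotating)."""
    return [
        DnsObservation("flux.example.eu", ts=300 * i, ttl=60,
                       ips=tuple(f"10.{20 * i + 3 * j}.{j}.{i + 1}" for j in range(5)))
        for i in range(8)
    ]


def cdn_like_sample() -> list[DnsObservation]:
    """Short TTL and alternating answers, but a small pool inside one network: not flux."""
    pools = (("10.200.1.10", "10.200.1.11"), ("10.200.1.12", "10.200.1.13"))
    return [DnsObservation("static.example.com", ts=300 * i, ttl=60, ips=pools[i % 2])
            for i in range(8)]


def stable_sample() -> list[DnsObservation]:
    """Long TTL, same two addresses every time."""
    return [DnsObservation("www.example.org", ts=3600 * i, ttl=3600,
                           ips=("10.99.0.5", "10.99.0.6")) for i in range(8)]


if __name__ == "__main__":
    for name, sample in (("flux", flux_sample()), ("cdn-like", cdn_like_sample()),
                         ("stable", stable_sample())):
        print(name, fast_flux_features(sample), "-> fast flux" if is_fast_flux(sample) else "-> ok")
```

In practice the churn and prefix signals matter more than TTL, because legitimate CDNs and load balancers also hand out 60-second TTLs; the constructed CDN-like history above is deliberately included so the check does not fire on TTL alone.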

Previously Kelihos had used domains associated with the Czech Republic.

Security firm GFI has also warned that a new variant of Kelihos is on the loose, with those behind it seemingly intent on rebuilding the botnet.

“Despite the best efforts of Microsoft and a number of security specialists, the Kelihos Botnet has continued to gain momentum in the wild,” GFI warned.

Microsoft said it had shut down the Kelihos botnet last September.

At the time, it said: “When Microsoft takes a botnet down, we intend to keep it down.”

One of the people that Microsoft had accused of running Kelihos has strenuously denied involvement.

He recently told Gazeta.ru that despite having worked for an anti-virus firm, he did not have the technical expertise to develop a botnet.

“I specialise in interior design, architecture software systems,” he said according to a Google translation of the interview.

Security firm Kaspersky Labs, which worked with Microsoft on the initial Kelihos takedown, reported seeing new variants of the botnet as early as January 2012.

V3 contacted Microsoft and Kaspersky for comment on the revelations but had received no reply at the time of publication.
