by Alastair Stevenson
11 Feb 2013
Security researchers have discovered a new and more dangerous version of the infamous Kelihos botnet operating in the wild.
Microsoft had claimed to have taken down the botnet in 2011 but Kaspersky researchers reported detecting the new version of Kelihos in a blog post on Monday.
"Researchers are tracking a new version of the Kelihos botnet, one that comes complete with better resistance to sinkholing techniques and a feature that enables it to remain dormant on infected machines for long periods to help avoid detection," wrote Kaspersky's David Fisher.
The botnet now uses fast-flux techniques, which make it harder for security firms to identify its command and control servers.
Kaspersky said the Nap Trojan discovered by security firm FireEye last week is linked to the new Kelihos botnet.
"Researchers at FireEye and Deep End Research have been analysing new samples of the malware used in the Kelihos network and say that the botnet is back on the rise," wrote Fisher.
"Once the malicious code is on a machine, it calls out to a domain in Russia. The malware, known as Trojan Nap, then sets a specific parameter that will have the malware's operation timeout after 10 minutes."
The variant is the third version of Kelihos uncovered by researchers. Microsoft and Kaspersky attempted to take the original version down in 2011 by sinkholing the domains that Kelihos was using.
The tactic was meant to remove the attackers' ability to communicate with infected machines. The second takedown attempt in March 2012 used the same tactic.
The new version of Kelihos reportedly has the same money-making function as its predecessors.
"The malware is designed to perform a variety of different functions, including stealing passwords saved in browsers, sending spam, stealing passwords from various FTP applications and stealing BitCoin data," wrote Fisher.
"The domains used in the operation are located in Russia, and they resolve to a variety of different IP addresses each time a bot connects."
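Fast-flux, as described above, shows up in DNS telemetry as a domain whose answers keep changing across short-lived lookups. The following is an added example (not code from the article or the researchers it quotes) that scores constructed passive-DNS log lines with a simple churn heuristic; the log format, the `.invalid` domains, the RFC 5737 sample addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed passive-DNS log lines: "<time> <domain> A <ip> ttl=<seconds>".
# IPs come from RFC 5737 documentation ranges; domains use the reserved .invalid TLD.
SAMPLE_LOG = """\
2013-02-11T09:00:00 flux-c2.invalid A 192.0.2.10 ttl=60
2013-02-11T09:01:00 flux-c2.invalid A 198.51.100.23 ttl=60
2013-02-11T09:02:00 flux-c2.invalid A 203.0.113.77 ttl=30
2013-02-11T09:03:00 flux-c2.invalid A 192.0.2.200 ttl=60
2013-02-11T09:04:00 flux-c2.invalid A 198.51.100.9 ttl=45
2013-02-11T09:00:00 static-site.invalid A 192.0.2.50 ttl=86400
2013-02-11T09:00:00 cdn-like.invalid A 198.51.100.1 ttl=300
2013-02-11T09:01:00 cdn-like.invalid A 198.51.100.2 ttl=300
"""
LINE_RE = re.compile(r"^(\S+) (\S+) A (\d+\.\d+\.\d+\.\d+) ttl=(\d+)$")

def parse_log(text):
    """Yield (domain, ip, ttl) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def domain_stats(text):
    """Aggregate per-domain indicators used by the fast-flux heuristic."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in parse_log(text):
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    stats = {}
    for domain in ips:
        # Distinct /16 prefixes approximate how many unrelated networks host the name.
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips[domain]}
        stats[domain] = {"distinct_ips": len(ips[domain]),
                         "distinct_prefixes": len(prefixes),
                         "mean_ttl": mean(ttls[domain])}
    return stats

def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=300):
    """Heuristic: many addresses spread across networks, advertised with short TTLs."""
    return (s["distinct_ips"] >= min_ips and s["distinct_prefixes"] >= min_prefixes
            and s["mean_ttl"] <= max_ttl)

def flag_fast_flux(text, **thresholds):
    """Return the sorted domains whose resolution pattern looks like fast-flux."""
    return sorted(d for d, s in domain_stats(text).items() if is_fast_flux(s, **thresholds))
```

A legitimate CDN also rotates addresses, which is why the heuristic combines IP count with network spread and TTL rather than relying on any one signal.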
At the time of publishing, Microsoft, Kaspersky and FireEye had not responded to V3's request for comment on the botnet, or on whether they would be mounting a similar takedown attempt.
Kelihos is one of many botnets Microsoft has tried to take down. Last week the company reported successfully taking down the Bamital botnet.
Following the Bamital takedown Microsoft told V3 it was already planning further takedown missions.