All the latest UK technology news, reviews and analysis


Kelihos botnet returns from the dead stronger than ever, researchers warn

11 Feb 2013
Security padlock image

Security researchers have discovered a new and more dangerous version of the infamous Kelihos botnet operating in the wild.

Microsoft had claimed to have taken down the botnet in 2011 but Kaspersky researchers reported detecting the new version of Kelihos in a blog post on Monday.

"Researchers are tracking a new version of the Kelihos botnet, one that comes complete with better resistance to sinkholing techniques and a feature that enables it to remain dormant on infected machines for long periods to help avoid detection," wrote Kaspersky's David Fisher.

The botnet now uses features known as fast-flux capabilities, which make it harder for security firms to identify the command and control servers.

Kaspersky said the Nap Trojan discovered by security firm FireEye last week is linked to the new Kelihos botnet.

"Researchers at FireEye and Deep End Research have been analysing new samples of the malware used in the Kelihos network and say that the botnet is back on the rise," wrote Fisher.

"Once the malicious code is on a machine, it calls out to a domain in Russia. The malware, known as Trojan Nap, then sets a specific parameter that will have the malware's operation timeout after 10 minutes."

The variant is the third version of Kelihos uncovered by researchers. Security vendors from Microsoft and Kaspersky attempted to take the original version down in 2011 by sinkholing the domains that Kelihos was using.

The tactic was meant to remove the attackers' ability to communicate with infected machines. The second takedown attempt in March 2012 used the same tactic.

The new version of Kelihos reportedly has the same money-making function as its predecessors.

"The malware is designed to perform a variety of different functions, including stealing passwords saved in browsers, sending spam, stealing passwords from various FTP applications and stealing BitCoin data," wrote Fisher.

"The domains used in the operation are located in Russia, and they resolve to a variety of different IP addresses each time a bot connects."

At the time of publishing Microsoft, Kaspersky and FireEye had not responded to V3's request for comment on the botnet, or whether they would be mounting a similar takedown attempt.

Kelihos is one of many botnets Microsoft has tried to take down. Last week the company reported successfully taking down the Bamital botnet.

Following the Bamital takedown Microsoft told V3 it was already planning further takedown missions.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Microsoft Azure outage

Is cloud computing reliable enough for business yet?
13%
5%
13%
69%

Popular Threads

Powered by Disqus
iPhone 6 is available in silver gold and space grey

iPhone 6 video review

The best iOS handset to date

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Treasury Support Analyst - Banking - City of London - £58K

Treasury Support Analyst - Banking - City of London...

Customer Service Development Lead

Customer Service Development Lead About Elsevier...

Network Support Engineer

Network Support Specialist required for our Hampshire...

Data Scientist (Relocate to Bangkok)

Data Scientist (Bangkok) - FULL RELOCATION AND VISA SPONSORSHIP...

To send to more than one email address, simply separate each address with a comma.