
Kelihos botnet returns from the dead stronger than ever, researchers warn

11 Feb 2013

Security researchers have discovered a new and more dangerous version of the infamous Kelihos botnet operating in the wild.

Microsoft had claimed to have taken down the botnet in 2011, but Kaspersky researchers reported detecting the new version of Kelihos in a blog post on Monday.

"Researchers are tracking a new version of the Kelihos botnet, one that comes complete with better resistance to sinkholing techniques and a feature that enables it to remain dormant on infected machines for long periods to help avoid detection," wrote Kaspersky's David Fisher.

The botnet now uses fast-flux techniques, which make it harder for security firms to identify its command and control servers.

Kaspersky said the Nap Trojan discovered by security firm FireEye last week is linked to the new Kelihos botnet.

"Researchers at FireEye and Deep End Research have been analysing new samples of the malware used in the Kelihos network and say that the botnet is back on the rise," wrote Fisher.

"Once the malicious code is on a machine, it calls out to a domain in Russia. The malware, known as Trojan Nap, then sets a specific parameter that will have the malware's operation timeout after 10 minutes."

The variant is the third version of Kelihos uncovered by researchers. Security teams at Microsoft and Kaspersky attempted to take the original version down in 2011 by sinkholing the domains that Kelihos was using.

The tactic was meant to remove the attackers' ability to communicate with infected machines. The second takedown attempt in March 2012 used the same tactic.

The new version of Kelihos reportedly has the same money-making function as its predecessors.

"The malware is designed to perform a variety of different functions, including stealing passwords saved in browsers, sending spam, stealing passwords from various FTP applications and stealing BitCoin data," wrote Fisher.

"The domains used in the operation are located in Russia, and they resolve to a variety of different IP addresses each time a bot connects."
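Fast-flux of the kind described above shows up in resolver logs as a domain whose answers keep changing. The following is an added example, not code from the article, Kaspersky or FireEye: a heuristic that parses constructed DNS log lines and flags domains whose answers spread over many IP addresses in several /24 networks with short TTLs. The log format, domain names, addresses and thresholds are all assumptions.

```python
# Added example: fast-flux heuristic over constructed DNS resolver log lines.
# Not code from the article, Kaspersky or FireEye; format and thresholds are assumed.
from collections import defaultdict
from statistics import median

# Constructed sample lines: "<epoch> <client> <qname> <ttl> <A record>".
# The reserved documentation ranges 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 stand in for real addresses.
SAMPLE_LOG = """\
1360540800 10.0.0.5 static-cdn.example 3600 203.0.113.10
1360540860 10.0.0.7 static-cdn.example 3600 203.0.113.10
1360540920 10.0.0.5 static-cdn.example 3600 203.0.113.11
1360541000 10.0.0.5 flux-sample.example 60 198.51.100.7
1360541060 10.0.0.9 flux-sample.example 60 192.0.2.44
this line is deliberately malformed and must be skipped
1360541120 10.0.0.5 flux-sample.example 30 203.0.113.201
1360541180 10.0.0.7 flux-sample.example 60 198.51.100.99
1360541240 10.0.0.9 flux-sample.example 45 192.0.2.130
"""

def parse_log(text):
    """Yield (qname, ttl, ip) tuples, skipping lines that do not fit the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, _client, qname, ttl, ip = parts
        try:
            yield qname, int(ttl), ip
        except ValueError:
            continue

def flux_scores(records):
    """Per domain: (distinct IPs, distinct /24 networks, median TTL)."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for qname, ttl, ip in records:
        ips[qname].add(ip)
        nets[qname].add(ip.rsplit(".", 1)[0])  # crude /24 key, IPv4 only
        ttls[qname].append(ttl)
    return {q: (len(ips[q]), len(nets[q]), median(ttls[q])) for q in ips}

def fast_flux_candidates(text, min_ips=4, min_nets=3, max_ttl=300):
    """Domains whose resolution churn looks like fast-flux (thresholds are assumptions)."""
    scores = flux_scores(parse_log(text))
    return sorted(q for q, (n_ip, n_net, ttl) in scores.items()
                  if n_ip >= min_ips and n_net >= min_nets and ttl <= max_ttl)

if __name__ == "__main__":
    print(fast_flux_candidates(SAMPLE_LOG))  # ['flux-sample.example']
```

A legitimate CDN can also rotate addresses, so in practice the candidate list is a triage queue to enrich with passive DNS, ASN data and known sinkhole ranges rather than a block list.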

At the time of publishing, Microsoft, Kaspersky and FireEye had not responded to V3's request for comment on the botnet, or on whether they would be mounting a similar takedown attempt.

Kelihos is one of many botnets Microsoft has tried to take down. Last week the company reported successfully taking down the Bamital botnet.

Following the Bamital takedown Microsoft told V3 it was already planning further takedown missions.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
