Kelihos botnet revives, waits for Microsoft Anti-Botnet Operation v. 3 to go back down

Microsoft needs to take a second shot at its greatest anti-cybercrime operation

The Kelihos botnet – one of the highest-volume spam sources ever and the anti-cybercrime success Microsoft liked to crow about most often after a joint effort with Kaspersky Lab took the botnet down – is back.

Microsoft and Kaspersky decapitated the botnet by temporarily taking over the command-and-control channel, and pointed all the bots at non-existent C-n-C servers instead.

Microsoft was so excited about the success it sometimes failed to mention that Kaspersky did most of the work.

That left the bots with no instructions on how to fill the world with spam, though the "takedown" had a big weakness: the bot malware remained on the infected machines, leaving the mother of all backdoors open afterward.

It also didn't wipe out the network of proxy servers the botnet owners used to direct its activities without having responsibility tracked back to them.

Over time – very little time, actually – the botnet owners have spread a new version of the Kelihos malware and re-taken control over at least part of a network that once generated 3.8 billion spams per day.

Kaspersky researchers now say there are active command-and-control servers directing portions of the botnet, probably owned by two different groups of hackers, each using a different RSA key for authentication, according to The Register.

How long did it take to put the spam generation back in action?

Almost no time at all, according to Maria Garnaeva, a Kaspersky Lab expert.

Kaspersky and Microsoft announced Sept. 28 that they'd disrupted the Kelihos/Hlux botnet.

The new version of the malware that allowed the Kelihos masters to control the botnet appeared as early as Sept. 28 – the same day the two vendors announced they'd decapitated the network, according to Garnaeva.

Earlier this week Microsoft announced a programmer named Andrey Sabelnikov of St. Petersburg was behind the network.

Sabelnikov denies any involvement.

Garnaeva said it's not possible to permanently neutralize a botnet merely by cutting its link with the C-n-C servers. The botnet malware must also be updated or replaced with something the spammers can't re-acquire, or the infected machines must be permanently prevented from connecting to botnet servers, either by shutting down the servers or cleaning out the clients.

Microsoft, which bragged continually about its success, did neither.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
