February 02, 2012, 2:27 PM — The Kelihos botnet – one of the highest-volume spam sources ever and the anti-cybercrime success Microsoft liked to crow about most often after a joint effort with Kaspersky Lab took the botnet down – is back.
Microsoft and Kaspersky decapitated the botnet by temporarily taking over the command-and-control channel, and pointed all the bots at non-existent C-n-C servers instead.
Microsoft was so excited about the success it sometimes failed to mention that Kaspersky did most of the work.
That left the bots with no instructions on how to fill the world with spam, though the "takedown" had a big weakness: the bot malware remained on the infected machines, leaving the mother of all backdoors open afterward.
It also didn't wipe out the network of proxy servers the botnet owners used to direct its activities without having responsibility tracked back to them.
Over time – very little time, actually – the botnet owners have spread a new version of the Kelihos malware and re-taken control over at least part of a network that once generated 3.8 billion spams per day.
Kaspersky researchers now say there are active command-and-control servers directing portions of the botnet, probably owned by two different groups of hackers, each using a different RSA key for authentication, according to The Register.
How long did it take to put the spam generation back in action?
Almost no time at all, according to Maria Garnaeva, a Kaspersky Lab expert.
Kaspersky and Microsoft announced Sept. 28 that they'd disrupted the Kelihos/Hlux botnet.
The new version of the malware that allowed the Kelihos masters to control the botnet appeared as early as Sept. 28 – the same day the two vendors announced they'd decapitated the network, according to Garnaeva.
Earlier this week Microsoft announced a programmer named Andrey Sabelnikov of St. Petersburg was behind the network.