Kelihos botnet revives, waits for Microsoft Anti-Botnet Operation v. 3 to go back down

Microsoft needs to take a second shot at its greatest anti-cybercrime operation

By  

The Kelihos botnet – one of the highest-volume spam sources ever and the anti-cybercrime success Microsoft liked to crow about most often after a joint effort with Kaspersky Lab took the botnet down – is back.

Microsoft and Kaspersky decapitated the botnet by temporarily taking over the command-and-control channel and pointing all the bots at non-existent C&C servers instead.

Microsoft was so excited about the success it sometimes failed to mention that Kaspersky did most of the work.

That left them with no instructions on how to fill the world with spam, though the "takedown" had a big weakness: bot malware remained in the infected machines, leaving the mother of all backdoors open afterward.

It also didn't wipe out the network of proxy servers the botnet owners used to direct its activities without having responsibility tracked back to them.

Over time – very little time, actually – the botnet owners have spread a new version of the Kelihos malware and re-taken control over at least part of a network that once generated 3.8 billion spams per day.

Kaspersky researchers now say there are active command-and-control servers directing portions of the botnet, probably owned by two different groups of hackers, each using a different RSA key for authentication, according to The Register.

How long did it take to put the spam generation back in action?

Almost no time at all, according to Maria Garnaeva, a Kaspersky Lab expert.

Kaspersky and Microsoft announced Sept. 28 that they'd disrupted the Kelihos/Hlux botnet.

The new version of the malware that allowed the Kelihos masters to control the botnet appeared as early as Sept. 28 – the same day the two vendors announced they'd decapitated the network, according to Garnaeva.

Earlier this week Microsoft announced that a programmer named Andrey Sabelnikov of St. Petersburg was behind the network.

Sabelnikov denies any involvement.

Photo Credit: Reuters
