Khelihos P2P botnet rises from dead a third time

Interpol nabs 6 Anonymous members, researchers kill botnet. Botnet refuses to stay killed.


The arrests in February, which Interpol credited to good police work, international cooperation and intelligence-sharing, came primarily through "the use of spies and informants within the movement," according to complaints at the time from Spanish-speaking members of the Latin-American Anonymous forum Iberoamerica.

Khelihos Botnet killed again. Rises from dead, again.

An alliance of security experts from the Honeynet Project, Kaspersky, SecureWorks and startup CrowdStrike took down a network of more than 110,000 Windows PCs infected with the Khelihos worm, according to Krebs on Security.

Kelihos is designed to steal Bitcoin currency and to use zombie PCs to mass-mail spam advertising Internet pharmacies, so shutting it down should have an immediate effect on the volume of spam and phishing email circulating.

Originally named Storm, then Waledac, then Storm2, the Khelihos.B virus has been present and growing steadily since at least 2007, according to Krebs.

Unlike most botnets, which rely on a single set of command-and-control(CnC) servers for their marching orders, Khelihos builds a peer-to-peer (P2P) network among members of the botnet, which allows almost any subset of zombies to become CnC controllers if one set is shut down.

That makes the network as a whole much more difficult to identify, measure and shut down because any subset of its members can take over as relays for orders if others are eliminated.

It's a completely different network design than traditional viruses, one created specifically to keep the botnet safe from attempts from either law enforcement or rival botnets to shut them down or take them over.

Photo Credit: 


Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question