Kelihos – the botnet whose operation was disrupted last September by Microsoft and Kaspersky Lab by shutting down its C&C servers and making its bots contact a sinkhole instead – is back and working.
There’s not much the involved security specialists can do about it. Sinkholing it was a temporary measure, and they knew that sooner or later its botherders would be able to regain control of the bots.
The botnet is not back to its full strength of some 45,000 computers, but it is getting there, say the researchers.
New variants of the malware have been detected mere hours after the botnet takedown was publicly confirmed, and these variants are using updated encryption mechanisms and keys in order to hide the bots’ communication with the C&C servers.
“We could have issued an update to those machines to clean them up, but in several countries that would be illegal,” commented Ram Herkanaidu, a security researcher with Kaspersky Lab, for TechWorld.
“It is impossible to neutralize a botnet by taking control over the controller machines or substituting the controller list without any additional actions. The botnet master might know the list of active router IPs, can connect to them directly and push the bot update again along with the new controllers list,” points out Kaspersky Lab Expert Maria Garnaeva.
News of the botnet’s resurrection comes after last week’s revelation of a suspected Kelihos malware author/ botnet operator, who has denied the charges laid against him.