
Kelihos Botnet Back From The Grave

The Kelihos botnet, supposedly eradicated by Microsoft last autumn, is back from the dead and continuing to grow, according to security researchers.

In its Vipre report for February 2012, issued on Friday, GFI Software said the botnet has “continued to gain momentum in the wild”.

Spam botnet

“Capable of sending out billions of spam emails in a day, Kelihos has been used to bombard users with spam relating to pornography, Viagra, and fake pharmaceutical companies,” GFI said in a statement.

Swiss security blog abuse.ch said the new version of Kelihos is harder to attack due to its use of fast flux techniques. Fast flux is a DNS technique used by botnets to hide phishing and malware sites behind a constantly changing network of compromised hosts that act as proxies.

The old version of Kelihos used the cz.cc domain, but the new version uses the top-level domain .eu, according to abuse.ch.

“What pops up quickly is the fact that the domain names used by Kelihos are hosted on a FastFlux botnet,” abuse.ch researchers said in an analysis. “The delegated nameservers for the mentioned domain name are hosted on a FastFlux botnet as well. This is what we call double-flux.”

The botnet appears to be mainly located in eastern Europe, according to abuse.ch.

“Due to the fact that these domain names are using double-flux, it is extremely hard to shut them down (there is no webserver or DNS server to take down),” abuse.ch’s researchers wrote.
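The detection side of the behaviour abuse.ch describes: a single-flux domain shows many distinct, short-lived A records spread across unrelated networks, and a double-flux domain additionally has delegated nameservers whose own A records churn the same way. The following Python sketch is an added illustration, not code from the article or from abuse.ch; the observation format, the thresholds (`min_ips`, `min_subnets`, `max_ttl`) and all domain names and addresses in it are constructed for the example.

```python
"""Heuristic fast-flux / double-flux classifier over recorded DNS observations.

Added example (not from the original article or abuse.ch). The record layout,
thresholds, domain names and IP addresses below are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    """One passive-DNS style record: a name resolved to some answers at a point in time."""
    ts: int          # observation time (seconds)
    name: str        # queried name
    rtype: str       # "A" or "NS"
    answers: tuple   # IPv4 strings for A records, nameserver hostnames for NS records
    ttl: int         # TTL returned with the answer


def flux_profile(observations, name):
    """Summarise how the A records of one name behave across all observations."""
    ips, subnets, ttls, snapshots = set(), set(), [], 0
    for obs in observations:
        if obs.name == name and obs.rtype == "A":
            snapshots += 1
            ttls.append(obs.ttl)
            for ip in obs.answers:
                ips.add(ip)
                # Group by /24 so that many hosts in one hosting range count as one network.
                subnets.add(str(ip_network(f"{ip}/24", strict=False)))
    return {
        "snapshots": snapshots,
        "distinct_ips": len(ips),
        "distinct_subnets": len(subnets),
        "min_ttl": min(ttls) if ttls else None,
    }


def is_fast_flux(profile, min_ips=8, min_subnets=4, max_ttl=300):
    """Heuristic: many distinct IPs, spread over unrelated networks, advertised with short TTLs."""
    return (
        profile["snapshots"] >= 2
        and profile["distinct_ips"] >= min_ips
        and profile["distinct_subnets"] >= min_subnets
        and profile["min_ttl"] is not None
        and profile["min_ttl"] <= max_ttl
    )


def nameservers_of(observations, name):
    """All nameserver hostnames ever seen delegated for a name."""
    return {ns for obs in observations if obs.name == name and obs.rtype == "NS" for ns in obs.answers}


def classify(observations, name, **thresholds):
    """Return 'double-flux', 'single-flux' or 'stable' for one domain."""
    if not is_fast_flux(flux_profile(observations, name), **thresholds):
        return "stable"
    # Double-flux: the delegated nameservers themselves resolve to rotating hosts,
    # so there is neither a fixed web server nor a fixed DNS server to take down.
    ns_names = nameservers_of(observations, name)
    if any(is_fast_flux(flux_profile(observations, ns), **thresholds) for ns in ns_names):
        return "double-flux"
    return "single-flux"


def constructed_observations():
    """Constructed sample: a double-flux domain, a single-flux domain and a stable one."""
    obs = []
    for k in range(6):                      # six snapshots, five minutes apart
        ts = k * 300
        # Double-flux domain: fresh hosts in unrelated /24s every snapshot, TTL 180.
        obs.append(DnsObservation(ts, "flux-example.test", "A",
                                  (f"10.{k}.1.10", f"10.{k}.2.20", f"10.{k + 6}.3.30"), 180))
        obs.append(DnsObservation(ts, "flux-example.test", "NS",
                                  ("ns1.flux-example.test", "ns2.flux-example.test"), 180))
        for n in (1, 2):                    # the nameservers rotate just as fast
            obs.append(DnsObservation(ts, f"ns{n}.flux-example.test", "A",
                                      (f"10.{100 + k}.{n}.1", f"10.{110 + k}.{n}.1"), 180))
        # Single-flux domain: rotating A records, but delegated to a stable nameserver.
        obs.append(DnsObservation(ts, "single-example.test", "A",
                                  (f"10.{50 + k}.1.5", f"10.{60 + k}.2.5"), 120))
        obs.append(DnsObservation(ts, "single-example.test", "NS", ("ns.stable-example.test",), 3600))
        # Stable domain: one address, long TTL, one fixed nameserver.
        obs.append(DnsObservation(ts, "stable-example.test", "A", ("192.0.2.10",), 3600))
        obs.append(DnsObservation(ts, "stable-example.test", "NS", ("ns.stable-example.test",), 3600))
        obs.append(DnsObservation(ts, "ns.stable-example.test", "A", ("192.0.2.53",), 3600))
    return obs


if __name__ == "__main__":
    data = constructed_observations()
    for domain in ("flux-example.test", "single-example.test", "stable-example.test"):
        print(f"{domain:22s} {classify(data, domain)}  {flux_profile(data, domain)}")
```

The thresholds are deliberately coarse: large CDNs and anycast services also answer with short TTLs and many addresses, so in practice a profile like this is one signal to combine with hosting-range reputation or the age and registrar of the domain, not a verdict on its own. The "double-flux" branch is the part that matters for the takedown argument in the text: when it fires, both the content hosts and the authoritative nameservers are moving targets.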

DNS takedown

Last September Microsoft attacked Kelihos by obtaining a court order that obliged Verisign to shut down 21 internet domains associated with the botnet. The use of fast-flux techniques means such a takedown would no longer work with the new version.

GFI also found that attacks making use of fake anti-virus applications were on the rise, following a dip at the end of last year.

“While the velocity at which rogues were successfully propagating may have slowed toward the end of last year, they are certainly back now, and they remain a popular tactic among cybercriminals,” said GFI senior threat researcher Christopher Boyd, in a statement.

Other significant incidents reported in GFI’s study included a compromise of the personal website of writer Stephanie Meyer, which resulted in malware being served to visitors, and the use of YouTube videos to target gamers with malicious downloads.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
