The twice-shut-down Kelihos botnet remains active and continues spamming with a new variant, despite yesterday’s efforts by Kaspersky Lab and CrowdStrike that knocked offline and sinkholed the most recent version of the botnet.
According to a Seculert report, the indomitable botnet is using a Facebook worm to continue spreading itself and infecting new machines. Its command and control server is still capable of communicating with other members of the botnet.
Researchers at Seculert are reluctant to classify this as a ‘Kelihos.c’ (or three), claiming instead that this is the same botnet. Seculert says that the same criminals are still responsible for the network’s operation and, furthermore, have the capacity to regain control over sinkholed machines by using the Facebook worm mentioned above.
“…the sinkholed machines are also installed with the Facebook worm which downloaded the Kelihos.B botnet in the first place,” Seculert’s Aviv Raff told Threatpost via email. “This means they might get an instruction to re-install the Kelihos botnet again, but with the new configuration set (as with the new infected bots).”
The news that Kelihos is “live and social,” as Seculert put it, is not altogether surprising. In an email interview with Threatpost yesterday, Tillmann Werner of CrowdStrike and Marco Preuss of Kaspersky said they expected Kelihos would emerge again, albeit not so soon.
Preuss today acknowledged the appearance of the new Kelihos but, contrary to Seculert’s analysis, claims it is a different botnet.
“We confirm that a new Hlux/Kelihos sample exists but it has a different configuration,” Preuss explained via email, “which means it’s coming from a new Hlux botnet (Hlux C). The previous generation (Hlux B) is under control by the sinkhole server. It is not uncommon for new versions of botnets to appear that are operated by the same group.”
Kaspersky identifies the Kelihos botnet as Hlux.
Preuss went on to explain that the criminal group responsible has been operating various versions of this botnet since 2007 (Storm, Waledac, Hlux/Kelihos). It would be naive, he said, to think they wouldn’t create a new botnet.
“Our sinkholing operations for Hlux A and B have shown that our countermeasure efforts are successful,” Preuss went on, “even if it’s just a temporary way to slow the group down.”
It seems that the Kelihos.b vs. Kelihos.c discrepancy is merely a matter of semantics between the researchers. However, Kaspersky Lab claims that the criminals behind the bot are not capable of regaining access to machines in the sinkhole, and that Seculert’s claim of such a capability is “not accurate.”
Furthermore, Kaspersky Lab’s partner in the takedown, CrowdStrike, authored a blog post this morning refuting a point made by Seculert. The bottom line, CrowdStrike claims, is this: “There is no known means for the attacker to regain control over the sinkholed Kelihos.B machines at this point.”
Courtesy Brain