ESET senior research fellow David Harley has expanded on the recent reports that the Kelihos botnet, taken down by Microsoft and Kaspersky last year, has returned. It’s been known for some time, he says, with some “reports suggesting that the new version appeared almost as soon as Microsoft’s takedown was publicized.” But he doesn’t believe that this is a simple return of the original botnet, with the botmaster regaining control over his lost bots.
The original takedown happened when Microsoft redirected the Kelihos peer-to-peer drones to a system that Microsoft controlled, while Kaspersky flooded the peer lists, replacing all the peer entries with the address of the sinkhole server. ESET believes that this was successful. “We believe that the gang started over – similar to what happened with the transition from Waledac to Kelihos – but using the same base code.” ESET has seen evidence that the new Kelihos is spreading via the pay-per-install model, as used by the TDSS rootkit; and is using other botnets to aid its dissemination.
Further information on Kelihos is provided by the Swiss Security Blog Abuse.ch, which describes its P2P and fast flux structure and explains its ability to sniff the victim’s network traffic and steal credentials. Abuse.ch notes, however, “As hard as it is to take down this botnet, as easy it should be to detect computers infected with Kelihos.” The main reason is that the malware “seems to ignore several RFCs which makes it very easy to detect infected computers in corporate and governmental networks.” One example is the use of the HTTP GET request in combination with the Content-Length header. “Therefore,” notes the author, “it should be very easy to detect Kelihos in your network, just watch out for HTTP GET request containing the header field ‘Content-Length’.”
This won’t be so easy for the average home user. Harley notes, “Historically, Kelihos has been mostly associated with spam... Spammers don’t generally discriminate between home users and work addresses, so individuals should be looking out at home and at work for eye-catching spam such as greetings cards.” He believes that most AV companies are already watching the new Kelihos very closely, “so it’s systems that aren’t properly protected by AV that are most at risk.”