Reprise for Kelihos Botnet

Tuesday, March 13, 2012 @ 03:03 PM gHale

Microsoft said it took down the Kelihos botnet last year, but like a bad horror show, it has re-emerged from the depths even stronger than before.

The resurgent Kelihos botnet is now capable of stealing credentials, installing malware and distributing millions of German stock-related spam messages, security researchers said.


The new version of Kelihos is using a .eu domain in combination with fast flux techniques, said researchers at a Swiss security blog.

Fast flux is a DNS technique used by botnet operators to mask malware-hosting websites behind a constantly changing network of compromised machines, which act as proxies.
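As an added example (not code from the article or from the researchers it cites), the following heuristic turns that description into a defender's check: it aggregates repeated DNS lookups per domain and flags the classic fast-flux signals, namely short TTLs, many distinct A records, answer churn between lookups, and addresses spread across many network prefixes. The domains, addresses and thresholds are constructed assumptions, not values from the page.

```python
"""Heuristic fast-flux detector over constructed DNS observations.

Added example. Each observation is (domain, ttl_seconds, A records) from
one lookup. Thresholds are assumptions chosen for illustration; real
deployments tune them and add ASN lookups in place of the /16 proxy.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: three successive lookups per domain.
# flux-example.eu rotates through new proxies every lookup with low TTLs;
# static-example.eu always answers with the same host and a day-long TTL.
OBSERVATIONS = [
    ("flux-example.eu", 180, ["203.0.113.5", "198.51.100.9", "192.0.2.44"]),
    ("flux-example.eu", 180, ["203.0.113.77", "198.51.100.130", "192.0.2.200"]),
    ("flux-example.eu", 120, ["203.0.113.12", "198.51.100.61", "192.0.2.8"]),
    ("static-example.eu", 86400, ["203.0.113.10"]),
    ("static-example.eu", 86400, ["203.0.113.10"]),
    ("static-example.eu", 86400, ["203.0.113.10"]),
]


def summarize(observations):
    """Per domain: distinct IPs, minimum TTL, distinct /16 prefixes, and
    churn (lookups after the first that introduced a never-seen IP)."""
    ips, min_ttl, churn = defaultdict(set), {}, defaultdict(int)
    for domain, ttl, answers in observations:
        if domain in ips and any(a not in ips[domain] for a in answers):
            churn[domain] += 1
        ips[domain].update(answers)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    summary = {}
    for domain, addrs in ips.items():
        prefixes = {int(ip_address(a)) >> 16 for a in addrs}  # /16 as ASN stand-in
        summary[domain] = {"ips": len(addrs), "min_ttl": min_ttl[domain],
                           "prefixes": len(prefixes), "churn": churn[domain]}
    return summary


def flux_score(stats, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=1):
    """Count how many fast-flux indicators a domain's summary trips (0-4)."""
    return sum([stats["min_ttl"] <= max_ttl, stats["ips"] >= min_ips,
                stats["prefixes"] >= min_prefixes, stats["churn"] >= min_churn])


def suspected_fast_flux(observations, threshold=3):
    """Domains whose indicator count meets the threshold, sorted by name."""
    return sorted(d for d, s in summarize(observations).items()
                  if flux_score(s) >= threshold)


if __name__ == "__main__":
    for domain, stats in summarize(OBSERVATIONS).items():
        print(domain, stats, "score", flux_score(stats))
    print("suspected:", suspected_fast_flux(OBSERVATIONS))
```

A single lookup cannot reveal flux; the signal comes from repeating the resolution over time and watching the answer set turn over, which is why the summary is built from a sequence of observations.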

Previously Kelihos used domains associated with the Czech Republic.

Security firm GFI also warned a new variant of Kelihos is on the loose, with those behind it seemingly intent on rebuilding the botnet.

“Despite the best efforts of Microsoft and a number of security specialists, the Kelihos Botnet has continued to gain momentum in the wild,” GFI said.

Microsoft said it had shut down the Kelihos botnet last September.

At the time, it said: “When Microsoft takes a botnet down, we intend to keep it down.”

Security firm Kaspersky Labs, which worked with Microsoft on the initial Kelihos takedown, reported seeing new variants of the botnet as early as January 2012.

Microsoft and Kaspersky were not immediately available for comment.
