Several months ago, Microsoft helped take down a huge botnet called Kelihos. According to some reports, it’s back. Microsoft and Kaspersky have denied that it has returned, but does mention that there is a variant of the botnet and it very similar. Programmers like to reuse code when they can, and as the botnet was so successful, someone took the code and modified it to behave similar, but different enough to not be detected as the same botnet or malware.
What a mess these people cause. At least we have the good guys always on the job to help keep us safe from these online threats. Always be smart out there: don’t open attachments from Prince’s needing your account number, watch what you download, keep your machine patched and updated, and keep your antivirus up to date!
Contrary to some reports, Kaspersky and Microsoft have no evidence that the botnet that was taken down in September has returned to the control of cybercriminals or is spamming again at this time. However, we have seen evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet. This does not mean that the Kelihos botnet we took down is back in operation, but that a new version of Kelihos malware known as “Backdoor:Win32/Kelihos.B” is being used to create a new botnet. Microsoft has already made protection from this new malware variant available in the Malicious Software Removal Tool (MSRT). This kind of effort by botherders to try to rebuild a botnet from the ashes of the old is not new.