New Kelihos Botnet Variant "Backdoor:Win32/Kelihos.B" in Circulation, Microsoft


Kelihos Botnet variant Backdoor:Win32/Kelihos.B in circulation

Responding to some recent reports asking whether the Kelihos botnet, which was taken down in September 2011 by Microsoft with Kyrus Tech Inc. and Kaspersky Lab, has been resurrected, Richard Domingues Boscovich, Senior Attorney, Microsoft Digital Crimes Unit, said in a February 3 blog post: "we've seen evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet."

He added, "this doesn't mean that the Kelihos botnet we took down is back in operation, but that a new version of Kelihos malware known as 'Backdoor:Win32/Kelihos.B' is being used to create a new botnet."

Microsoft has already made protection from this new malware variant available in the Malicious Software Removal Tool (MSRT).

He further notes, "confusing media reports about the status of the botnet developed this week following a post from Kaspersky Labs that new samples of malware, built on code that is very similar to that used by Kelihos, had been detected. However, analysis of these samples and continuing observations of Kelihos-infected computers have demonstrated no known re-employment of the original Kelihos botnet by botherders."

In terms of the scope of the threat, he notes, "at the time of the takedown, the Kelihos botnet was estimated to include approximately 41,000 infected computers worldwide. However, since the time of the takedown, we know MSRT alone has cleaned nearly 28,000 infected computers." "Based on Kaspersky's analysis this week, they estimate that the size of the botnet has gone down by approximately 25 percent in just the last two months. Since the time of the original takedown in September, we estimate that the botnet is less than a quarter of the size it was and now involves less than 10,000 infected computers," he said.

"We have no statistics to share at this time with respect to the size of the new botnet in development, but while those numbers are likely small as well, it's a threat we'll continue to monitor. We're also continuing our efforts to clean the computers that are infected with all known forms of Kelihos malware, including this new variant," added Domingues Boscovich.

This kind of effort by botherders to try to rebuild a botnet from the ashes of the old is not new.
