Kelihos Botnet Update Shows Challenges Facing Takedown Efforts

UPDATE: Not too long ago, Microsoft and other security researchers were heralding the fall of the Kelihos botnet. It appears now however that whoever is behind the malware may still be in business.

Botnet shutdowns via sinkholing – where researchers redirect the malicious traffic from each bot to a server under their control – have become a prominent weapon in the fight against spammers. However, while sinkholing has its advantages, evidence that the Kelihos malware has been updated shows the method has its limitations when the cyber-criminals behind a botnet remain at large, argued Kaspersky Lab analyst Maria Garnaeva.

According to Kaspersky Lab, new malware samples very similar to the malware used to build the original Kelihos botnet were detected shortly after last fall’s takedown efforts. There were some differences, however. For one, the new malware uses a different order of operations for the encryption and packing of messages in its communication protocol. The updated malware also takes a more rigorous approach to forming packets: every packet, both incoming and outgoing, carries a calculated checksum of its data in the header. In addition, the encryption keys were changed.

“Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet,” Garnaeva wrote in a blog post. “The controllers list in the new version remained almost the same and slightly changed over time.”

Though the malware appears to be an update of Kelihos, both Kaspersky Lab and Microsoft clarified that the Kelihos botnet itself is not back in action. 

“In fact, it is believed that Kelihos itself may have been built based at least in part on code from Waledac, the first botnet Microsoft took down,” blogged Richard Domingues Boscovich, senior attorney for the Microsoft Digital Crimes Unit. “Malware authors often recycle previous versions of malware. The challenge for the ‘good guys’ is to stay on top of such emerging threats and continue to build protections for computer owners and strategies for further cybercrime disruption.”

The news comes a week after Microsoft took the step of publicly naming the man they say is behind the botnet, Andrey N. Sabelnikov of St. Petersburg, Russia. Sabelnikov’s name was added to a civil suit the company filed in an effort to take the botnet down. However, the Russian programmer has denied any involvement.

“I am absolutely not guilty, have never been involved in handling botnets or any other similar programs and what is more have never made any profit from such activity,” he wrote in a blog post. “I want to highlight that I have no connection either to the activity of Kelihos or to the distribution of spam.”

At its peak, the botnet controlled tens of thousands of computers, and is reputed to have sent out nearly 4 billion spam messages on a daily basis. The new botnet is getting orders from spammers and is sending spam in different languages. According to Garnaeva, the controllers list in the new version remains almost the same as the previous version.

The update of the botnet, she added, shows that it is impossible to neutralize a botnet simply by taking over the controller machines or substituting the controller list: if the botmaster is at large and knows the list of active router IPs, they can connect to those routers directly and push out the bot update along with a new controllers list.

“It is still possible,” she continued, “to neutralize the botnet with sinkholing but using slightly different techniques as was used before…We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end.”

UPDATE: This story was updated to include additional information from Microsoft and Kaspersky Lab.
