Microsoft denies Kelihos botnet is back in operation

In September, Microsoft announced that it had helped to shut down the Kelihos botnet that was responsible for sending out billions of spam messages along with other issues. Later the company named a defendant in the case, Andrey N. Sabelnikov, who has since proclaimed his innocence.

A few days ago, some media reports claimed that the Kelihos botnet was being put back into operation. However, Microsoft has now said that has not happened, although it admits that a new malware threat with similarities to the Kelihos botnet has appeared.

In a post on Microsoft's blog site, the company states:

Contrary to some reports, Kaspersky and Microsoft have no evidence that the botnet that was taken down in September has returned to the control of cybercriminals or is spamming again at this time. However, we have seen evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet. This does not mean that the Kelihos botnet we took down is back in operation, but that a new version of Kelihos malware known as “Backdoor:Win32/Kelihos.B” is being used to create a new botnet. Microsoft has already made protection from this new malware variant available in the Malicious Software Removal Tool (MSRT). This kind of effort by botherders to try to rebuild a botnet from the ashes of the old is not new.

Microsoft said that the original news reports were based on a statement from Kaspersky Labs, one of Microsoft's partners in shutting down the botnet. Kaspersky said that it had found malware code similar to that used by the Kelihos botnet. However, Microsoft said, " ... analysis of these samples and continuing observations of Kelihos-infected computers have demonstrated no known re-employment of the original Kelihos botnet by botherders."


12 Comments

Just PR. For a Windows user it doesn't make any difference whether it is the original or a modified version of the Kelihos botnet. A botnet is a botnet. Like the Hydra: you cut off one head, and 4 new ones are created.
It's the OS that should be immune.

alexalex said,
It's the OS that should be immune.

If you can install custom software on it, it's vulnerable to malware. No exceptions. Windows is just targeted the most because that's where the most users are.

alexalex said,
It's the OS that should be immune.

Maybe the users that get infected could help ...by not being so ****ing stupid !!!

alexalex said,
Just PR. For a Windows user it doesn't make any difference whether it is the original or a modified version of the Kelihos botnet. A botnet is a botnet. Like the Hydra: you cut off one head, and 4 new ones are created.
It's the OS that should be immune.


Unfortunately, there's no easy way to immunize an OS against malware. As long as you can execute 3rd party code, it will be vulnerable to malware. That doesn't mean it will have a crapload of malware on the platform, simply that it's possible, if an attacker wants to put the time in, to create a piece of malware for the system.

seanseany said,

Maybe the users that get infected could help ...by not being so ****ing stupid !!!

Maybe the developers could help...by not being so ****ing stupid and not copying old unsecured code from Windows 3.1/95/NT that is found even in Windows 8?

Matthew_Thepc said,

Unfortunately, there's no easy way to immunize an OS against malware. As long as you can execute 3rd party code, it will be vulnerable to malware. That doesn't mean it will have a crapload of malware on the platform, simply that it's possible, if an attacker wants to put the time in, to create a piece of malware for the system.
Well Windows 8 is in a really good way to be malware free if you can only run certified applications on it (on ARM for example)

alexalex said,
Just PR. For a Windows user it doesn't make any difference whether it is the original or a modified version of the Kelihos botnet. A botnet is a botnet.

You obviously failed to understand this article properly.

It clearly makes a difference that this is a new botnet, and not the old botnet which has been reactivated.

The original Kelihos malware had infected 40,000 machines. These machines are no longer part of the original botnet, and are not part of the new botnet either, since they have not been automatically reinfected with the new variant of Kelihos.

And no, no desktop OS is immune to malware. There is malware and there are botnets infecting Linux servers and OS X too. This kind of malware can exist on any system able to run unsandboxed 3rd party code.

Anthonyd said,
Well Windows 8 is in a really good way to be malware free if you can only run certified applications on it (on ARM for example)

Exactly

And thanks to the WinRT sandbox, Windows 8 will be the first desktop OS to be able to run 3rd party apps without any malware risk. The ARM version won't even allow unsandboxed Win32 apps to run, which means it will be as malware-free as WP7 is.

alexalex said,

Maybe the developers could help...by not being so ****ing stupid and not copying old unsecured code from Windows 3.1/95/NT that is found even in Windows 8?

You completely lack any security knowledge!

The Kelihos botnet is a trojan which infects computers thanks to social engineering (no security flaw is exploited; the user installs the infected exe file willingly, thinking it's some safe app).

Concerning the reuse of old code, contrary to your belief, the old code of Windows is pretty secure now, since over 10+ years thousands of security researchers have been looking at it, and fewer and fewer security flaws are found in this code year after year. Rewriting old code would break compatibility and bring in new security flaws in greater quantity.

link8506 said,

Exactly

And thanks to the WinRT sandbox, Windows 8 will be the first desktop OS to be able to run 3rd party apps without any malware risk. The ARM version won't even allow unsandboxed Win32 apps to run, which means it will be as malware-free as WP7 is.


Apologies, I should have been clearer in my wording. By 'third party apps' I meant apps that aren't OKed by a company before they're able to be used in the OS (aka Android apps, Windows 7 & below apps, and Linux apps). But yes, I guess a sandbox could be extremely effective; the only problems that I can see with it are that most likely there'll be a way for the user to allow an app to run unsandboxed (thinking UAC-ish) and thus it's possible to socially engineer the user into running the malware, and that there are most likely going to be a few holes in any type of sandbox implementation. Just my 2 cents.

Oh, btw, where'd you get the "ARM version won't even allow unsandboxed Win32 apps to run" fact?
