Update on the Kelihos botnet

Reports that the Kelihos botnet is back online and that its original operators are again trying to take over its reigns have been premature, says Microsoft.

“Contrary to some reports, Kaspersky and Microsoft have no evidence that the botnet that was taken down in September has returned to the control of cybercriminals or is spamming again at this time,” commented Microsoft’s Richard Boscovich. “However, we have seen evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet. This does not mean that the Kelihos botnet we took down is back in operation, but that a new version of Kelihos malware known as “Backdoor:Win32/Kelihos.B” is being used to create a new botnet.”

“Kaspersky has reported no loss of control of the peer-to-peer operations and Microsoft researchers have confirmed this week that the original Kelihos C&C and backup infrastructure remains down, but it appears new botnet infrastructure may be being built with the new variant of Kelihos malware,” he added.

Since its takedown, Microsoft alone has cleaned nearly 28,000 of the computers of the 41,000 or so roped into the botnet. All in all, it is believed that less than 10,000 computers still harbor Kelihos’ malware.

The new Kelihos malware variant is detected by the Malicious Software Removal Tool (MSRT).