As announced by Kaspersky Lab researchers and confirmed by Microsoft, the C&C and backup infrastructure of the original Kelihos/Hlux botnet is still down after their joint action that resulted in its sinkholing.


Temporarily beheaded, the botnet doesn't send out spam, but Kaspersky's researchers have noticed that its operators currently seem more interested in building a new one than wrestling the control of the old one from the hands of the researchers.

This new version of the Kelihos botnet is built with a variant of the original malware, and is currently believed to consist of around 8,000 enslaved computers.

While the original botnet mostly spewed out spam and was able to effect DDoS attacks, this new one has many more capabilities, as the bot found on these computers can infect flash drives, find and exfiltrate configuration details for a number of FTP clients, email addresses, email, FTP and HTTP session passwords, and steal and make the infected computer mine Bitcoins.

The stolen FTP passwords are to be used to inject malicious Javascripts in websites that redirect users to sites hosting exploit kits. The botnet itself will surely be used to send out spam, but another pice of malware installed along with the bot will also be able to manipulate search engine results.

The bot programs - as well as the additional downloaders - are installed on the computers via drive-by attacks that redirect users to websites hosting the Incognito exploit kit.

"It is not uncommon for new versions of botnets to appear, and it’s one of the challenges we face in the IT security industry. We can neutralize botnet attacks and delay cyber criminal activities but ultimately the only way to take botnets down is to arrest and persecute the creators and groups operating them," concluded Kaspersky Lab Expert Sergey Golovanov.