Kelihos botnet still dead, say Microsoft, Kaspersky
But new botnet-building malware illustrates 'incredibly frustrating' job of destroying criminal infrastructure, adds Symantec
Computerworld - Contrary to reports, the Kelihos botnet has not crawled out of the grave, Microsoft said last week. But the company acknowledged that a new botnet is being assembled using a variant of the original malware.
The reappearance of a Kelihos-like army of hijacked computers shows just how difficult it is to eradicate a botnet, security experts said today.
"It's not possible in most cases," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab, when asked whether killing a botnet was feasible. "What you're going for is disruption more than anything."
Liam O Murchu, manager of operations at Symantec's security response team, agreed and said that there was only one way to insure a botnet's death.
"If you get to the people behind it [through arrests and convictions], that will be the most successful," said O Murchu. "But international borders and the lack of cross-country cooperation makes that a difficult road to go down."
Kelihos was taken offline last September when Microsoft, using a federal court order, led efforts to shut down domains used by the command-and-control (C&C), severing links between the compromised computers and their order-giving master. Microsoft identified the alleged botmaster as a Russian programmer, Andrey Sabelnikov, in an amended complaint last week.
Talk of a Kelihos resurrection was sparked last week by Kaspersky, which said it had found signs of new malware built on the Kelihos code. The implication was that Kelihos had returned from the dead and was again spamming users.
Not so, said Richard Boscovich, a senior attorney in Microsoft's Microsoft digital crimes unit.
"Kaspersky has reported no loss of control of the [Kelihos] peer-to-peer operations and Microsoft researchers have confirmed this week that the original Kelihos C&C and backup infrastructure remains down, but it appears [a] new botnet infrastructure may be being built with the new variant of Kelihos malware," said Boscovich in a Jan. 3 blog.
Kaspersky confirmed that on Monday.
"The botnet we took down is still under control and infected machines are not receiving commands from the C&C centre, so they are not sending spam," Alex Gostev, chief security expert at Kaspersky, said in a statement. "But new samples which are monitored by us continue to get orders from spammers and send spam so far. It means that we are dealing with another botnet."
The appearance of that new botnet illustrates the difficulty researchers, software vendors and authorities have in exterminating a botnet, something that Boscovich, who cited several takedown successes, acknowledged.
"Taking down a single threat has never been Microsoft's ultimate goal in our fight against botnets," said Boscovich. "Rather, [we hope] to transform the fight against cybercrime by developing, testing and advancing impactful and disruptive strategies. This is a long-term effort."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts