Kelihos Botnet, Once Crippled, Now Gaining Strength

A botnet that was crippled by Microsoft and Kaspersky Lab last September is spamming once again and experts have no recourse to stop it.

The Kelihos botnet only infected 45,000 or so computers but managed to send out nearly 4 billion spam messages a day, promoting, among other things, pornography, illegal pharmaceuticals and stock scams.

But it was temporarily corralled last September after researchers used various technical means to get the 45,000 or so infected computers to communicate with a “sinkhole,” or a computer they controlled.

But the computers that comprised Kelihos were still infected with its code. Researchers knew that it would only be a matter of time before its controller used the botnet’s complex infrastructure of proxy servers and communication nodes to regain control.

In fact, it happened shortly after the researchers intervened. Sinkholing the botnet was only a temporary solution.

“We could have issued an update to those machines to clean them up, but in several countries that would be illegal,” said Ram Herkanaidu, security researcher and education manager for Kaspersky Lab.

Meddling with another person’s computer could be considered a form of hacking, even with the best intentions of security researchers. Unfortunately, it appears that many of the machines infected with Kelihos are now controlled by the bad guys again.

There are also other new variants of Kelihos that are using updated forms of encryption to mask the communication with the botnet controllers, Herkanaidu said. Maria Garnaeva, a researcher with Kaspersky Lab, wrote that two different RSA keys are being used for encryption, which means it is possible two different groups are controlling Kelihos.

The resurrection of Kelihos comes as Microsoft last week amended a civil suit in the U.S. District Court for the Eastern District of Virginia to name a Russian man it believes is responsible for the botnet.

The man, Andrey N. Sabelnikov of St. Petersburg, freelanced for a software development company and formerly worked as a software engineer for a computer security software company.

After his name was widely published in media reports, Sabelnikov denied he was responsible and told the BBC, “I will prove my innocence.”

Even if Sabelnikov is eventually criminally charged by U.S. prosecutors, Russia’s constitution prohibits extradition of its own citizens.

Microsoft said it is working with Kaspersky on studying the latest Kelihos developments. The company remains committed to following its botnet cases and intends to hold those responsible accountable for their actions, said Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, in a statement.

Send news tips and comments to jeremy_kirk@idg.com