The Kelihos botnet was first discovered around December 2010. Researchers originally suspected having found a new version of either the Storm or Waledac botnet, due to similarities in the modus operandi and source code of the bot, but analysis of the botnet showed it was instead a new, 45,000-infected-computer-strong, botnet that was capable of sending an estimated 4 billion spam messages a day. In September 2011 Microsoft took down the botnet in an operation codenamed "Operation b79". At the same time, Microsoft filed civil charges against Dominique Alexander Piatti, dotFREE Group SRO and 22 John Doe defendants for suspected involvement in the botnet for issuing 3,700 subdomains that were used by the botnet. These charges were later dropped when Microsoft determined that the named defendants did not intentionally aid the botnet controllers.
In January 2012 a new version of the botnet was discovered, one sometimes referred to as Kelihos.b or Version 2, consisting of an estimated 110,000 infected computers. During this same month Microsoft pressed charges against Russian citizen Andrey Sabelnikov, a former IT security professional, for being the alleged creator of the Kelihos Botnet sourcecode. The second version of the botnet itself was shut down by it in March 2012 by several privately owned firms by sinkholing it – a technique which gave the companies control over the botnet while cutting off the original controllers.
Following the shutdown of the second version of the botnet, a new version surfaced as early as 2 April, though there is some disagreement between research groups whether the botnet is simply the remnants of the disabled Version 2 botnet, or a new version altogether. This version of the botnet currently consists of an estimated 70,000 infected computers. The Kelihos.c version mostly infects computers through Facebook by sending users of the website malicious download links. Once clicked, a Trojan horse named Fifesoc is downloaded, which turns the computer into a zombie, which is part of the botnet.
Structure, operations and spread
The Kelihos botnet is a so-called peer-to-peer botnet, where individual botnet nodes are capable of acting as command-and-control servers for the entire botnet. In traditional non-peer-to-peer botnets, all the nodes receive their instructions and "work" from a limited set of servers – if these servers are removed or taken down, the botnet will no longer receive instructions and will therefore effectively shut down. Peer-to-peer botnets seek to mitigate that risk by allowing every peer to send instructions to the entire botnet, thus making it more difficult to shut it down.
The first version of the botnet was mainly involved in denial-of-service attacks and email spam, while version two of the botnet added the ability to steal Bitcoin wallets, as well as a program used to mine bitcoins itself. Its spam capacity allows the botnet to spread itself by sending malware links to users in order to infect them with a Trojan horse, though later versions mostly propagate over social network sites, in particular through Facebook.
- Mills, Elinor (28 March 2012). "110,000 PC-strong Kelihos botnet sidelined". CNET. Retrieved 28 April 2012.
- Ortloff, Stefan (28 March 2012). "FAQ: Disabling the new Hlux/Kelihos Botnet". Securelist.com. Retrieved 28 April 2012.
- Adair, Steven (30 December 2010). "New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?". Shadowserver. Retrieved 28 April 2012.
- Donohue, Brian (29 March 2012). "Kelihos Returns: Same Botnet or New Version?". Threatpost. Retrieved 28 April 2012.
- Mills, Elinor (27 September 2011). "Microsoft halts another botnet: Kelihos". CNet. Retrieved 28 April 2012.
- Kirk, Jeremy (1 February 2012). "Kelihos botnet, once crippled, now gaining strength". Network World. Retrieved 28 April 2012.
- Constantin, Lucian (28 March 2012). "Security Firms Disable the Second Kelihos Botnet". PCWorld. Retrieved 28 April 2012.
- Boscovich, Richard (27 September 2011). "Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case". Microsoft TechNet. Retrieved 28 April 2012.
- Microsoft (26 September 2011). "Operation b79 (Kelihos) and Additional MSRT September Release". Microsoft Technet. Retrieved 28 April 2012.
- Latif, Lawrence (27 October 2011). "Microsoft drops Kelihos botnet allegations against ISP owner". The Inquirer. Retrieved 28 April 2012.
- Gonsalves, Antone (24 January 2012). "Microsoft Says Ex-Antivirus Maker Ran Botnet". CRN Magazine. Retrieved 28 April 2012.
- Warren, Tom (29 March 2012). "Second Kelihos botnet downed, 116,000 machines freed". The Verge. Retrieved 28 April 2012.
- Brewster, Tom (24 January 2012). "Microsoft suspects ex-antivirus worker of Kelihos botnet creation". IT PRO. Retrieved 28 April 2012.
- Keizer, Gregg (24 January 2012). "Accused Kelihos botnet maker worked for two security firms | ITworld". ITworld. Retrieved 28 April 2012.
- Donohue, Brian (28 March 2012). "Kaspersky Knocks Down Kelihos Botnet Again, But Expects Return". ThreatPost. Retrieved 28 April 2012.
- Raywood, Dan (2 April 2012). "CrowdStrike researchers deny that Kelihos has spawned a new version – SC Magazine UK". SC Magazine. Retrieved 29 April 2012.
- Leyden, John (29 March 2012). "Kelihos zombies erupt from mass graves after botnet massacre". The Register. Retrieved 28 April 2012.
- SPAMfighter News, (13 April 2012). "Kelihos Botnet Re-emerges, This Time Attacking Social Networks". SPAMfighter. Retrieved 28 April 2012.
- Grizzard, Julian; David Dagon;Vikram Sharma;Chris Nunnery;Brent ByungHoon Kang (3 April 2007). "Peer-to-Peer Botnets: Overview and Case Study". The Johns Hopkins University Applied Physics Laboratory. Retrieved 28 April 2012.
- SPAMfighter (5 April 2012). "Security Companies Take Down Kelihos Botnet of Version 2". SPAMfighter. Retrieved 28 April 2012.
- Jorgenson, Petra (6 April 2012). "Kelihos Botnet Could Resurge via Facebook Worm". Midsize Insider. Retrieved 29 April 2012.