Kelihos.C: Same Code, New Botnet


Last week, CrowdStrike took control over the Kelihos.B botnet in a joint effort with other security experts. The infected machines are since trapped on our sinkhole and the botnet cannot be commanded anymore. 

In a blog post that was published earlier today, IT security firm Seculert claims that the Kelihos.B botnet is still under control of the criminal who created it and that it is even possible for these criminals to regain access to the sinkholed bots.

CrowdStrike researchers continue to monitor the comand-and-control infrastructure, which is partially live again after having been down for some days, and confirmed that the servers do not speak the Kelihos.B protocol anymore. We are aware of a new version of the bot, Kelihos.C, that has been released shortly after we started the sinkholing operation, and which is spreading via social networks. This new version introduces slight changes to the message format used to propagate peer information and commands. We believe that the modifications are so minimal that the new version is still likely to get detected by anti-virus software with signatures for Kelihos.B. However, as a result of these changes, the new botnet is incompatible to and thus completely separate from the Kelihos.B version sinkholed by us.

Since both Kelihos.B and Kelihos.C are dropped by a third-party installer, it is possible that the capability to update infected machines via this dropper might exist, however thorough analysis of the dropper revealed no way to remotely command it. Bottom line: There is no known means for the attacker to regain control over the sinkholed Kelihos.B machines at this point.

Figure 1: Fall-back domain in Kelihos.C
Additionally it is interesting to note that all of the fast-flux domains used by Kelihos.B are no longer maintained and do not resolve. The new botnet (Kelihos.C) has two fast-flux domains as fall-back handles associated with it, namely and blocking these domains at the perimeter is advisable.