KelihosResearchers are tracking a new version of the Kelihos botnet, one that comes complete with better resistance to sinkholing techniques and a feature that enables it to remain dormant on infected machines for long periods to help avoid detection. The botnet also is using an advanced fast-flux capability to hide the domains it uses for command-and-control and malware distribution.
This is the third time the Kelihos botnet has reared its head. The first two instances, security researchers were able to sinkhole the domains that Kelihos was using, effectively crippling the attackers' ability to communicate with infected machines. The first Kelihos botnet takedown in 2011 was a joint effort between Kaspersky Lab and Microsoft and the teams were able to reverse-engineer the communications protocol that the bots use. Kelihos, also known as Hlux, is a peer-to-peer botnet, meaning that there is no central server or servers that spit out new commands for the bots.
