Seculert researchers say that the Kelihos botnet is alive and well, spreading with the aid of a Facebook worm that infects the computers of users located mostly in the US and Poland.
On March 28, 2012, Kaspersky experts revealed that with the aid of CrowdStrike Intelligence Team, the Honeynet Project and Dell SecureWorks, they managed to disable a large part of the new variant of the Kelihos botnet.
According to Kaspersky, the security firms used a sinkhole to take over more than 116,000 bots that were part of Kelihos. However, Seculert representatives claim that they have identified more than 70,000 Facebook members affected by the worm, which spams other users in order to spread the malware further.
The worm posts a so-called photo album on the walls of infected users, trying to lure their contacts into the trap. Apparently, 54% of victims are from Poland and 30% from the United States, with the rest spread across countries such as Pakistan, Hungary, Denmark, the UK, Italy, India and the Czech Republic.
“Seculert can still see that Kelihos is being spread using the Facebook worm. Also, there is still communication activity of this malware with the Command-and-Control servers through other members of the botnet,” Seculert representatives wrote.
“This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam.”
Furthermore, experts explain that this is not a new variant of Kelihos.
“Some might call this 'a new variant', or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B.”