There have been some recent confusing reports regarding whether the Kelihos botnet, which Microsoft partnered with Kyrus Tech Inc. and Kaspersky Lab to take down in September 2011, has been resurrected.

Contrary to some reports, Kaspersky and Microsoft have no evidence that the botnet that was taken down in September has returned to the control of cybercriminals or is spamming again at this time. However, we have seen evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet. This does not mean that the Kelihos botnet we took down is back in operation, but that a new version of Kelihos malware known as “Backdoor:Win32/Kelihos.B” is being used to create a new botnet. Microsoft has already made protection from this new malware variant available in the Malicious Software Removal Tool (MSRT). This kind of effort by botherders to try to rebuild a botnet from the ashes of the old is not new.

In fact, it is believed that Kelihos itself may have been built based at least in part on code from Waledac, the first botnet Microsoft took down. Malware authors often recycle previous versions of malware. The challenge for the ‘good guys’ is to stay on top of such emerging threats and continue to build protections for computer owners and strategies for further cybercrime disruption. This is why taking down a single threat has never been Microsoft’s ultimate goal in our fight against botnets; rather, the goal is to transform the fight against cybercrime by developing, testing and advancing impactful and disruptive strategies that can help the industry as a whole better fight those who attack our customers. This is a long-term effort and, despite the constant evolution of cybercrime, we’ve seen strong positive progress in recent years.

Confusing media reports about the status of the botnet developed this week following a post from Kaspersky Lab that new samples of malware, built on code very similar to that used by Kelihos, had been detected. However, analysis of these samples and continuing observations of Kelihos-infected computers have demonstrated no known re-employment of the original Kelihos botnet by botherders. Microsoft took down the Kelihos botnet in partnership with Kyrus Tech, which served as a declarant in the legal case that made this takedown possible, and Kaspersky Lab researchers, who provided technical analysis to help dismantle the botnet.

Microsoft’s role in this operation was coordinating the overall takedown, investigation and legal case, taking down the command and control (C&C) and backup domains associated with the botnet’s operations, and working to make sure affected computer owners could clean the malware from their computers. Kaspersky’s role, as outlined previously by its researchers, included peer-to-peer disruption and sinkholing the botnet – a process that reroutes all botnet traffic toward Kaspersky-controlled machines, or “nodes,” and away from the network of infected machines. Kaspersky has reported no loss of control of the peer-to-peer operations, and Microsoft researchers have confirmed this week that the original Kelihos C&C and backup infrastructure remains down, but it appears that new botnet infrastructure may be under construction using the new variant of Kelihos malware.

In terms of the scope of the threat this represents, it is worth noting that the size of the original Kelihos botnet taken down was relatively small. At the time of the takedown, the Kelihos botnet was estimated to include approximately 41,000 infected computers worldwide. Of course, botnet malware continues to spread and need cleaning over time, so the overall size of a particular botnet might fluctuate.

However, since the time of the takedown, we know MSRT alone has cleaned nearly 28,000 infected computers. Based on Kaspersky’s analysis this week, they estimate that the size of the botnet has gone down by approximately 25 percent in just the last two months. Since the time of the original takedown in September, we estimate that the botnet is less than a quarter of the size it was and now involves less than 10,000 infected computers. We have no statistics to share at this time with respect to the size of the new botnet in development, but while those numbers are likely small as well, it is a threat we will continue to monitor. We are also continuing our efforts to clean the computers that are infected with all known forms of Kelihos malware, including this new variant.

Fighting cybercrime, including botnets, requires a collaborative effort among industry, academia and the public sector, and as we learn more about the status of the Kelihos malware, we will apply those lessons to future takedowns. To date, our collaborative approach has produced key victories, including the previous takedowns of Waledac and Rustock botnets. Again, no single action or takedown will put an end to malware or cybercrime, but through continued cooperation, creativity and vigilance we can help prevent and disrupt it.

Microsoft, as ever, remains committed to following botnet cases wherever they lead us and to holding those responsible accountable for their actions. As you may have seen, Microsoft recently named a new defendant in the legal case on Kelihos and we continue to move forward with those legal proceedings. We will continue to provide updates as the ongoing Kelihos investigation unfolds.

For free tools and information to remove Kelihos or other botnet malware from your computer, go to http://support.microsoft.com/botnets. And, to stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Posted by Richard Domingues Boscovich
Senior Attorney, Microsoft Digital Crimes Unit