The Kelihos botnet is still alive.
Even after security researchers neutralized the botnet for a second time this week, Kelihos-B, which has spread as a Facebook worm over recent weeks, is still active and spreading, according to Seculert officials. CrowdStrike and Kaspersky Labs sinkholed the botnet earlier this week.
This botnet is the remnants of Kelihos-B rather than a new variant of the malware, Seculert said.
Seculert's findings indicate that sinkholing 109,000 backdoored machines infected with the spam-spewing and credential-stealing Kelihos Trojan may not have disabled the entire bot network.
“Very little time passed yesterday [Wednesday] between action being taken against the second Kelihos botnet and the appearance of a new variant said to be spreading via Facebook,” said David Harley, senior research fellow at antivirus biz ESET.
“For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix.
“Sink-holing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system that is now under the control of the good guys. However, there’s a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.”
Harley added that anyone possessing the Kelihos source code can tweak the malware to evade future attempts to neutralize it.