A second version of the Hlux/Kelihos botnet is still making the rounds, and one group of researchers says its size is shrinking, currently counting around 1,000 bots per month. However, a second group of researchers says the botnet is growing.
The first group, researchers at Kaspersky Labs, say most of the remaining bots are running Windows XP. In addition, 44 percent of the bots are in Poland and close to 10 percent in Turkey. Others are in Spain, Hungary, Romania, Thailand, Vietnam, the United States, India, Italy, Germany, Malaysia and the Russian Federation.
The Kaspersky researchers said there might be an independent subset of the botnet not connected to their sinkhole. However, they believe the bot herders have likely abandoned those bots to concentrate on creating version 3 of Hlux/Kelihos.
Kaspersky teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in March 2012 to try to take down the second variant of the botnet.
The second group, the whitehat security research group MalwareMustDie, said the figures could be misleading.
They said the number of infections is much higher than 1,000. They claim most are in Ukraine (52,000), Russia (18,000), Japan (9,800), India (6,000) and Taiwan (4,600).
“Growth is still happening, even now we keep on suspending, sinkholing new domains they used for spreading payload (which is encrypted in their job servers to CnC layer to be sent to peer for infection upgrade) on a time-to-time basis, with the total now exceeding 800+ domains from August 6th to yesterday,” MalwareMustDie said in a blog post published on Full Disclosure.