Kelihos lives on thanks to Facebook trojan

Powered by SC Magazine
 

After being "sinkholed," the Kelihos.B botnet is spreading through social networking sites.

Soon after security experts announced the dismantling of the Kelihos.B botnet on Wednesday, the culprits behind the attack reconfigured the malware -- and it is now going social.

Criminal gangs are leveraging Fifesock, a social networking trojan discovered last April, to spread the newly furnished Kelihos.C malware to already infected machines.

Computers initially are hit when users click on a malicious link in their Facebook inbox that directs them to a website using a deceptive photo album download link as bait. Once they accept the download, victims' computers become infected with Fifesock, which has the capabilities to then install additional malware -- in this case Kelihos.C, also known as Hlux.

Kaspersky Lab, CrowdStrike, Dell SecureWorks, and research organization The Honeynet Project recently joined forces to create a “sinkhole” that managed to prevent the Kelihos.B botnet from being able to connect to infected machines. However, some compromised computers may still be infected with the Fifesock worm, giving the cyber criminals behind the attacks the option to install the reconfigured botnet.

According to a blog post by Seculert, the cyber threat management firm has identified more than 70,000 Facebook users who are infected with the Facebook worm and are caught up in inadvertently sending the malicious links to their friends.

“We're seeing thousands of new users a day,” Aviv Raff, CTO of Seculert, told SCMagazine.com. “We've already provided Facebook with all of the accounts we've seen compromised.”

In an email to SCMagazine.com, Frederic Wolens, a spokesman for Facebook, said that the company is attempting to eliminate the threat through collaboration with researchers, and has been successful at blocking spam being sent by the Fifesock worm.

“We have been proactively remediating any infected users in our 'malware checkpoint,'” Wolens said.

Fifesock also spreads through other social media websites, Wolens said.

This reconstructed botnet likely was created by many of the same people behind the original Kelihos, the code of which is linked to a ring responsible for creating botnet families that include Waledac and Storm Worm.

“It's some sort of pay-per-install service,” Raff said. “There seem to be two different groups that have joined together. One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines.”

Botnet activity can be disrupted, but the only way to permanently shut one down is to arrest and prosecute the creators, Marco Preuss, head of global research and analysis in Germany for Kaspersky Lab, said in an email sent to SCMagazine.com.

“This is a difficult task because security companies encounter different federal policies, jurisdiction and legal processes in various countries where botnets are located,” he said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
What InfoSec can learn from the insurance industry
[Blog post] Another way data breach laws could help manage risk.
 
A ten-point plan for disrupting security
[Blog post] How can you defend the perimeter when it’s in the cloud?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1047

Vote