Kelihos lives on thanks to Facebook trojan

By on

After being "sinkholed," the Kelihos.B botnet is spreading through social networking sites.

Soon after security experts announced the dismantling of the Kelihos.B botnet on Wednesday, the culprits behind the attack reconfigured the malware -- and it is now going social.

Criminal gangs are leveraging Fifesock, a social networking trojan discovered last April, to spread the newly furnished Kelihos.C malware to already infected machines.

Computers initially are hit when users click on a malicious link in their Facebook inbox that directs them to a website using a deceptive photo album download link as bait. Once they accept the download, victims' computers become infected with Fifesock, which has the capabilities to then install additional malware -- in this case Kelihos.C, also known as Hlux.

Kaspersky Lab, CrowdStrike, Dell SecureWorks, and research organization The Honeynet Project recently joined forces to create a “sinkhole” that managed to prevent the Kelihos.B botnet from being able to connect to infected machines. However, some compromised computers may still be infected with the Fifesock worm, giving the cyber criminals behind the attacks the option to install the reconfigured botnet.

According to a blog post by Seculert, the cyber threat management firm has identified more than 70,000 Facebook users who are infected with the Facebook worm and are caught up in inadvertently sending the malicious links to their friends.

“We're seeing thousands of new users a day,” Aviv Raff, CTO of Seculert, told SCMagazine.com. “We've already provided Facebook with all of the accounts we've seen compromised.”

In an email to SCMagazine.com, Frederic Wolens, a spokesman for Facebook, said that the company is attempting to eliminate the threat through collaboration with researchers, and has been successful at blocking spam being sent by the Fifesock worm.

“We have been proactively remediating any infected users in our 'malware checkpoint,'” Wolens said.

Fifesock also spreads through other social media websites, Wolens said.

This reconstructed botnet likely was created by many of the same people behind the original Kelihos, the code of which is linked to a ring responsible for creating botnet families that include Waledac and Storm Worm.

“It's some sort of pay-per-install service,” Raff said. “There seem to be two different groups that have joined together. One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines.”

Botnet activity can be disrupted, but the only way to permanently shut one down is to arrest and prosecute the creators, Marco Preuss, head of global research and analysis in Germany for Kaspersky Lab, said in an email sent to SCMagazine.com.

“This is a difficult task because security companies encounter different federal policies, jurisdiction and legal processes in various countries where botnets are located,” he said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?