Kelihos Botnet Could Resurge via Facebook Worm

By | Apr 6, 2012

A recent report from Seculert should drive home the need to follow best practices when securing networks and network-capable devices from malware. Social networking is widespread, with Facebook capturing over 800 million users, so it should come as no surprise that cyber criminals are utilizing these services to infect machines with all sorts of malicious software. But when companies fail to protect against these threats, it can have a major impact on the organization; data breaches can cost midsized businesses thousands of dollars or more.

News of the Kelihos Trojan has been circulating since last year, when the botnet was first discovered. The Trojan had infected over 40,000 computers, using the compromised PCs to send spam emails and steal sensitive data. In September 2011, Microsoft, Kaspersky Lab, and Kyrus Tech shut down the botnet as part of "Operation b79."

Just a few months later, however, researchers discovered a new botnet based off of the original Kelihos, this time utilizing more intelligent code. The new Trojan was given the name "Kelihos.B."

On March 28, 2012, Kaspersky Lab, CrowdStrike Intelligence Team, Dell SecureWorks, and Honeynet Project took control of Kelihos.B. Kaspersky Lab and partners sinkholed the botnet, redirecting communication from the compromised peers to a command-and-control (C&C) server managed by the researchers. The security firms were able to sinkhole just over 110,000 computers.

The next day, however, Seculert announced that Kelihos.B was still active: Cyber criminals were using a Facebook worm to bring the botnet back to life. PCs infected with the worm send messages to the victim's friends; the worm directs the users to a link containing the Kelihos Trojan. According to the security firm, over 70,000 members of the widely used social networking site have been infected with the worm.

"The Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam," reads a post on the Seculert blog. Facebook is almost like a drug to some members, with users checking their accounts every few minutes. While the social networking site can be useful to businesses, some workers can abuse the website, using it for personal reasons rather than business-related ones.

Organizations who worry about their workers abusing the social networking site should consider implementing a whitelist or a blacklist to prevent employees from accessing websites unrelated to work. While the Internet can provide workers with fast, convenient access to information, it's filled with threats that can cripple security. Exclusive whitelists can be extremely useful to midsized businesses that maintain online databases containing all the information that workers need to perform their duties.

Companies that allow employees to use social networking for work purposes should inform workers of the potential threat--the spam messages link to what looks like a photo album--to prevent the Kelihos Trojan from compromising machines within the organization.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

IBM Solution Security & Resiliency

IBM's IT security expertise can help medium-sized businesses develop, implement and maintain comprehensive strategies to combat ever-evolving security threats without increasing complexity, cost, or resources required for administration.

Learn More »

More on This Topic