Kelihos is dead. Long live Kelihos

Jump to navigation Jump to search

(Publication) Google search: [1]

Kelihos is dead. Long live Kelihos
Botnet Kelihos
Malware Kelihos.A, Kelihos.B, Kelihos.C
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group Operation b79
CCProtocol P2P, DGA
Date 2012 / 30-03-2012
Editor/Conference Damballa
Link ( Archive copy)
Author Gunter Ollmann


The King is dead. Long live the King! Or, given this week’s events, should the phrase now be “Kelihos is dead. Long live Kelihos”?

It is with a little amusement and a lot of cynicism that I’ve been watching the kerfuffle relating to the latest attempt to take down the Kelihos botnet. You may remember that a similar event (“Kelihos is dead”) occurred late last year after Microsoft and Kaspersky took it on themselves to shut down the botnet known as Kelihos (or sometimes as Waledac 2.0 or Hlux). Now, like a poor sequel to a TV docu-drama, Kaspersky and a number of other security vendors have attempted to slap down control of Kelihos Season Two – meanwhile Season Three of Kelihos has just begun to air.

In the most recent attempt to interrupt the business operations of the criminal entity behind the Kelihos botnet, a bunch of threat researchers have managed to usurp command and control (C&C) of the Kelihos.B crimeware package by poisoning the peer-to-peer (P2P) relationships between all of the infected devices and install a surrogate control server. It’s good technical work by all those concerned, but has also proved to be ineffective if the objective was to actually takedown the botnet.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR965,
   editor = {Damballa},
   author = {Gunter Ollmann},
   title = {Kelihos is dead. Long live Kelihos},
   date = {30},
   month = Mar,
   year = {2012},
   howpublished = {\url{}},