Kelihos appears again with a new variant as many researchers have discovered. The variant enables it to remain dormant on the machine with sinkholing techniques, and other rootkit-style operations. It hides domains, and does many other things to conceal itself, as researchers have discovered.
This is the third attempt for the Kelihos botnet. When it got shutdown back in 2011 by a collaborative effort between Kaspersky Lab and Microsoft, it was figured that it was a P2P botnet, which made it more difficult to shutdown completely all operations for the botnet. At least its main servers were cut off, but it didn’t stop the malware from spreading since tons of blackhats still had the malcode on their own server/computer.
Researchers at Deep End Research and FireEye have new samples that have been analyzing, and after some impressive research, it was found that the Kelihos network is back on the rise.
“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.
Experts are trying to discover the new roots, and another takedown may be in order. This is insanity.