Kelihos botnet makes a comeback

New variants resurrect the malware four months after Microsoft and Kaspersky Lab took down the original, which was capable of sending nearly 4 billion spam e-mails each day.

A once-dead botnet has been resurrected and resumed its spamming ways.

The original Kelihos botnet compromised only about 41,000 computers but was capable of sending 3.8 billion spam e-mails each day promoting unregulated pharmaceuticals, fraudulent stock scams and, in some cases, sites dealing with sexual exploitation of children. Microsoft and Kaspersky Lab took down the botnet last September using a "sinkhole" technique: the infected computers were tricked into fetching their instructions from a server the companies controlled rather than from the botnet's operators.

However, while the technique was effective at disabling the botnet quickly, it was merely a temporary fix: the sinkhole only cut the bots off from their operators, and the malware itself remained on many of the infected computers. "As this particular case showed, it is not very effective if the botnet's masters are still at large," Kaspersky Lab's Maria Garnaeva said in a blog post. "Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet."

Now the computers have been infected with new variants that use updated encryption methods and algorithms to mask communications, Garnaeva said.

"Two different RSA keys are used within a tree which makes us think that probably two different groups are in possession of each key and are currently controlling the botnet," Garnaeva explains.
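The control scheme described in the two paragraphs above, as an added illustration that is not Kelihos code and not taken from Kaspersky's analysis: each bot embeds two controller public keys and acts only on commands whose signature verifies under one of them. Under that design a sinkhole that captures the bots' traffic can hold them idle, but it cannot sign a cleanup command, which is one reason the takedown left the infections in place. The RSA parameters are toy Mersenne-prime keys with no padding, and the command format, the `Bot` and `C2` classes and the assumption that commands are signed (rather than merely encrypted) are mine; the article says only that two RSA keys are used to control the botnet.

```python
import hashlib
import json

E = 65537


def make_keypair(p, q):
    """Textbook RSA from two primes. Toy sizes, no padding: illustration only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(command: bytes, n: int) -> int:
    # Hash the command and reduce into the modulus (a real scheme uses PKCS#1 or PSS padding).
    return int.from_bytes(hashlib.sha256(command).digest(), "big") % n


def sign(priv, command: bytes) -> int:
    return pow(_digest(command, priv["n"]), priv["d"], priv["n"])


def verify(pub, command: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(command, pub["n"])


# Two controller groups, each holding its own private key (the "two different RSA keys").
# Primes are Mersenne primes 2^31-1, 2^61-1, 2^89-1 and 2^107-1; assumed, not Kelihos values.
GROUP_A_PUB, GROUP_A_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
GROUP_B_PUB, GROUP_B_PRIV = make_keypair(2**89 - 1, 2**107 - 1)


class Bot:
    """Infected host: embeds only public keys and obeys whoever can sign with either one."""

    def __init__(self, trusted_pubkeys):
        self.trusted = trusted_pubkeys
        self.executed = []

    def handle(self, envelope) -> bool:
        command = envelope["command"].encode()
        for pub in self.trusted:
            if verify(pub, command, envelope["sig"]):
                self.executed.append(envelope["command"])
                return True
        return False  # signed by nobody we trust: dropped


class C2:
    """A node the bot fetches from: a real controller, or a sinkhole with no private key."""

    def __init__(self, privkey=None):
        self.privkey = privkey

    def issue(self, command: str):
        sig = sign(self.privkey, command.encode()) if self.privkey else 0
        return {"command": command, "sig": sig}


def run_scenario():
    bot = Bot([GROUP_A_PUB, GROUP_B_PUB])
    results = {}
    # Either key holder can drive the bot (constructed sample commands).
    results["group_a_spam"] = bot.handle(C2(GROUP_A_PRIV).issue("spam pharma-template-7"))
    results["group_b_spam"] = bot.handle(C2(GROUP_B_PRIV).issue("spam stock-template-2"))
    # Sinkhole: the bot now talks to us, but without a private key our commands are ignored.
    results["sinkhole_uninstall"] = bot.handle(C2().issue("uninstall"))
    # Replaying a genuine signature under a different command fails as well.
    stale = C2(GROUP_A_PRIV).issue("spam pharma-template-7")
    results["replayed_sig"] = bot.handle({"command": "uninstall", "sig": stale["sig"]})
    results["executed"] = list(bot.executed)
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Running it shows the two spam commands accepted, and both the sinkhole's unsigned "uninstall" and the replayed signature rejected: redirecting the bots changes who they listen to, not whose signatures they accept, so the operators could resume control as soon as they reached the hosts with new code.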

The re-emergence of the botnet comes two weeks after Microsoft filed an amended complaint in a civil suit that accused Andrey N. Sabelnikov, a resident of St. Petersburg, Russia, of writing the code for and participating in the creation of the Kelihos malware. Sabelnikov told the BBC that he was "surprised and shocked" by Microsoft's allegation and that he was "absolutely not guilty."