In another instance of malware utilizing holiday-themed spam emails, our researchers had the opportunity to review in detail the threat we call Backdoor:Win32/Kelihos.A. An interesting aspect of this threat is its use of fast-flux in much the same way as the Win32/Waledac family. This similarity is not a coincidence. Analysis of Kelihos shows that large portions of its code are shared with Waledac, suggesting that it is either from the same parties or that the code was obtained, updated and reused.
Still, based on our analysis, we have classified this as a new family and not a variant of Waledac. It is important to note that this new family is neither communicating with nor reactivating the original Waledac, which had its command and control infrastructure neutralized last year. We are actively monitoring this emerging malware in cooperation with industry and academic partners who were previously involved in Operation b49.
Source: Microsoft Malware Protection Center (full story)
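The fast-flux behaviour the MMPC post attributes to Kelihos and Waledac (one hostname rotating through many short-TTL A records spread across unrelated networks) is something a defender can surface from passive DNS or resolver logs. The following is an added example, not code from the MMPC post or from Microsoft; the log format, the hostnames and the addresses are constructed, and the thresholds are assumptions to be tuned against a CDN allow-list, since content-delivery networks show similar patterns.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample resolver log (not real Kelihos indicators).
# Line format assumed here: "<epoch> <qname> A <ipv4> ttl=<seconds>"
SAMPLE_LOG = """\
1294700000 example-flux.test A 203.0.113.10 ttl=300
1294700300 example-flux.test A 203.0.113.22 ttl=300
1294700600 example-flux.test A 198.51.100.7 ttl=300
1294700900 example-flux.test A 192.0.2.45 ttl=300
1294701200 example-flux.test A 203.0.113.99 ttl=300
1294701500 example-flux.test A 198.51.100.120 ttl=300
1294700000 static-site.test A 192.0.2.1 ttl=86400
1294703600 static-site.test A 192.0.2.1 ttl=86400
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+A\s+(\d+\.\d+\.\d+\.\d+)\s+ttl=(\d+)$")


@dataclass
class FluxStats:
    distinct_ips: int        # unique A records seen for the name
    distinct_prefixes: int   # unique /24 networks, a rough proxy for hosting diversity
    min_ttl: int             # shortest TTL observed


def summarize(log_text):
    """Aggregate per-hostname A-record diversity and TTL from log lines."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        _ts, qname, ip, ttl = m.groups()
        ips[qname].add(ip)
        ttls[qname].append(int(ttl))
    return {
        q: FluxStats(len(ips[q]), len({ip.rsplit(".", 1)[0] for ip in ips[q]}), min(ttls[q]))
        for q in ips
    }


def flag_fast_flux(log_text, min_ips=5, min_prefixes=3, max_ttl=600):
    """Return hostnames whose A-record churn matches a fast-flux profile."""
    stats = summarize(log_text)
    return sorted(
        q for q, s in stats.items()
        if s.distinct_ips >= min_ips and s.distinct_prefixes >= min_prefixes and s.min_ttl <= max_ttl
    )


if __name__ == "__main__":
    print(flag_fast_flux(SAMPLE_LOG))  # → ['example-flux.test']
```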
Posted on 11 January 2011. Tags: Birth, Kelihos, Separated, Waledac