MalwareMustDie disagrees with the figures provided by Kaspersky

Nov 13, 2013 13:04 GMT

Security experts are currently busy trying to disrupt the second version of the Hlux/Kelihos botnet. Kaspersky reports that the botnet is shrinking, currently counting around 1,000 bots per month.

According to Kaspersky, most of the remaining bots are running Windows XP. 44% of them are located in Poland, and close to 10% in Turkey. Others are said to be located in Spain, Hungary, Romania, Thailand, Vietnam, the United States, India, Italy, Germany, Malaysia and the Russian Federation.

Researchers say there might be an independent subset of the botnet that’s not connected to their sinkhole. However, they believe the bot herders have likely abandoned them to concentrate on creating version 3 of Hlux/Kelihos.

Kaspersky teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in March 2012 to try to take down the second variant of the botnet. While they appear to be content with their progress, others disagree that the information presented by the IT security giant is accurate.

White hat security research group MalwareMustDie believes that the figures provided by Kaspersky are misleading.

The group says the number of infections is much higher than 1,000. It claims that most of the infections are actually seen in Ukraine (52,000), Russia (18,000), Japan (9,800), India (6,000) and Taiwan (4,600).

“Growth is still happening, even NOW we keep on suspending, sinkholing new domains they used for spreading payload (which is encrypted in their job servers to CnC layer to be sent to peer for infection upgrade) on a time-to-time basis, with the total now exceeding 800+ domains from August 6th to yesterday,” MalwareMustDie noted in a post published on Full Disclosure.

MalwareMustDie will present details on the status of the Kelihos botnet at the Botconf 2013 conference in France.