Malware, Network Security, Threat Management

Kelihos lives on thanks to Facebook trojan

Soon after security experts announced the dismantling of the Kelihos.B botnet on Wednesday, the culprits behind the attack reconfigured the malware -- and it is now going social.

Criminal gangs are leveraging Fifesock, a social networking trojan discovered last April, to spread the newly furnished Kelihos.C malware to already infected machines.

Computers initially are hit when users click on a malicious link in their Facebook inbox that directs them to a website using a deceptive photo album download link as bait. Once they accept the download, victims' computers become infected with Fifesock, which has the capabilities to then install additional malware -- in this case Kelihos.C, also known as Hlux.

Kaspersky Lab, CrowdStrike, Dell SecureWorks, and research organization The Honeynet Project recently joined forces to create a “sinkhole” that managed to prevent the Kelihos.B botnet from being able to connect to infected machines. However, some compromised computers may still be infected with the Fifesock worm, giving the cyber criminals behind the attacks the option to install the reconfigured botnet.

According to a blog post by Seculert, the cyber threat management firm has identified more than 70,000 Facebook users who are infected with the Facebook worm and are caught up in inadvertently sending the malicious links to their friends.

“We're seeing thousands of new users a day,” Aviv Raff, CTO of Seculert, told “We've already provided Facebook with all of the accounts we've seen compromised.”

In an email to, Frederic Wolens, a spokesman for Facebook, said that the company is attempting to eliminate the threat through collaboration with researchers, and has been successful at blocking spam being sent by the Fifesock worm.

“We have been proactively remediating any infected users in our 'malware checkpoint,'” Wolens said.

Fifesock also spreads through other social media websites, Wolens said.

This reconstructed botnet likely was created by many of the same people behind the original Kelihos, the code of which is linked to a ring responsible for creating botnet families that include Waledac and Storm Worm.

“It's some sort of pay-per-install service,” Raff said. “There seem to be two different groups that have joined together. One is using the Facebook worm, and the others are paying them in order to install the Kelihos botnets on their infected machines.”

Botnet activity can be disrupted, but the only way to permanently shut one down is to arrest and prosecute the creators, Marco Preuss, head of global research and analysis in Germany for Kaspersky Lab, said in an email sent to

“This is a difficult task because security companies encounter different federal policies, jurisdiction and legal processes in various countries where botnets are located,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.