The Kelihos Botnet seems like a cat with 9 lives.
It was first discovered in December 2010 and taken down by Microsoft in September 2011, by which time it had infected about 45,000 computers.
In January 2012 a new version appeared. It was taken down in March 2012 when several private security companies managed to sinkhole it. Sinkholing is a takedown technique in which the traffic that infected machines send toward the command-and-control (C2) server is redirected to a server the defenders control, usually by seizing or repointing the C2 domain names at the registrar or DNS level (or, for a peer-to-peer botnet like Kelihos, by feeding the bots peer lists that point at defender-controlled nodes). The infected machines can then no longer receive commands, and the sinkhole operator gets a log of which machines call in. This version infected 110,000 computers.
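The mechanism described above, as an added example that is not code from the original post or from Kelihos: a small model in which bots look up their C2 server by domain name, the takedown repoints that name at a defender-controlled sinkhole, and from then on the bots get no commands while the sinkhole records who called in. Every domain, address and class name below is a constructed assumption (the addresses come from the RFC 5737 TEST-NET ranges).

```python
"""Model of a DNS sinkhole takedown.

Added illustration, not code from the original post or from Kelihos:
bots look up their command-and-control (C2) host by domain name, the
takedown repoints that name at a defender-controlled sinkhole, and from
then on the bots get no commands while the sinkhole records who called in.
Every name and address below is constructed (RFC 5737 TEST-NET ranges).
"""
from collections import Counter

C2_DOMAIN = "c2.example"        # hypothetical botnet C2 domain
C2_ADDR = "203.0.113.10"        # hypothetical criminal C2 server
SINKHOLE_ADDR = "198.51.100.7"  # hypothetical defender-controlled server


class Resolver:
    """Stand-in for the DNS: a mutable name -> address table."""

    def __init__(self):
        self.table = {C2_DOMAIN: C2_ADDR}

    def resolve(self, name):
        return self.table[name]

    def sinkhole(self, name, addr):
        # The takedown step: the registrar or ISP repoints the record.
        self.table[name] = addr


class C2Server:
    """The criminal server: answers every check-in with a task."""

    def handle(self, victim_ip):
        return "SEND_SPAM"


class Sinkhole:
    """Defender-controlled server: logs the victim, hands out nothing."""

    def __init__(self):
        self.checkins = Counter()

    def handle(self, victim_ip):
        self.checkins[victim_ip] += 1
        return None


class Bot:
    """Infected machine: resolves the C2 name afresh on every check-in."""

    def __init__(self, ip, resolver, network):
        self.ip, self.resolver, self.network = ip, resolver, network

    def check_in(self):
        addr = self.resolver.resolve(C2_DOMAIN)
        return self.network[addr].handle(self.ip)


def run_takedown(bot_count=5):
    """Return (commands before, commands after, victim list) for one takedown."""
    resolver = Resolver()
    sink = Sinkhole()
    network = {C2_ADDR: C2Server(), SINKHOLE_ADDR: sink}
    bots = [Bot(f"192.0.2.{i}", resolver, network) for i in range(1, bot_count + 1)]

    before = [bot.check_in() for bot in bots]    # bots still get tasks
    resolver.sinkhole(C2_DOMAIN, SINKHOLE_ADDR)  # the takedown
    after = [bot.check_in() for bot in bots]     # bots now get nothing
    victims = sorted(sink.checkins)              # the list that goes to ISPs
    return before, after, victims


if __name__ == "__main__":
    print(run_takedown())
```

Two caveats the model leaves out: a bot that caches the old answer keeps talking to the real C2 until its DNS cache expires, and a bot with a hard-coded fallback IP address or a peer-to-peer rendezvous (as Kelihos had) is not stopped by a DNS sinkhole at all, which is why the Kelihos takedowns had to poison the peer lists rather than just seize a domain.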
Although the Wikipedia article on the subject is a little confusing, it appears there was another version in 2015, affecting 70,000 computers.
This week the FBI dismantled Kelihos again, this time arresting the Russian they believe is behind it when he and his family traveled from their home in Russia, which has no extradition treaty with the U.S., to Spain, which does. He was arrested in Spain. I am not sure what he was thinking when he decided to travel to Spain, but he probably assumed his identity was still secret.
The feds were able to track him because of some sloppiness on his part: he used the same IP address to run the botnet that he used for other things, like accessing his email.
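The kind of correlation that catches this sloppiness, as an added example that is not evidence or code from the Kelihos case: given the botnet's administrative login records and the access log of an unrelated personal service, find source addresses that appear in both, then pair up logins that happened close together in time, since a shared IP alone could be a proxy or a shared NAT. Both logs, the log format and all addresses and account names are constructed assumptions.

```python
"""Attribution by shared source IP.

Added illustration, not evidence or code from the Kelihos case: given the
botnet's administrative login records and the access log of an unrelated
personal service, find source addresses that appear in both and pair up
logins that happened close together in time. Both logs below are
constructed samples using RFC 5737 TEST-NET addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: who logged in to the botnet's control panel.
C2_ADMIN_LOG = """\
2017-03-01T10:02:11Z panel-login src=203.0.113.45 user=operator
2017-03-02T22:15:03Z panel-login src=198.51.100.9 user=operator
2017-03-03T09:41:30Z panel-login src=203.0.113.45 user=operator
"""

# Constructed sample: an unrelated mail provider's access log.
MAIL_ACCESS_LOG = """\
2017-03-01T10:05:40Z imap-login src=203.0.113.45 account=someone@example.net
2017-03-01T18:22:07Z imap-login src=192.0.2.77 account=other@example.net
2017-03-03T09:50:12Z imap-login src=203.0.113.45 account=someone@example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rest>.*)$"
)


def parse(log):
    """Yield (datetime, ip, rest) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("ip"), m.group("rest")


def by_ip(log):
    """Group a log's events by source address."""
    groups = defaultdict(list)
    for ts, ip, rest in parse(log):
        groups[ip].append((ts, rest))
    return groups


def shared_sources(log_a, log_b):
    """Source IPs present in both logs."""
    return sorted(by_ip(log_a).keys() & by_ip(log_b).keys())


def linked_sessions(log_a, log_b, window=timedelta(minutes=30)):
    """Pairs of events from the two logs with the same source IP and
    timestamps within `window` of each other. A shared IP alone could be
    a VPN exit, a proxy or a shared NAT, so time proximity is the second check."""
    a, b = by_ip(log_a), by_ip(log_b)
    pairs = []
    for ip in a.keys() & b.keys():
        for ts_a, rest_a in a[ip]:
            for ts_b, rest_b in b[ip]:
                if abs(ts_a - ts_b) <= window:
                    pairs.append((ip, ts_a.isoformat(), rest_a, rest_b))
    return sorted(pairs)


if __name__ == "__main__":
    print(shared_sources(C2_ADMIN_LOG, MAIL_ACCESS_LOG))
    for pair in linked_sessions(C2_ADMIN_LOG, MAIL_ACCESS_LOG):
        print(pair)
```

On the constructed logs, one address appears in both and its panel logins sit a few minutes from mail logins to the same account on two separate days; a single coincidence proves little, but a repeated pattern like that is what turns an IP address into a lead worth a subpoena.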
Now the feds are busy sinkholing this new network and trying to reach out to the tens of thousands of computer owners whose computers are infected.
If you think about it, that task for a large infection (and this one is only a moderately sized one) takes a massive amount of human effort. The sinkhole yields only IP addresses; each one has to go to the right ISP, which then has to identify and contact the subscriber. That part can't be automated, and the users likely don't understand the problem and are not much help in fixing it. Some antivirus software can remove it, which is good, but the victims likely do not have that software.
So, it is good that the FBI arrested this guy, but I suspect he will only be locked up for a few years and then go back to Moscow as a hero and start all over. Sorry to be pessimistic, but botnets are an insanely massive problem and tremendously hard to fix.
Some people suggest that ISPs should be forced to turn off the Internet connections of infected computers until they can prove that they are clean. That would definitely send a message, but do you, for example, shut down the Internet connection for a hospital because one patient has an infected computer? You get the idea.