Feeds

Microsoft delivers fatal blow to yet another botnet

Kelihos, we hardly knew ye

Security for virtualized datacentres

Microsoft said it delivered a fatal legal blow to Kelihos, a botnet that stole sensitive personal information stored on computers it infected, and was capable of delivering almost 4 billion spam messages per day.

The takedown was achieved in part by obtaining a secret court order shutting down 21 internet addresses, including cz.cc, a free domain name registration service based in the Czech Republic. The underlying lawsuit was unsealed only after the command and control servers that relied on the domains were severed from the internet, making it impossible for the 42,000 or so infected computers to receive updated software and instructions from the Kelihos operators.

The knockout is the third time Microsoft has combined its technical and legal might to disrupt a botnet menacing its customers. In March, Redmond took credit for bringing down Rustock, a rogue network that turned about 1.6 million PCs into spam-spewing monsters. That achievement came after Microsoft worked to identify the domains and servers used to administer Rustock, so they could be confiscated all at once.

Ironically, Kelihos code bore a striking technical resemblance to Waledac, another spam botnet that Microsoft disabled early last year. Redmond's lawyers swooped down on Kelihos after some researchers suspected it was an attempt to rebuild Waledac.

“The Kelihos takedown is intended to send a strong message to those behind botnets that it's unwise for them to simply try to update their code and rebuild a botnet once we've dismantled it,” Richard Domingues Boscovich, a senior attorney in Microsoft's Digital Crimes Unit, wrote in a blog post published Tuesday. “When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold bot herders accountable for their actions.”

A complaint filed in US District Court in Alexandria, Virginia, named 22 John Doe defendants, along with dotFREE SRO and Dominique Alexander Piatti, the business and individual owners respectively of the cz.cc service that issued more than 3,700 subdomains that infected computers that were used to connect to the Kelihos command and control servers. Kelihos operators then sent instructions causing the machines to pump out spam promoting illegal pharmaceutical drugs and to upload email addresses, FTP login credentials, and Bitcoin wallets.

According to Boscovich, Piatti's service was associated with other internet scams, including a bogus piece of antivirus software called MacDefender, which caused Apple support calls to spike earlier this year when huge numbers of Mac users were tricked into installing it. In May, Google blocked more than 200,000 cz.cc subdomains and reported that they were hosting malware before eventually reinstating them.

Now that Microsoft has obtained the cz.cc domain, it is working with Piatti to determine which ones are being used legitimately, so customers of his can get back online quickly.

According to IDG News, which reported the takedown earlier, Piatti declined to comment for the article except to say: “I would be glad to give you my side of the story, but I feel that I should hire a lawyer first.” ®

Secure remote control for conventional and virtual desktops

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.