Feeds

Microsoft delivers fatal blow to yet another botnet

Kelihos, we hardly knew ye

Next gen security for virtualised datacentres

Microsoft said it delivered a fatal legal blow to Kelihos, a botnet that stole sensitive personal information stored on computers it infected, and was capable of delivering almost 4 billion spam messages per day.

The takedown was achieved in part by obtaining a secret court order shutting down 21 internet addresses, including cz.cc, a free domain name registration service based in the Czech Republic. The underlying lawsuit was unsealed only after the command and control servers that relied on the domains were severed from the internet, making it impossible for the 42,000 or so infected computers to receive updated software and instructions from the Kelihos operators.

The knockout is the third time Microsoft has combined its technical and legal might to disrupt a botnet menacing its customers. In March, Redmond took credit for bringing down Rustock, a rogue network that turned about 1.6 million PCs into spam-spewing monsters. That achievement came after Microsoft worked to identify the domains and servers used to administer Rustock, so they could be confiscated all at once.

Ironically, Kelihos code bore a striking technical resemblance to Waledac, another spam botnet that Microsoft disabled early last year. Redmond's lawyers swooped down on Kelihos after some researchers suspected it was an attempt to rebuild Waledac.

“The Kelihos takedown is intended to send a strong message to those behind botnets that it's unwise for them to simply try to update their code and rebuild a botnet once we've dismantled it,” Richard Domingues Boscovich, a senior attorney in Microsoft's Digital Crimes Unit, wrote in a blog post published Tuesday. “When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold bot herders accountable for their actions.”

A complaint filed in US District Court in Alexandria, Virginia, named 22 John Doe defendants, along with dotFREE SRO and Dominique Alexander Piatti, the business and individual owners respectively of the cz.cc service that issued more than 3,700 subdomains that infected computers that were used to connect to the Kelihos command and control servers. Kelihos operators then sent instructions causing the machines to pump out spam promoting illegal pharmaceutical drugs and to upload email addresses, FTP login credentials, and Bitcoin wallets.

According to Boscovich, Piatti's service was associated with other internet scams, including a bogus piece of antivirus software called MacDefender, which caused Apple support calls to spike earlier this year when huge numbers of Mac users were tricked into installing it. In May, Google blocked more than 200,000 cz.cc subdomains and reported that they were hosting malware before eventually reinstating them.

Now that Microsoft has obtained the cz.cc domain, it is working with Piatti to determine which ones are being used legitimately, so customers of his can get back online quickly.

According to IDG News, which reported the takedown earlier, Piatti declined to comment for the article except to say: “I would be glad to give you my side of the story, but I feel that I should hire a lawyer first.” ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.