Feeds

Microsoft delivers fatal blow to yet another botnet

Kelihos, we hardly knew ye

Seven Steps to Software Security

Microsoft said it delivered a fatal legal blow to Kelihos, a botnet that stole sensitive personal information stored on computers it infected, and was capable of delivering almost 4 billion spam messages per day.

The takedown was achieved in part by obtaining a secret court order shutting down 21 internet addresses, including cz.cc, a free domain name registration service based in the Czech Republic. The underlying lawsuit was unsealed only after the command and control servers that relied on the domains were severed from the internet, making it impossible for the 42,000 or so infected computers to receive updated software and instructions from the Kelihos operators.

The knockout is the third time Microsoft has combined its technical and legal might to disrupt a botnet menacing its customers. In March, Redmond took credit for bringing down Rustock, a rogue network that turned about 1.6 million PCs into spam-spewing monsters. That achievement came after Microsoft worked to identify the domains and servers used to administer Rustock, so they could be confiscated all at once.

Ironically, Kelihos code bore a striking technical resemblance to Waledac, another spam botnet that Microsoft disabled early last year. Redmond's lawyers swooped down on Kelihos after some researchers suspected it was an attempt to rebuild Waledac.

“The Kelihos takedown is intended to send a strong message to those behind botnets that it's unwise for them to simply try to update their code and rebuild a botnet once we've dismantled it,” Richard Domingues Boscovich, a senior attorney in Microsoft's Digital Crimes Unit, wrote in a blog post published Tuesday. “When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold bot herders accountable for their actions.”

A complaint filed in US District Court in Alexandria, Virginia, named 22 John Doe defendants, along with dotFREE SRO and Dominique Alexander Piatti, the business and individual owners respectively of the cz.cc service that issued more than 3,700 subdomains that infected computers that were used to connect to the Kelihos command and control servers. Kelihos operators then sent instructions causing the machines to pump out spam promoting illegal pharmaceutical drugs and to upload email addresses, FTP login credentials, and Bitcoin wallets.

According to Boscovich, Piatti's service was associated with other internet scams, including a bogus piece of antivirus software called MacDefender, which caused Apple support calls to spike earlier this year when huge numbers of Mac users were tricked into installing it. In May, Google blocked more than 200,000 cz.cc subdomains and reported that they were hosting malware before eventually reinstating them.

Now that Microsoft has obtained the cz.cc domain, it is working with Piatti to determine which ones are being used legitimately, so customers of his can get back online quickly.

According to IDG News, which reported the takedown earlier, Piatti declined to comment for the article except to say: “I would be glad to give you my side of the story, but I feel that I should hire a lawyer first.” ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.