Microsoft said it delivered a fatal legal blow to Kelihos, a botnet that stole sensitive personal information stored on computers it infected, and was capable of delivering almost 4 billion spam messages per day.
The takedown was achieved in part by obtaining a secret court order shutting down 21 internet addresses, including cz.cc, a free domain name registration service based in the Czech Republic. The underlying lawsuit was unsealed only after the command and control servers that relied on the domains were severed from the internet, making it impossible for the 42,000 or so infected computers to receive updated software and instructions from the Kelihos operators.
The knockout is the third time Microsoft has combined its technical and legal might to disrupt a botnet menacing its customers. In March, Redmond took credit for bringing down Rustock, a rogue network that turned about 1.6 million PCs into spam-spewing monsters. That achievement came after Microsoft worked to identify the domains and servers used to administer Rustock, so they could be confiscated all at once.
Ironically, Kelihos code bore a striking technical resemblance to Waledac, another spam botnet that Microsoft disabled early last year. Redmond's lawyers swooped down on Kelihos after some researchers suspected it was an attempt to rebuild Waledac.
“The Kelihos takedown is intended to send a strong message to those behind botnets that it's unwise for them to simply try to update their code and rebuild a botnet once we've dismantled it,” Richard Domingues Boscovich, a senior attorney in Microsoft's Digital Crimes Unit, wrote in a blog post published Tuesday. “When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold bot herders accountable for their actions.”
A complaint filed in US District Court in Alexandria, Virginia, named 22 John Doe defendants, along with dotFREE SRO and Dominique Alexander Piatti, the business and individual owners respectively of the cz.cc service that issued more than 3,700 subdomains that infected computers that were used to connect to the Kelihos command and control servers. Kelihos operators then sent instructions causing the machines to pump out spam promoting illegal pharmaceutical drugs and to upload email addresses, FTP login credentials, and Bitcoin wallets.
According to Boscovich, Piatti's service was associated with other internet scams, including a bogus piece of antivirus software called MacDefender, which caused Apple support calls to spike earlier this year when huge numbers of Mac users were tricked into installing it. In May, Google blocked more than 200,000 cz.cc subdomains and reported that they were hosting malware before eventually reinstating them.
Now that Microsoft has obtained the cz.cc domain, it is working with Piatti to determine which ones are being used legitimately, so customers of his can get back online quickly.
According to IDG News, which reported the takedown earlier, Piatti declined to comment for the article except to say: “I would be glad to give you my side of the story, but I feel that I should hire a lawyer first.” ®