Microsoft obtained a court order to block the command and control servers held by the Kelihos botnet, also known as Waldedac 2.0 before it could grow and become more disruptive.
Days after wrapping up its civil case against the Rustock
botnet, Microsoft is back in court, this time to shut down the Kelihos network.
Using the same
technique that had worked so well in its previous campaigns against the Rustock
and Waledac, Microsoft asked the United States District Court for the Eastern
District of Virginia to order VeriSign to shut down 21 Internet domains
associated with the Kelihos botnet, the company wrote on The Official Microsoft Blog.
The botnet's command
and control servers were running on two IP addresses and 21 domains, according
to Richard Boscovich, a senior attorney with Microsoft's digital crimes unit.
considered to be a small botnet, estimated to have about 41,000 infected
computers under its control, according to Microsoft. Despite its size, Kelihos
was responsible for nearly 4 billion spam messages per day, including stock
scams, adult content, illegal pharmaceuticals and malware. Many security
researchers have speculated that it was built by the same criminals that ran
Waledac before Microsoft derailed that operation in March.
learned that Kelihos "shared" large portions of its code with Waledac
and was somehow linked with the earlier botnet, the company "immediately
began developing a plan to take out Kelihos using similar technical
measures," Boscovich wrote. "We took this action before the botnet
had an opportunity to grow further," he added.
"not expect" the disruption of Kelihos to have "the breadth of
impact" on the Internet that previous takedowns did, Boscovich said.
Microsoft got the court order for Operation b79
on Sept. 22, that allowed it to
"sever the known connections" between the command and control servers
and infected zombie computers, the order remained sealed until Sept. 26 when
Microsoft's lawyers issued court summons to Dominique Piatti, owner of the DotFree
Group in the Czech Republic. Piatti and 22 other "John Does" have
been named as defendants in the case. The sites were all taken down by early
morning Sept. 27.
This is the
first time Microsoft has named defendants in its takedown attempts. "Naming
these defendants also helps expose how cyber-crime is enabled when domain
providers and other cyber-infrastructure providers fail to know their
customers," Boscovich wrote.
restraining order allowed Microsoft to disable IP addresses and domains without
notifying the alleged operators in advance. Microsoft has also updated the
Malicious Software Removal Tool with the signature to remove the botnet agent
from infected machines. The company will work with Internet service providers
and Community Emergency Response Teams (CERT) to help with remediation.
All but one of
the Internet domains that VeriSign had to take offline were anonymously
registered in the Bahamas, but one cz.cc domain was registered to Piatti in the
Czech Republic, according to Microsoft. Criminals were directly using the
domains or registering sub-domains to run command and control servers and other
malicious activity, such as hosting the Mac Defender fake antivirus that
targeted Mac OS X users in May.
Microsoft attorneys served Piatti with a court summons, they are also working
with the DotFree Group to identify which domains are legitimate and get real
customers back online.
a domain infrastructure like the one allegedly hosted by Mr. Piatti and his
company, botnet operators and other purveyors of scams and malware would find
it much harder to operate anonymously and out of sight. By taking down the
botnet infrastructure, we hope that this will help deter and raise the cost of
committing cyber-crime," Boscovich wrote
wrapped up its civil case against the Rustock botnet and handed over the
information it had collected to the Federal Bureau of Investigation on Sept.
22. While its $250,000 bounty is still in place for new information about the
Rustock gang, Microsoft is redirecting all tips to the FBI's Rustock tips email
Court Judge James L Robart also gave Microsoft the right to lock up 50,000
domain names and IP addresses that had been used by Rustock to infect other
machines. The addresses would be removed from circulation for the next two
years, Robart ruled.