Days after wrapping up its civil case against the Rustock botnet, Microsoft is back in court, this time to shut down the Kelihos network.
Using the same technique that had worked so well in its previous campaigns against the Rustock and Waledac, Microsoft asked the United States District Court for the Eastern District of Virginia to order VeriSign to shut down 21 Internet domains associated with the Kelihos botnet, the company wrote on The Official Microsoft Blog. The botnet’s command and control servers were running on two IP addresses and 21 domains, according to Richard Boscovich, a senior attorney with Microsoft’s digital crimes unit.
Kelihos is considered to be a small botnet, estimated to have about 41,000 infected computers under its control, according to Microsoft. Despite its size, Kelihos was responsible for nearly 4 billion spam messages per day, including stock scams, adult content, illegal pharmaceuticals and malware. Many security researchers have speculated that it was built by the same criminals that ran Waledac before Microsoft derailed that operation in March.
Once Microsoft learned that Kelihos “shared” large portions of its code with Waledac and was somehow linked with the earlier botnet, the company “immediately began developing a plan to take out Kelihos using similar technical measures,” Boscovich wrote. “We took this action before the botnet had an opportunity to grow further,” he added.
Microsoft does “not expect” the disruption of Kelihos to have “the breadth of impact” on the Internet that previous takedowns did, Boscovich said.
While Microsoft got the court order for Operation b79 on Sept. 22, that allowed it to “sever the known connections” between the command and control servers and infected zombie computers, the order remained sealed until Sept. 26 when Microsoft’s lawyers issued court summons to Dominique Piatti, owner of the DotFree Group in the Czech Republic. Piatti and 22 other “John Does” have been named as defendants in the case. The sites were all taken down by early morning Sept. 27.
This is the first time Microsoft has named defendants in its takedown attempts. “Naming these defendants also helps expose how cyber-crime is enabled when domain providers and other cyber-infrastructure providers fail to know their customers,” Boscovich wrote.
The temporary restraining order allowed Microsoft to disable IP addresses and domains without notifying the alleged operators in advance. Microsoft has also updated the Malicious Software Removal Tool with the signature to remove the botnet agent from infected machines. The company will work with Internet service providers and Community Emergency Response Teams (CERT) to help with remediation.
All but one of the Internet domains that VeriSign had to take offline were anonymously registered in the Bahamas, but one cz.cc domain was registered to Piatti in the Czech Republic, according to Microsoft. Criminals were directly using the domains or registering sub-domains to run command and control servers and other malicious activity, such as hosting the Mac Defender fake antivirus that targeted Mac OS X users in May.
While Microsoft attorneys served Piatti with a court summons, they are also working with the DotFree Group to identify which domains are legitimate and get real customers back online.
“Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight. By taking down the botnet infrastructure, we hope that this will help deter and raise the cost of committing cyber-crime,” Boscovich wrote
Microsoft wrapped up its civil case against the Rustock botnet and handed over the information it had collected to the Federal Bureau of Investigation on Sept. 22. While its $250,000 bounty is still in place for new information about the Rustock gang, Microsoft is redirecting all tips to the FBI’s Rustock tips email account: [email protected]
U.S. District Court Judge James L Robart also gave Microsoft the right to lock up 50,000 domain names and IP addresses that had been used by Rustock to infect other machines. The addresses would be removed from circulation for the next two years, Robart ruled.