Microsoft revealed on Tuesday that it has successfully completed yet another botnet takedown.
The software giant has taken down the Kelihos botnet in an operation codenamed “Operation b79”. Microsoft used the same tactics and legal powers that it used in the Waledac and Rustock botnet takedowns. Kelihos is often referred to as “Waledac 2.0” thanks to its close ties with the original Waledac botnet. The takedown marks the first time that Microsoft has named a defendant in one of its civil cases involving botnet operators. The suspected Kelihos botnet operators were informed at 8:15AM Central European Time (CET) on September 26.
“The Kelihos takedown is intended to send a strong message to those behind botnets that it’s unwise for them to simply try to update their code and rebuild a botnet once we’ve dismantled it,” said Microsoft Digital Crimes Unit Senior Attorney Richard Domingues Boscovich in a blog post on Tuesday. “When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold botherders accountable for their actions.”
Microsoft alleges that Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 owned the domain cz.cc and used cz.cc to operate and control the Kelihos botnet. “Our investigation revealed that in addition to hosting Kelihos, defendants’ cz.cc domain has previously been investigated for hosting subdomains responsible for delivering MacDefender, a type of scareware that infects Apple’s operating system,” revealed Boscovich. Microsoft filed for an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against the alleged Kelihos botnet operators. The court granted Microsoft’s request and the company was able to take the botnet down on September 26.
“Naming defendants in this case marks a big step forward for Microsoft in making good on its commitment to aggressively protect its platform and customers against abuse from whomever and wherever it may originate,” says Boscovich. Microsoft notes that approximately 41,000 computers worldwide are infected with Kelihos and that the botnet was capable of sending 3.8 billion spam emails per day. “We do not expect its disruption to have the breadth of impact on the Internet that our prior takedowns did; we took this action before the botnet had an opportunity to grow further and because we believe accountability is important,” says Boscovich.
Microsoft has previously crippled the Rustock and Waledac spam botnets. Early last year Microsoft announced that, together with industry partners, it had executed a major takedown of Waledac, a large and well-known “spambot”. At the time the software giant said it was looking to be “even more creative and aggressive in the fight against botnets and all forms of cybercrime.” Microsoft’s second botnet takedown, Rustock, was the largest source of spam in the world, consisting of around 150,000 machines sending around 30 billion spam email messages each day.
Botnets are networks of compromised computers controlled by “bot herders” or “bot masters”, who use the thousands (sometimes millions) of compromised Windows machines to distribute adware and spyware, send spam email, and launch DDoS attacks. Bot software is typically installed on end users’ machines through web browser vulnerabilities, worms, Trojan horses, or backdoors. The bot master then controls the machines by issuing commands over a command-and-control channel, classically an IRC channel that every infected machine joins, although botnets also use HTTP and peer-to-peer schemes for the same purpose, which makes them harder to disrupt by taking a single server offline.
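To make the IRC command-and-control model concrete, here is an added example (not part of the original article, and not code from Microsoft or from the Kelihos investigation) showing the kind of heuristic a network defender could run over IRC traffic logs to spot a host that looks like a bot rather than a human IRC user. The log format, the IP addresses, the channel name, the bot-style nickname pattern and the command-verb watchlist are all constructed assumptions for the demonstration; real bot families vary in all of them.

```python
import re
from collections import defaultdict

# Constructed sample of IRC traffic as a network sensor might log it
# ("<timestamp> <src>-><dst>:<port> <raw IRC line>"). Not real captures.
# Host 10.0.0.12 behaves like a bot; host 10.0.0.30 is an ordinary IRC user.
SAMPLE_LOG = """\
2011-09-26T08:15:01Z 10.0.0.12->203.0.113.5:6667 NICK [USA|XP]-48213
2011-09-26T08:15:01Z 10.0.0.12->203.0.113.5:6667 USER abc 0 0 :abc
2011-09-26T08:15:02Z 10.0.0.12->203.0.113.5:6667 JOIN #bots secretkey
2011-09-26T08:15:40Z 203.0.113.5->10.0.0.12:6667 :herder!h@c2 PRIVMSG #bots :.ddos.syn 198.51.100.7 80 600
2011-09-26T08:16:02Z 203.0.113.5->10.0.0.12:6667 :herder!h@c2 PRIVMSG #bots :.download http://203.0.113.9/upd.exe 1
2011-09-26T08:17:10Z 10.0.0.30->198.51.100.44:6667 NICK alice
2011-09-26T08:17:11Z 10.0.0.30->198.51.100.44:6667 JOIN #linux
2011-09-26T08:17:30Z 198.51.100.44->10.0.0.30:6667 :bob!b@host PRIVMSG #linux :anyone tried the new kernel?
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)->(?P<dst>[\d.]+):(?P<port>\d+) (?P<msg>.*)$"
)
# Server-to-client lines carry a ":nick!user@host " prefix before the command.
PREFIX_RE = re.compile(r"^:\S+ ")
# Heuristic: auto-generated nicks of the form [COUNTRY|OS]-digits (assumed pattern).
BOT_NICK_RE = re.compile(r"^NICK \[[A-Z]{2,4}\|[A-Za-z0-9]+\]-\d+$")
# JOIN with a channel key: herders often lock the control channel.
JOIN_KEY_RE = re.compile(r"^JOIN (#\S+) (\S+)$")
PRIVMSG_RE = re.compile(r"^PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# Command verbs after a '.' or '!' prefix; an assumed watchlist, not exhaustive.
CMD_RE = re.compile(r"^[.!](?P<verb>ddos|syn|udp|download|update|scan|spam|exec)\b", re.I)


def is_internal(ip):
    """Assumed monitored address space for the example."""
    return ip.startswith("10.")


def analyse(log_text):
    """Return {monitored_host: [(indicator, detail), ...]} for each host that
    shows at least one bot-like IRC behaviour."""
    indicators = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than crash the pass
        src, dst = m["src"], m["dst"]
        host = src if is_internal(src) else dst
        msg = PREFIX_RE.sub("", m["msg"], count=1)
        if BOT_NICK_RE.match(msg):
            indicators[host].append(("bot-style nick", msg))
            continue
        j = JOIN_KEY_RE.match(msg)
        if j:
            indicators[host].append(("keyed channel join", j.group(1)))
            continue
        p = PRIVMSG_RE.match(msg)
        if p and CMD_RE.match(p["text"]):
            # A command received from the channel is the strongest signal:
            # it is the herder instructing the bot.
            indicators[host].append(("c2 command", p["text"]))
    return dict(indicators)


def suspected_bots(log_text, threshold=2):
    """Hosts with at least `threshold` independent indicators, sorted."""
    return sorted(h for h, ind in analyse(log_text).items() if len(ind) >= threshold)


if __name__ == "__main__":
    for host, ind in analyse(SAMPLE_LOG).items():
        print(host)
        for kind, detail in ind:
            print(f"  {kind}: {detail}")
    print("suspected bots:", suspected_bots(SAMPLE_LOG))
```

Requiring two independent indicators before flagging a host keeps a single keyed JOIN or an odd nickname from producing an alert on its own; in practice the verb list and nick pattern would be tuned to the bot family being hunted, and none of this applies to a botnet that, unlike the classic IRC design, talks HTTP or peer-to-peer.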