Continuing its legal assault on botnet operators and the hosting companies that the criminals use for their activities, Microsoft has announced new actions against a group of people it contends are responsible for the operation of the Kelihos botnet. The company has also helped to take down the botnet itself and says that Kelihos’s operators were using it not only to send out spam and steal personal information but also for some more nefarious purposes.
Kelihos, which is sometimes grouped in with the more well-known Waledac botnet, is a fairly small botnet, at an estimated 41,000 machines, but Microsoft officials said that the network was being used for a large variety of activities, including child pornography. Microsoft on Tuesday notified the defendants in the civil cases it has filed in relation to the Kelihos botnet and last week the company also got a temporary restraining order in federal court in Virginia against a man in the Czech Republic named Dominique Alexander Piatti and 22 unnamed people in connection with the operation of the botnet.
“On Sept. 22nd, Microsoft filed for an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22. The court granted our request, allowing us to sever the known connections between the Kelihos botnet and the individual “zombie computers” under its control. Immediately following the takedown on Sept. 26th, we served Dominique Alexander Piatti, who was living and operating his business in the Czech Republic, and dotFREE Group SRO, with notice of the lawsuit and began discussions with Mr. Piatti to determine which of his subdomains were being used for legitimate business, so we could get those customers back online as soon as possible. We are also beginning our efforts to notify the other John Doe defendants in this case, and will be actively continuing our investigation to find out more about the people behind this botnet,” Richard Boscovich, senior attorney in Microsoft’s Digital Crimes Unit, said in a blog post on the takedown operation.
The restraining order allowed Microsoft to disable the IP addresses and domains involved in the Kelihos botnet’s operation without notifying the alleged operators in advance. The botnet comprised just two IP addresses running the command-and-control servers and 21 separate domains. In its petition for the restraining order, Microsoft said that Kelihos-infected machines sent out huge volumes of spam, including the typical stock and pharmaceutical scams, but also some messages that appear to promote sites engaged in child pornography.
This is the latest in a series of similar actions that Microsoft’s Digital Crimes Unit has initiated against botnets in the last couple of years. In March the company and researchers from FireEye took down the Rustock botnet, which was a much larger and more disruptive network than Kelihos. A year earlier, Microsoft helped take down the Waledac botnet with similar tactics.
But the takedown of Kelihos and the related legal action is different from previous operations in that not only is Microsoft going after the botnet domains and IP addresses, but it is naming the person that it considers to be responsible for the operation of the network. Boscovich also said in his blog post that Microsoft hopes the Kelihos takedown will send a message to botnet operators and hosting providers about the company’s seriousness in addressing the problem.
“Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers. Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight. By taking down the botnet infrastructure, we hope that this will help deter and raise the cost of committing cybercrime,” Boscovich wrote.