Microsoft Takes Down Kelihos Botnet

Continuing its legal assault on botnet operators and the hosting companies that the criminals use for their activities, Microsoft has announced new actions against a group of people it contends are responsible for the operation of the Kelihos botnet. The company has also helped to take down the botnet itself and says that Kelihos’s operators were using it not only to send out spam and steal personal information but also for some more nefarious purposes.

Kelihos, which is sometimes grouped with the better-known Waledac botnet, is a fairly small botnet, at an estimated 41,000 machines, but Microsoft officials said that the network was being used for a wide variety of activities, including child pornography. On Tuesday Microsoft notified the defendants in the civil cases it has filed in relation to the Kelihos botnet, and last week the company also obtained a temporary restraining order in federal court in Virginia against a man in the Czech Republic named Dominique Alexander Piatti and 22 unnamed people in connection with the operation of the botnet.

“On Sept. 22nd, Microsoft filed for an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22. The court granted our request, allowing us to sever the known connections between the Kelihos botnet and the individual ‘zombie computers’ under its control. Immediately following the takedown on Sept. 26th, we served Dominique Alexander Piatti, who was living and operating his business in the Czech Republic, and dotFREE Group SRO, with notice of the lawsuit and began discussions with Mr. Piatti to determine which of his subdomains were being used for legitimate business, so we could get those customers back online as soon as possible. We are also beginning our efforts to notify the other John Doe defendants in this case, and will be actively continuing our investigation to find out more about the people behind this botnet,” Richard Boscovich, senior attorney in Microsoft’s Digital Crimes Unit, said in a blog post on the takedown operation.

The restraining order allowed Microsoft to disable the IP addresses and domains involved in the Kelihos botnet’s operation without notifying the alleged operators in advance. The botnet comprised just two IP addresses running the command-and-control servers and 21 separate domains. In its petition for the restraining order, Microsoft said that Kelihos-infected machines sent out huge volumes of spam, including the typical stock and pharmaceutical scams, but also some messages that appear to promote sites engaged in child pornography.

This is the latest in a series of similar actions that Microsoft’s Digital Crimes Unit has initiated against botnets in the last couple of years. In March the company and researchers from FireEye took down the Rustock botnet, which was a much larger and more disruptive network than Kelihos. A year earlier, Microsoft helped take down the Waledac botnet with similar tactics.

But the takedown of Kelihos and the related legal action differ from previous operations in that Microsoft is not only going after the botnet’s domains and IP addresses but is also naming the person whom it considers responsible for operating the network. Boscovich also said in his blog post that Microsoft hopes the Kelihos takedown will send a message to botnet operators and hosting providers about how seriously the company takes the problem.

“Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers. Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight. By taking down the botnet infrastructure, we hope that this will help deter and raise the cost of committing cybercrime,” Boscovich wrote.

Discussion

  • DanL on

    It is good, but much better would be not to sell a product that is insecure and full of bugs. All these botnets exploit conceptual flaws of the product. If the same thing happened with another product, such as a car, the manufacturer would have been found guilty. Shame on Microsoft!

  • RAWoD on

    Holes in an operating system or applications provide one way that botnet builders use. Sadly, the more frequently used infection seems to be via the weakest part of the man / machine relationship -- the man. How many times have you assumed a hyperlink just takes you to where you want to go? Just because the link says "rewards.com" doesn't mean jack.

  • Anonymous on

    To RAWoD's point, SPAM is not so much about exploiting a flaw in an OS as it is about exploiting the flaw in human nature. Mass SPAM is sent out to e-mail addresses without regard to the receiving OS; if the end user chooses to react to that SPAM, either by clicking a link to an infected site or by running embedded malicious code, then the issue shifts to the OS. However, some SPAM merely relies on the user's own culpability to give up their credit card number in exchange for a non-existent product. If 1 out of every 5,000 e-mails generates a paid response, then the spammer has made money due to the low cost associated with sending out the SPAM.
