Microsoft takes down Kelihos botnet
Written by Ron on September 27, 2011 - 09:51AM
Microsoft revealed today that it has asked a US court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers of the Kelihos botnet. This takedown is the first time Microsoft has named a defendant in one of its civil cases against a botnet.
"Building on the recent successes of the Rustock and Waledac botnet takedowns, I'm pleased to announce that Microsoft has taken down the Kelihos botnet in an operation codenamed 'Operation b79' using similar legal and technical measures that resulted in our previous successful botnet takedowns," Microsoft's Digital Crimes Unit Senior Attorney Richard Boscovich stated.
Microsoft is accusing Dominique Alexander Piatti, dotFree Group SRO, and John Does 1-22 of owning the domain cz.cc and using it to register subdomains such as lewgdooi.cz.cc. These subdomains were used to control and operate the Kelihos botnet.
"Our investigation showed that while some of the defendant's subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities. For instance, our investigation revealed that in addition to hosting Kelihos, defendants' cz.cc domain has previously been investigated for hosting subdomains responsible for delivering MacDefender, a type of scareware that infects Apple's operating system. Also, in May 2011, Google temporarily blocked subdomains hosted by the cz.cc domain from its search results after it discovered it was hosting malware, although Google reinstated the subdomains after the defendant allegedly corrected the problem," Microsoft stated.
Like the Rustock botnet, Kelihos sent spam messages promoting potentially dangerous counterfeit or unapproved pharmaceuticals from unlicensed and unregulated online drug sellers. "Kelihos also abused Microsoft's Hotmail accounts and Windows operating system to carry out these illegal activities," Microsoft added.
This is the third botnet Microsoft has taken down under a project called MARS (Microsoft Active Response for Security). The project is run by the company's Digital Crimes Unit and the Malware Protection Center, together with the Trustworthy Computing Team. As Microsoft puts it, the project exists to "annihilate botnets and advance the security of the Internet for everyone."