Microsoft Does it Again, Takes Down Kelihos BotnetWritten by Casper Manes on September 28, 2011
On 2011-09-27, Microsoft announced that the Digital Crimes Unit successfully ended the Kelihos botnet, also known as the Waledac 2.0 botnet, and served notice against some of the alleged perpetrators. Dominique Alexander Piatti, the dotFREE Group SRO, and twenty-two John Doe defendants are all alleged to be in control of the botnet and the Internet domains used to control it.
Operation b79 is the codename assigned to the investigation, the third major initiative of Project MARS, the Microsoft Active Response for Security program. The DCU worked closely with the Trustworthy Computing Team and Malware Protection Center to combat botnets, which benefits the entire Internet community; not just Microsoft’s customers. Kelihos may not have been as large as Waledac, but with an estimated 41,000 compromised hosts, it was capable of sending out over 3.8 billion spam messages a day. Kelihos was spreading, which means that this takedown probably prevented a larger problem from happening.
The DCU gathered enough evidence against the defendants to obtain an ex parte temporary restraining order, which was issued by the US District Court for the Eastern District of Virginia. Kyrus Tech, Inc., a declarant in this action, is based within that jurisdiction. The restraining order enabled the severing of connections between infected computers and the command and control servers hosted within the cz.cc domains.
Notices of civil court proceedings were served to Piatti the same day. While Kelihos was not as massive a botnet as Waledac, this represents the first time that a named defendant was served notice the same day as the botnet was taken offline. Work is ongoing to identify and serve the other twenty-two defendants.
Microsoft’s Digital Crimes Unit (DCU) analyzed the Kelihos code, and identified large segments of the code in common with Waledac. This indicates that both were developed by the same author(s), or that Kelihos is an updated version of Waledac. The DCU also determined through their investigation that Piatti and the dotFREE Group SRO, along with others, own the cz.cc and subdomains including lewgdooi.cz.cc, and were using them to control the Kelihos botnet. These and other subdomains are associated with other suspect activities, including the delivery of the MacDefender scareware that infected computers running Apple’s operating system. Google had also previously blocked domains under cz.cc from search results because the websites were hosting various types of malware.
Notices of civil court proceedings were served to Piatti the same day. While Kelihos was not as massive a botnet as Waledac, this represents the first time that a named defendant was served notice the same day as the botnet was taken offline.
You can read more about the DCU investigation, and the legal actions taken against the defendants at http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx.