Microsoft Takes Down Kelihos Botnet - Names Perp
In a first, Microsoft and authorities have not only taken down a dangerous "botnet" but have also identified the malware's owner.
Microsoft, in the past week, successfully took down another "botnet" -- a network of "zombie" computers under the coordinated control of a malware network unbeknownst to the computers' users.
While the botnet, dubbed Kelihos and apparently run out of a domain in the Czech Republic, was still small -- about 41,000 captive PCs used to distribute malware, scareware, spams, child pornography, and other questionable content worldwide -- for the first time Microsoft (NASDAQ: MSFT) was able to identify a defendant in a civil case against botnet perpetrators.
"Building on the recent successes of the Rustock and Waledac botnet takedowns, I’m pleased to announce that Microsoft has taken down the Kelihos botnet in an operation codenamed 'Operation b79' using similar legal and technical measures that resulted in our previous successful botnet takedowns," Richard Domingues Boscovich, senior attorney in Microsoft's Digital Crimes Unit, said in a post on the The Official Microsoft Blog on Tuesday.
In past takedowns, Microsoft and authorities have been unable to actually identify the person or persons responsible for the illegal activities, even though they successfully dismembered the botnets.
In this case, the software giant filed suit against the alleged perpetrators in U.S. District Court for the Eastern District of Virginia on Sept. 22 and the court granted a restraining order letting Microsoft sever links between the Kelihos botnet and the net's zombies -- thus taking down the net.
"Immediately following the takedown on Sept. 26, we served Dominique Alexander Piatti, who was living and operating his business in the Czech Republic, and dotFREE Group SRO [and 22 other 'John Does'], with notice of the lawsuit and began discussions with Mr. Piatti to determine which of his subdomains were being used for legitimate business, so we could get those customers back online as soon as possible," Boscovich said.
Why is naming potential defendants important?
"Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight," the post said. "Through this case, we hope to demonstrate that if domain owners don't hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure."
In the meantime, Microsoft is in the process of upgrading its Malicious Software Removal Tool to identify and remove the botnet software from infected PCs.
July 18, 2011
The reward is available to anyone offering new information that results in the arrest and conviction of the botnet's operators.