Building on the recent successes of the Rustock and Waledac botnet takedowns, I’m pleased to announce that Microsoft has taken down the Kelihos botnet in an operation codenamed “Operation b79” using similar legal and technical measures that resulted in our previous successful botnet takedowns.
Kelihos, also known by some as “Waledac 2.0” given its suspected ties to the first botnet Microsoft took down, is not as massive as the Rustock spambot. However, this takedown represents a significant advance in Microsoft’s fight against botnets nonetheless. This takedown will be the first time Microsoft has named a defendant in one of its civil cases involving a botnet and as of approximately 8:15 a.m. Central Europe time on Sept. 26th, the defendants were personally notified of the action.
The Kelihos takedown is intended to send a strong message to those behind botnets that it’s unwise for them to simply try to update their code and rebuild a botnet once we’ve dismantled it. When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold botherders accountable for their actions.
In the complaint, Microsoft alleges that Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 own the domain cz.cc and used cz.cc to register other subdomains, such as lewgdooi.cz.cc, that were used to operate and control the Kelihos botnet. Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities.
For instance, our investigation revealed that in addition to hosting Kelihos, the defendants’ cz.cc domain has previously been investigated for hosting subdomains responsible for delivering MacDefender, a type of scareware that infects Apple’s operating system. Also, in May 2011, Google temporarily blocked subdomains hosted under the cz.cc domain from its search results after Google discovered that the domain was hosting malware, although Google reinstated the subdomains after the defendant allegedly corrected the problem.
Microsoft also alleges that Dominique Alexander Piatti, dotFREE Group SRO and the John Doe defendants committed some of the same violations alleged in the successful legal cases against the operators of the Waledac and Rustock botnets. Kelihos infected Internet users’ computers with malicious software which allowed the botnet to surreptitiously control a person’s computer and use it for a variety of illegal activities, including sending out billions of spam messages, harvesting users’ personal information (such as e-mails and passwords), running fraudulent stock scams and, in some instances, promoting websites involved in the sexual exploitation of children.
Similar to Rustock, some of the spam messages also promoted potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and Windows operating system to carry out these illegal activities.
On Sept. 22nd, Microsoft filed for an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22. The court granted our request, allowing us to sever the known connections between the Kelihos botnet and the individual “zombie computers” under its control. Immediately following the takedown on Sept. 26th, we served Dominique Alexander Piatti, who was living and operating his business in the Czech Republic, and dotFREE Group SRO, with notice of the lawsuit and began discussions with Mr. Piatti to determine which of his subdomains were being used for legitimate business, so we could get those customers back online as soon as possible. We are also beginning our efforts to notify the other John Doe defendants in this case, and will be actively continuing our investigation to find out more about the people behind this botnet.
Naming defendants in this case marks a big step forward for Microsoft in making good on its commitment to aggressively protect its platform and customers against abuse from whomever and wherever it may originate. Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers. Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight. By taking down the botnet infrastructure, we hope that this will help deter and raise the cost of committing cybercrime.
Additionally, this case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way.
Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.
The takedown of the Kelihos botnet represents an important element in our botnet fighting efforts. Microsoft’s analysis of the Kelihos botnet showed large portions of Kelihos code were shared with Waledac, which suggested that Kelihos was either from the same parties or that the code was obtained, updated and reused. Once we learned of the apparent relationship to Waledac, we immediately began developing a plan to take out Kelihos using similar technical measures.
Although Kelihos was considered a relatively small botnet (our investigations to date indicate that approximately 41,000 computers worldwide are infected with Kelihos, and that Kelihos was capable of sending 3.8 billion spam e-mails per day) and we do not expect its disruption to have the breadth of impact on the Internet that our prior takedowns did, we took this action before the botnet had an opportunity to grow further and because we believe accountability is important.
Cleaning up computers infected with the botnet malware is also a very important part of every Microsoft botnet takedown operation, and we are planning to work with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) to repair the damage caused by Kelihos as we have with Rustock and Waledac. To assist in that process, the Microsoft Malware Protection Center will add the Win32/Kelihos family in a second release of the Malicious Software Removal Tool later today to help minimize the malware’s future impact. And, as we have since the beginning of our botnet takedown initiative, we continue to provide free tools and information to help customers clean and regain control of their computers at http://support.microsoft.com/botnets.
Operation b79 is Microsoft’s third Project MARS (Microsoft Active Response for Security) initiative. Project MARS is a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. We learn important new information about the global botnet threat during every takedown, and we will continue to share threat intelligence gained in this effort with customers, partners and the global community to further disrupt cybercrime worldwide.
Taking down botnets requires a collaborative effort and no single organization can do it alone. We would like to thank everyone who helped support this and prior takedowns, including Kyrus Tech Inc., which served as a declarant in the legal case that enabled this takedown.
Posted by Richard Domingues Boscovich
Senior Attorney, Microsoft Digital Crimes Unit