SOFTWARE GIANT Microsoft is patting itself on the back for taking down yet another botnet through legal and technical means. Called Kelihos, the newly neutralized army of zombie computers was capable of sending 3.8 billion spam e-mails daily.
Kelihos is the third botnet after Waledac and Rustock to be targeted by Microsoft through its Project MARS (Microsoft Active Response for Security) initiative.
Kelihos is actually a spin-off of Waledac, using the same fast-flux techniques as that earlier and now-defunct botnet and sharing large portions of its code.
Even though Kelihos is considerably smaller, being made up of only 41,000 infected computers, Microsoft sees the takedown as significant because it was able for the first time to actually name a defendant in such a case.
In its complaint, Microsoft claims that Alexander Piatti and his company Dotfree Group SRO, which operates the cz.cc second-level domain (SLD) registration service, are responsible for creating Kelihos command and control (C&C) hosts.
"Our investigation showed that while some of the defendant's subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities," said Richard Domingues Boscovich, a senior attorney with Microsoft's Digital Crimes Unit.
The cz.cc service allows users to register up to five subdomains free of charge. Because most of these hosts were being used in cybercriminal operations, including the distribution of the MacDefender malware earlier this year, Google banned the SLD provider from its search engine.
Last week Microsoft obtained a temporary restraining order from the US District Court for the Eastern District of Virginia that allowed it to sever the connections between Kelihos C&C servers and infected computers.
"Immediately following the takedown on Sept. 26th, we served Dominique Alexander Piatti, who was living and operating his business in the Czech Republic, and dotFREE Group SRO, with notice of the lawsuit and began discussions with Mr. Piatti to determine which of his subdomains were being used for legitimate business, so we could get those customers back online as soon as possible," Boscovich revealed.
It's worth pointing out that at the time of writing Dotfree Group's website and that of the cz.cc SLD registration service are both offline.
To help clean Kelihos-infected computers Microsoft has released a new version of its Malicious Software Removal Tool (MSRT) today that contains detection for the malware family.
"This case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime," Microsoft's senior attorney concluded.