Microsoft Does it Again, Takes Down Kelihos Botnet

On 2011-09-27, Microsoft announced that the Digital Crimes Unit successfully ended the Kelihos botnet, also known as the Waledac 2.0 botnet, and served notice against some of the alleged perpetrators. Dominique Alexander Piatti, the dotFREE Group SRO, and twenty-two John Doe defendants are all alleged to be in control of the botnet and the Internet domains used to control it.

Operation b79 is the codename assigned to the investigation, the third major initiative of Project MARS, the Microsoft Active Response for Security program. The DCU worked closely with the Trustworthy Computing Team and the Malware Protection Center to combat botnets, which benefits the entire Internet community, not just Microsoft’s customers. Kelihos may not have been as large as Waledac, but with an estimated 41,000 compromised hosts it was capable of sending out over 3.8 billion spam messages a day. Kelihos was still spreading, so this takedown probably prevented a larger problem from developing.

The DCU gathered enough evidence against the defendants to obtain an ex parte temporary restraining order, which was issued by the US District Court for the Eastern District of Virginia. Kyrus Tech, Inc., a declarant in this action, is based within that jurisdiction. The restraining order enabled the severing of connections between infected computers and the command and control servers hosted within the cz.cc domains.

Notices of civil court proceedings were served to Piatti the same day. While Kelihos was not as massive a botnet as Waledac, this represents the first time that a named defendant was served notice the same day as the botnet was taken offline. Work is ongoing to identify and serve the other twenty-two defendants.

Microsoft’s Digital Crimes Unit (DCU) analyzed the Kelihos code and identified large segments in common with Waledac. This indicates either that both were developed by the same author(s) or that Kelihos is an updated version of Waledac. The DCU also determined through its investigation that Piatti and the dotFREE Group SRO, along with others, own the cz.cc domain and its subdomains, including lewgdooi.cz.cc, and were using them to control the Kelihos botnet. These and other subdomains are associated with other suspect activity, including delivery of the MacDefender scareware that infected computers running Apple’s operating system. Google had also previously blocked domains under cz.cc from its search results because the websites were hosting various types of malware.
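The takedown worked by cutting infected machines off from command-and-control servers under cz.cc. From the defender's side, the corresponding check is to look through resolver logs for any internal host that queried a name under a domain known to be used for control traffic. The following is an added example, not code from the original post or from Microsoft's DCU; the log format and log lines are constructed for illustration, and only cz.cc and lewgdooi.cz.cc come from the post. It matches on DNS labels rather than substrings, so an unrelated name such as `notcz.cc` is not flagged.

```python
"""Flag hosts whose DNS queries resolve names under a blocked command-and-control
domain. Added example; the block list and log lines below are constructed."""
import re
from collections import defaultdict

# Constructed block list: a parent domain covers every subdomain beneath it.
BLOCKED_DOMAINS = {"cz.cc"}

# Constructed resolver log in a simple "timestamp client query" format.
SAMPLE_DNS_LOG = """\
2011-09-27T10:01:02Z 10.0.0.12 lewgdooi.cz.cc
2011-09-27T10:01:05Z 10.0.0.12 www.example.com
2011-09-27T10:02:11Z 10.0.0.47 abc.def.cz.cc
2011-09-27T10:02:30Z 10.0.0.47 notcz.cc
2011-09-27T10:03:00Z 10.0.0.99 CZ.CC.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Lower-case a name and strip the trailing dot of a fully-qualified form."""
    return name.rstrip(".").lower()


def is_blocked(name, blocked=BLOCKED_DOMAINS):
    """True if name equals a blocked domain or is a subdomain of one.

    Comparing whole label suffixes (not substrings) is what keeps
    'notcz.cc' from matching 'cz.cc'.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def scan_dns_log(text, blocked=BLOCKED_DOMAINS):
    """Return {client_ip: [queried names]} for clients that looked up blocked names."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qname = m.groups()
        if is_blocked(qname, blocked):
            hits[client].append(normalize(qname))
    return dict(hits)


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

Hosts returned by `scan_dns_log` are the ones to isolate and clean; the same suffix-matching logic can be fed a longer block list or pointed at a production resolver's query log by replacing `SAMPLE_DNS_LOG`.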

You can read more about the DCU investigation, and the legal actions taken against the defendants at http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx.

Written by Casper Manes

I currently work as a Senior Messaging Consultant for one of the premier consulting firms in the world. I cut my teeth on Exchange 5.0 and have worked with every version of Microsoft’s awesome email package since then, as well as MHS, Sendmail, and MailEnable systems. I've written dozens of articles on behalf of my past employers, their partners, and others, and I finally decided to embrace blogging and social media, so please follow me on Twitter @caspermanes if you enjoy my posts.

Comments

  1. Alan Manders · September 29, 2011

    I am extremely pleased with Microsoft for handling these issues as quickly and effectively as they do, but does anybody else find it odd that it’s falling into the hands of a commercial entity rather than a civic one to handle the dismantling of these criminal groups?

  2. Trive Owens · September 30, 2011

    It’s nice that Microsoft has done it again. But honestly, I’m not that impressed. The Internet still has 180 billion spam messages roaming around the Web every day. Why have Microsoft and other tech giants not trimmed down spam activities to less than 50 percent?

    We can’t completely eradicate spam – this is the reality. But it would be worth trying to cut them down completely – and not just a mere 3.8 billion spam messages a day.

  3. Casper Manes · September 30, 2011

    Alan,
    Frankly, I’m kind of glad MS is doing this instead of law enforcement…think of the tax$ saved.

    Trive,
    I think the biggest problem with 180b other messages is that there are 10^3 to 10^5 induhviduals out there sending them. Taking out the big fish might be low-hanging fruit, but they are a realistic target, and a start.
