Threat Management, Malware, Network Security, Security Strategy, Plan, Budget

Microsoft disrupts Kelihos botnet, names alleged mastermind

On the heels of winning its civil case against the operators of Rustock, Microsoft on Tuesday announced the takedown of another botnet, this one comprised of tens of thousands of nodes.

The Kelihos botnet, made up of approximately 41,000 infected computers worldwide, was capable of sending 3.8 billion spam emails per day, Richard Boscovich, senior attorney with Microsoft's Digital Crimes Unit, said in a Tuesday blog post.

The botnet was used to steal users' personal information and promote everything from counterfeit and unapproved generic drugs to fraudulent stock scams to sites promoting the sexual exploitation of children.

To dismantle Kelihos, Microsoft asked the U.S. District Court in Richmond to order the shutdown of 21 domains acting as the botnet's command-and-control servers. The takedown, dubbed “Operation b79,” severed connections between the botnet and the individual zombie machines under its control.

Microsoft alleges that Dominique Alexander Piatti, who is believed to be living in the Czech Republic, controlled the botnet, according to a complaint filed last week. This is the first time Microsoft has actually named a defendant in one of its civil cases involving a botnet.

The complaint also names 22 anonymous co-defendants, as well as Piatti's Czech-based domain name company, dotFREE Group SRO.

Microsoft alleges that Piatti and the other defendants own the top-level internet domain, and used it to register subdomains that were used to operate and control the botnet. Beyond hosting Kelihos, also hosted subdomains used to deliver malware, including MacDefender, a type of scareware that targets Apple's operating system, Microsoft contended.

Boscovich said he hopes the case shines light on what he terms an “industry-wide” problem involving subdomains.

“There are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way,” he wrote.

The disassembly follows similar actions to disrupt the Waledac and Rustock botnets, though Kelihos is considered to be much smaller than the other two.

Kelihos, meanwhile, is believed to be associated with Waledac, earning it the nickname “Waledac 2.0.”

“Large portions of Kelihos code were shared with Waledac, which suggested that Kelihos was either from the same parties, or that the code was obtained, updated and reused,” Boscovich wrote. “Once we learned of the apparent relationship to Waledac, we immediately began developing a plan to take out Kelihos using similar technical measures.”

Piatti could not be reached by on Tuesday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.