Striking a domain provider, Microsoft kills off a botnet

Microsoft has taken the Kelihos botnet offline and shut down the cz.cc subdomains

Microsoft has opened a front in its ongoing battle against Internet scammers, using the power of a U.S. court to deal a knockout blow to an emerging botnet and taking offline a provider of free Internet domains.

Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet.

"These were domains either directly or though subdomains, that were actually being utilized to point computers to command and control websites for the Kelihos botnet," said Richard Boscovich, an attorney with Microsoft's digital crimes unit.

With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet. But, it was spewing out just under 4 billion spam messages per day -- junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software. Technically, the botnet looked a lot like Waledac, and some security experts think it may have been built by the same criminals.

The idea of a highly disruptive botnet that Microsoft shut down in February 2010 quietly resurfacing under a different name didn't sit too well with Microsoft's digital crimes unit. "We wanted to take it out early enough so that number one, it wouldn't grow and propagate ... but also to make the point that when a threat is down, it's going to stay down," Boscovitch said. "I think we made that point pretty effectively in this particular operation."

All but one of the Internet domains that Microsoft took offline are anonymously registered in the Bahamas, but one domain cz.cc is owned by Dominique Piatti who runs a domain name business called Dotfree Group out of the Czech Republic.

"For some time now, this particular domain has had multiple issues with it in addition to Kelihos," Boscovitch said. "We ultimately decided to name him as a defendant in light of some previous incidents that he's had."

Microsoft got the order from the U.S. District Court for the Eastern District of Virginia, Alexandria Division, telling top-level domain registrar Verisign to take down the domains, on Sept. 22, but it was sealed until Monday, when Piatti was served with a court summons in the case by Microsoft lawyers in the Czech Republic. The site take down occurred just after midnight, Pacific Time, Monday.

Malicious sites on the cz.cc domain had previously been used to trick Macintosh users into thinking they needed to buy a bogus security program, called MacDefender.

Security experts say that many of these subdomain hosting companies, which typically offer free domain-name registration, have opened up a lawless frontier on the Internet where nearly anything goes. "There's a huge amount of abuse going on on those subdomains," said Roel Schouwenberg, a researcher with security vendor Kaspersky Lab. "The bad guys select whichever domain is cheapest and most reliable," he added. "Some of these domain owners are extremely slow in responding to abuse issues."

Scammers had used a series of ingenious tricks to game Google's image search feature and spread the Mac Defender malware using bulk subdomains, said Sean Sullivan, a security adviser with F-Secure. Sullivan's company automatically blocks the ce.ms, cu.cc, cw.cm, cx.cc, rr.nu, vv.cc, and cz.cc domains with its security software, he added.

In June, Google blocked a number of bulk subdomain sites from its search index, saying that many of them had been used by criminals. "In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider," Google wrote in a blog post announcing the decision.

Reached Tuesday, Piatti was unable to comment for this story. " I would be glad to give you my side of the story, but I feel that I should hire a lawyer first," he said in an email.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftsecuritylegalDotfree Groupinternetmalwarecybercrime

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?