Microsoft Takes Down 'Kelihos Botnet' In Operation Codenamed "Operation b79"

Microsoft today announced the takedown of the "Kelihos botnet" in an operation codenamed "Operation b79", using legal and technical measures similar to those behind its previous successful botnet takedowns, said Richard Domingues Boscovich, Senior Attorney, Microsoft Digital Crimes Unit.

"Kelihos, also known by some as 'Waledac 2.0' given its suspected ties to the first botnet Microsoft took down, is not as massive as the Rustock spambot," stated Richard, adding, "However, this takedown represents a significant advance in Microsoft's fight against botnets nonetheless. This takedown will be the first time Microsoft has named a defendant in one of its civil cases involving a botnet and as of approximately 8:15 a.m. Central Europe time on Sept. 26th, the defendants were personally notified of the action."

"Operation b79 is Microsoft's third Project MARS (Microsoft Active Response for Security) initiative. Project MARS is a program driven by the MDCU in close collaboration with the Microsoft Malware Protection Center and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. We learn important new information about the global botnet threat during every takedown, and we will continue to share threat intelligence gained in this effort with customers, partners and the global community to further disrupt cybercrime worldwide."

Richard writes "On Sept. 22nd, Microsoft filed for an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22."

"The court granted our request, allowing us to sever the known connections between the Kelihos botnet and the individual 'zombie computers' under its control. Immediately following the takedown on Sept. 26th, we served Dominique Alexander Piatti, who was living and operating his business in the Czech Republic, and dotFREE Group SRO, with notice of the lawsuit and began discussions with Mr. Piatti to determine which of his subdomains were being used for legitimate business, so we could get those customers back online as soon as possible. We're also beginning our efforts to notify the other John Doe defendants in this case, and will be actively continuing our investigation to find out more about the people behind this botnet," said Richard.

Microsoft accuses "Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 of owning a domain cz.cc and using cz.cc to register other subdomains such as lewgdooi.cz.cc used to operate and control the Kelihos botnet." Richard adds, "Our investigation showed that while some of the defendant's subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities."

"For instance, our investigation revealed that in addition to hosting Kelihos, defendants' cz.cc domain has previously been investigated for hosting subdomains responsible for delivering MacDefender, a type of scareware that infects Apple's operating system. Also, in May 2011, Google temporarily blocked subdomains hosted by the cz.cc domain from its search results after it discovered it was hosting malware, although Google reinstated the subdomains after the defendant allegedly corrected the problem."

"Microsoft also alleges that Dominique Alexander Piatti, dotFREE Group SRO and the John Doe defendants committed some of the same violations made in the successful legal cases against the operators of the Waledac and Rustock botnets. Kelihos infected Internet users' computers with malicious software which allowed the botnet to surreptitiously control a person's computer and use it for a variety of illegal activities, including sending out billions of spam messages, harvesting users' personal information (such as e-mails and passwords), fraudulent stock scams and, in some instances, websites promoting the sexual exploitation of children," revealed Richard.