Microsoft halts another botnet: Kelihos

A Czech resident is accused of operating a botnet that infected tens of thousands of computers, serving spam and harvesting data. This is the third botnet Microsoft has taken down using the same legal and technical measures.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
This image from the complaint illustrates how a bot herder uses a command-and-control server to communicate with infected computers via routers. (Image credit: Microsoft)

Microsoft has put a halt to the Kelihos botnet and is accusing a Czech resident of hosting the botnet and using it to deliver spam and steal data, the company said today.

Kelihos, also known as "Waledac 2.0" after a previous botnet that Microsoft shut down last year, comprised about 41,000 infected computers worldwide and was capable of sending 3.8 billion spam e-mails per day, according to Microsoft.

The complaint filed last week in the U.S. District Court for the Eastern District of Virginia accuses Dominique Alexander Piatti, Dotfree Group SRO and John Does 1-22 of infecting victim computers with malware to create the Kelihos botnet, using it to send unregulated pharmaceutical and other spam, harvest e-mails and passwords, conduct fraudulent stock scams and, in some cases, promote sites dealing with sexual exploitation of children.

Meanwhile, subdomains were allegedly used to infect Mac computers with MacDefender scareware, according to the complaint. Piatti could not immediately be reached for comment.

In addition to filing complaints, Microsoft also is using a relatively new tactic of filing restraining orders to get court permission to sever the connections between the botnets and the individual infected computers, known as "zombies." This stops the botnet from continuing to operate and grow.

Microsoft also plans to work with ISPs and Community Emergency Response Teams (CERTs) to help clean up computers that were infected and used in the botnet. As part of that process, the Microsoft Malware Protection Center will add the Win32/Kelihos family in a second release of the Malicious Software Removal Tool later today.

"Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight. By taking down the botnet infrastructure, we hope that this will help deter and raise the cost of committing cybercrime," Richard Domingues Boscovich, senior attorney with the Microsoft Digital Crimes Unit, wrote in a blog post today.

The case also highlights an industry-wide problem related to the stealth use of subdomains, he said. "Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains--making it easy for domain owners to look the other way."

This is the third botnet--following Waledac, and Rustock earlier this year--that Microsoft has taken down using these same legal and technical measures, but it's the first time a defendant has been named in one of the company's civil cases involving a botnet.