
Microsoft kills a botnet after striking domain provider

Microsoft has taken the Kelihos botnet offline and shut down the cz.cc subdomains


Microsoft has opened a front in its ongoing battle against internet scammers, using the power of an American court to deal a knockout blow to an emerging botnet and taking offline a provider of free internet domains.

Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a US court to order Verisign to shut down 21 internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet.

"These were domains, either directly or through subdomains, that were actually being utilised to point computers to command and control websites for the Kelihos botnet," said Richard Boscovich, an attorney with Microsoft's digital crimes unit.

With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet. But it was spewing out just under 4 billion spam messages per day - junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software. Technically, the botnet looked a lot like Waledac, and some security experts think it may have been built by the same criminals.

'Take it out early'

The idea of a highly disruptive botnet that Microsoft shut down in February 2010 quietly resurfacing under a different name didn't sit too well with Microsoft's digital crimes unit. "We wanted to take it out early enough so that number one, it wouldn't grow and propagate, but also to make the point that when a threat is down, it's going to stay down," Boscovich said. "I think we made that point pretty effectively in this particular operation."

All but one of the internet domains that Microsoft took offline are anonymously registered in the Bahamas; the exception, cz.cc, is owned by Dominique Piatti, who runs a domain name business called Dotfree Group out of the Czech Republic.

"For some time now, this particular domain has had multiple issues with it in addition to Kelihos," Boscovich said. "We ultimately decided to name him as a defendant in light of some previous incidents that he's had."

Bogus history for cz.cc

Microsoft obtained the order, which tells top-level domain registrar Verisign to take down the domains, from the US District Court for the Eastern District of Virginia, Alexandria Division, on September 22, but it was sealed until Monday, when Piatti was served with a court summons in the case by Microsoft lawyers in the Czech Republic. The site takedown occurred just after midnight, Pacific Time, on Monday.

Malicious sites on the cz.cc domain had previously been used to trick Macintosh users into thinking they needed to buy a bogus security program, called MacDefender.

Security experts say that many of these subdomain hosting companies, which typically offer free domain-name registration, have opened up a lawless frontier on the internet where nearly anything goes. "There's a huge amount of abuse going on on those subdomains," said Roel Schouwenberg, a researcher with security vendor Kaspersky Lab. "The bad guys select whichever domain is cheapest and most reliable," he added. "Some of these domain owners are extremely slow in responding to abuse issues."

Subdomains blocked

Scammers had used a series of ingenious tricks to game Google's image search feature and spread the MacDefender malware using bulk subdomains, said Sean Sullivan, a security adviser with F-Secure. Sullivan's company automatically blocks the ce.ms, cu.cc, cw.cm, cx.cc, rr.nu, vv.cc, and cz.cc domains with its security software, he added.
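The blocking described above is a plain domain-level decision: any hostname under one of the bulk-subdomain parents is treated as untrusted. The following is an added example (not code from the article, F-Secure or Microsoft) that applies that rule to DNS query logs. The parent domains are the seven the article says F-Secure blocks; the log format and the log lines themselves are constructed for this example. The point it makes that the paragraph does not is that the match must be made on label boundaries: a naive substring or `endswith` check would also flag an unrelated name such as `notcz.cc`.

```python
"""Flag DNS queries whose hostname falls under a bulk-subdomain provider.

Added example, not the article's or any vendor's code. The parent domains are
those the article says F-Secure blocks; the log format and sample lines are
assumptions constructed for this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Bulk-subdomain parent domains named in the article (F-Secure's block list).
BULK_SUBDOMAIN_PROVIDERS = frozenset(
    ["ce.ms", "cu.cc", "cw.cm", "cx.cc", "rr.nu", "vv.cc", "cz.cc"]
)


def normalise(hostname: str) -> str:
    """Lower-case the name and strip the trailing dot that DNS logs often carry."""
    return hostname.strip().lower().rstrip(".")


def blocked_parent(hostname: str, providers=BULK_SUBDOMAIN_PROVIDERS) -> Optional[str]:
    """Return the provider domain the hostname sits under, or None.

    Matching is done on label boundaries, so 'evil.cz.cc' and 'cz.cc' match
    while 'notcz.cc' does not (a substring or endswith check would flag it).
    """
    labels = normalise(hostname).split(".")
    # Walk candidate suffixes from the shortest upward: 'cc', 'cz.cc', ...
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in providers:
            return candidate
    return None


# Assumed log format: "<timestamp> <client ip> <queried name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def flag_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, provider) for each query under a provider."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, name = m.groups()
        parent = blocked_parent(name)
        if parent:
            hits.append((client, normalise(name), parent))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2011-09-27T08:00:01Z 10.0.0.5 update.example.com.",
    "2011-09-27T08:00:02Z 10.0.0.7 a1b2c3.cz.cc.",
    "2011-09-27T08:00:03Z 10.0.0.9 notcz.cc",
    "2011-09-27T08:00:04Z 10.0.0.7 img.free.vv.cc",
    "garbage line",
]

if __name__ == "__main__":
    for client, name, parent in flag_queries(SAMPLE_LOG):
        print(f"{client} queried {name} (under {parent})")
```

Run as-is it reports the two queries under cz.cc and vv.cc and ignores `notcz.cc` and the malformed line. In a real deployment the provider set would come from a maintained feed rather than a hard-coded list, and a hit is a lead for investigation of the querying host, not proof of infection on its own.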

In June, Google blocked a number of bulk subdomain sites from its search index, saying that many of them had been used by criminals. "In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider," Google revealed.

But Piatti declined to comment. "I would be glad to give you my side of the story, but I feel that I should hire a lawyer first," he said.
