
Microsoft takes down Kelihos botnet

posted Sep 30, 2011, 7:29 AM by Phillip Armstrong   [ updated Sep 30, 2011, 7:32 AM ]
Kelihos, thought to have infected around 41,000 computers across the globe, is dealt with.

Microsoft has announced another success in its drive to take down botnets. The company used “legal and technical measures” in “Operation b67”, as it was codenamed (hmm, snappy moniker – ed), to take down the Kelihos botnet. Kelihos is not as big as the Rustock botnet, but MS says that its takedown “represents a significant advance” in their fight. This is because it’s the first time that MS has “named a defendant in one of its civil cases involving a botnet”. This, they say, sends a “strong message” to botnet creators and controllers: should they attempt to rebuild the botnet, further action will always be taken.

The civil case alleges that Dominique Piatti and John Does owned a domain which they used to register subdomains in order to operate Kelihos. Whilst MS say that some were used for legitimate reasons, many were being used “for questionable purposes with links to a variety of disreputable online activities.” This includes one which hosted the scareware MacDefender, which infects Apple’s OS with rogue software. However, the main purpose of many of their subdomains was to control the botnet, which was used for a variety of purposes including spam, stealing information, stock scams and “websites promoting the sexual exploitation of children.” MS obtained a restraining order on September 22nd which allowed them to cut the connections between the botnet and the zombie computers it controlled.

They then served Piatti, who lives in the Czech Republic, with notice of the suit and are now attempting to locate the other John Does in order to serve them too. MS says that actually naming a defendant is a “big step forward” as it helps them to protect customers and the MS platform. It also goes some way to making domain providers aware that they should know more about their customers and their activities. They also hope that this will raise the cost of cybercrime to the criminal, making it harder for them to start up and operate, therefore reducing the problem.

MS also point out that more regulation is needed in the industry to ensure that domain owners can be held accountable if subdomains are being used for illegal purposes. Kelihos is thought to have infected around 41,000 computers across the globe, even though it is considered to be a relatively small botnet. MS says that it will work with ISPs and Community Emergency Response Teams (CERTs) to clean up computers which are infected with botnet malware.

They have already added the Win32/Kelihos family to the latest release of the Malicious Software Removal Tool.

Courtesy of