Microsoft spikes third botnet and Mac fake AV host

Unlike the previous takedowns, the defendants were on Monday morning Central Europe time personally notified of the action

Microsoft has pulled off its third technical and legal botnet takedown, this time aimed at the Kelihos botnet and a domain responsible for the recent spate of MacDefender malware attacks on Mac users.

Relying on the same legal mechanisms it used to physically take down the much larger Waledac and Rustock botnets earlier this year, last week Microsoft was granted an “ex parte” restraining order by a US court.

Unlike the previous takedowns, the defendants were on Monday morning Central Europe time personally notified of the action, according to Microsoft.

Redmond accused Czech resident Dominique Alexander Piatti, dotFree Group SRO and 22 John Does of operating the domain used to register the subdomains that controlled Kelihos.

The subdomains were also found to have hosted the fake Mac antivirus malware MacDefender, which netted enough Mac users that it reportedly caused a huge spike in Apple’s support calls.

Although the botnet only had 41,000 “zombies”, or infected computers, under its control, Microsoft’s investigation found it was capable of sending 3.8 billion spam emails per day.

The operators built the botnet by infecting victims’ computers with socially engineered and rigged e-cards, it said.

“We took this action before the botnet had an opportunity to grow further and because we believe accountability is important,” said Richard Domingues Boscovich, a senior attorney for Microsoft’s Digital Crimes Unit.

The Kelihos botnet’s prime activities revolved around sending spam that promoted fraudulent stock scams, adult websites, counterfeit goods and child pornography.

Its command and control infrastructure relied on two IP addresses and 21 domains, according to Microsoft’s complaint.

“The purpose of the 2 IP addresses and 21 Internet domains that make up the Kelihos Command and Control servers is to await requests from Kelihos-infected computers and instruct them on how to control communication with each other and to infect new user computers,” its complaint stated.

At the time of being served, Piatti had been living and operating his business in the Czech Republic, according to Microsoft. His web subdomain business also supported legitimate businesses, which were apparently also affected by the takedown efforts.

The purpose of naming the accused was to “raise the cost” of committing cybercrime and give service providers such as Piatti a reason to know their customers, according to Boscovich.

“Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers.

“Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight,” he said.

Stories by Liam Tung