Microsoft has pulled off its third technical and legal botnet takedown, this time aimed at the Kelihos botnet and a domain responsible for the recent spate of MacDefender malware attacks on Mac users.
Relying on the legal same mechanisms it used to physically takedown the much larger Waladec and Rustock botnets earlier this year, last week Microsoft was granted an “ex parte” restraining order by a US court.
Unlike the previous takedowns, the defendants were on Monday morning Central Europe time personally notified of the action, according to Microsoft.
Redmond accused Czech resident Dominique Alexander Piatti, dotFree Group SRO and 22 John Does of operating the domain cz.cc to register other subdomains that were used to control Kelihos.
The subdomains were found to have hosted the nefarious fake Mac antivirus malware, MacDefender, responsible for netting enough Mac users that it reportedly caused a huge spike in Apple’s support calls.
Although the botnet only had 41,000 “zombies” or infected computers under its control, Microsoft’s investigations found it was capable of sending firing 3.8 billion spam emails per day.
The operators built the botnet by infecting victims’ computers with socially engineered and rigged e-cards, it said.
“We took this action before the botnet had an opportunity to grow further and because we believe accountability is important,” said Richard Domingues Boscovich, a senior attorney for Microsoft’s Digital Crimes Unit.
The Kelihos botnet’s prime activities revolved around sending spam that promoted fraudulent stock scams, adult websites, counterfeit goods and child pornography.
Its command and control centre relied on two IP addreses and 21 domains, according to Microsoft’s complaint.
“The purpose of the 2 IP address and 21 Internet domains that make up the Kelihos Command and Control servers is to await requests from Kelihos-infected computers and instruct them on how to control communication with each othehr and to infect new user computers,” its complaint stated.
At the time of being served, Piatti had been living and operating his business in the Czech Republic, according to Microsoft. His web subdomain business also supported legitimate businesses, apparently also affected by the take down efforts.
The purpose of naming the accused was to “raise the cost” of committing cybercrime and give service providers such as Piatti a reason to know their customers, according to Boscovich.
“Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers.
“Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight,” he said.