Microsoft Strikes Domain Provider to Take Down Botnet
Microsoft has shut down the Kelihos botnet, billed as the successor to Waledac.
Using the same technique as in the takedowns of the Rustock and Waledac botnets, Microsoft asked a US court to order Verisign to shut down 21 domains associated with the servers that form the heart of the Kelihos botnet.
Richard Boscovich, an attorney with Microsoft's digital crimes unit, said: "These were domains either directly or through subdomains, that were actually being utilised to point computers to command and control websites for the Kelihos botnet."
Kelihos is a small botnet with between 42,000 and 45,000 infected computers. Despite its size it was generating almost 4 billion spam messages per day. The junk mail was related to illegal pharmaceuticals, malicious software, pornography and stock scams.
It was important for Microsoft to take the botnet out early so that "it wouldn't grow and propagate, but also to make the point that when a threat is down, it's going to stay down," Boscovich said.
The one domain not anonymously registered in the Bahamas was cz.cc, owned by Dominique Piatti who runs Dotfree Group, a domain name business, in the Czech Republic.
"For some time now, this particular domain has had multiple issues with it in addition to Kelihos," Boscovich said. "We ultimately decided to name him as a defendant in light of some previous incidents that he's had."
The order for Verisign to take down the domains was issued on September 22, but was sealed until Monday when Piatti was served with a court summons.
The cz.cc domain has previously hosted malicious sites used to trick Mac users into thinking they need to buy a bogus security program called MacDefender.
These subdomain hosting companies, which usually offer free domain name registration, are notorious as a haven for spam sites. Earlier this year Google removed the co.cc domain from its search index, affecting thousands of subdomains, the majority of which were spam. Delisting removes the spam results from Google's index, but it does not stop the sites themselves; only taking the domains off the internet does that.
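The article's point is that a single parent zone such as cz.cc or co.cc can carry thousands of throwaway subdomains pointing bots at command and control sites, which makes the parent zone a useful unit to hunt on in DNS logs. The script below is an added example written for this page, not code from Microsoft, Verisign or any named party: it scans constructed DNS query log lines in a simplified "timestamp client qname" format (an assumption, not any real resolver's format) and flags queries for names at or beneath a set of suspect zones. It matches on DNS label boundaries, so a lookalike such as notcz.cc is not flagged, and it normalises case and the trailing root dot, which are the two mistakes that make naive substring matching either miss hits or false-positive.

```python
"""Flag DNS queries for names under free-subdomain zones (added example)."""
import re
from typing import Iterable, List, Tuple

# Parent zones named in the article; any name beneath them is flagged.
# Treating a whole zone as suspect is a coarse control: legitimate
# subdomains on a free-subdomain host will be flagged too, so use hits
# as a lead for review rather than as an automatic block.
SUSPECT_ZONES = ("cz.cc", "co.cc")

# Constructed sample log lines (not real data) in an assumed
# "timestamp client QNAME" layout.
SAMPLE_LOG = """\
2011-09-26T10:01:05 10.0.0.17 update.example-cdn.com
2011-09-26T10:01:09 10.0.0.23 a1b2c3.cz.cc.
2011-09-26T10:01:12 10.0.0.23 mail.notcz.cc
2011-09-26T10:01:30 10.0.0.42 HELPDESK.CO.CC
2011-09-26T10:02:01 10.0.0.17 cz.cc
2011-09-26T10:02:15 10.0.0.51 deep.nested.label.co.cc
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def is_under_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone itself or a subdomain of it.

    Matching is on label boundaries only: 'a.cz.cc' matches 'cz.cc',
    but 'notcz.cc' does not, because the character before 'cz.cc'
    must be a dot.
    """
    q = normalise(qname)
    z = normalise(zone)
    return q == z or q.endswith("." + z)


def flag_queries(lines: Iterable[str],
                 zones: Tuple[str, ...] = SUSPECT_ZONES) -> List[Tuple[str, str, str]]:
    """Return (client, qname, matched_zone) for every query under a suspect zone."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        qname = m.group("qname")
        for zone in zones:
            if is_under_zone(qname, zone):
                hits.append((m.group("client"), normalise(qname), normalise(zone)))
                break  # one report per query even if zones overlap
    return hits


if __name__ == "__main__":
    for client, qname, zone in flag_queries(SAMPLE_LOG.splitlines()):
        print(f"{client} queried {qname} (under {zone})")
```

Against the sample input this reports four queries (the cz.cc apex, one cz.cc subdomain and two co.cc subdomains) and ignores mail.notcz.cc. Swap `LINE_RE` for your resolver's actual log layout and feed the zone list from whichever source you trust; the label-boundary check is the part worth keeping regardless.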