Microsoft has confirmed its second major botnet takedown this year.
While it acknowledged that the ‘Kelihos' botnet was not as big as Rustock, the takedown operation was similar and a defendant has been personally notified of the action.
According to Richard Domingues Boscovich, senior attorney at the Microsoft Digital Crimes Unit, the Kelihos takedown is intended to send a strong message to those behind botnets that it's unwise for them to simply try to update their code and rebuild a botnet once it has been dismantled.
“When Microsoft takes a botnet down, we intend to keep it down and we will continue to take action to protect our customers and platforms and hold bot herders accountable for their actions,” he said.
Kelihos primarily sent out the MacDefender virus, which opens web pages for pornographic websites in an infected user's web browser every few minutes, convincing users that they are infected by a virus and that paying for the fake anti-virus software would relieve them of the problem.
Spam also included counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers.
The defendant was named as Dominique Alexander Piatti, who was resident in the Czech Republic, and discussions have begun with him to determine which of his subdomains were being used for legitimate business.
Boscovich said: “Naming defendants in this case marks a big step forward for Microsoft in making good on its commitment to aggressively protect its platform and customers against abuse from whomever and wherever it may originate.
“Naming these defendants also helps expose how cyber crime is enabled when domain providers and other cyber infrastructure providers fail to know their customers.
“Without a domain infrastructure like the one allegedly hosted by Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight. By taking down the botnet infrastructure, we hope that this will help deter, and raise the cost of committing, cyber crime.”
Kelihos was considered to be a relatively small botnet, with Microsoft's investigation indicating that approximately 41,000 computers were infected globally, and it was capable of sending 3.8 billion spam emails per day.
Boscovich said: “Cleaning up computers infected with the botnet malware is also a very important part of every Microsoft botnet takedown operation; we are planning to work with Internet Service Providers and Community Emergency Response Teams to repair the damage caused by Kelihos, as we have with Rustock and Waledac.
“To help assist in that process, the Microsoft Malware Protection Center will add the Win/32 Kelihos family in a second release of the Malicious Software Removal Tool later today to help minimise the malware's future impact.”
Involved with the takedown was Kaspersky Lab, which said it reverse-engineered the bot malware, cracked the communication protocol and developed tools to attack the peer-to-peer infrastructure.
Kaspersky Lab's Tillmann Werner said: “It's important to understand that the botnet still exists, but it's being controlled by Kaspersky Lab. In tandem with Microsoft's move to the US court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute.
“The main question is now: what is next? We obviously cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines.
“We expect that the number of machines hitting our sinkhole will slowly decrease over time as computers get cleaned and reinstalled. In the past 16 hours we have still observed 22,693 unique IP addresses. We hope that this number is going to be much lower soon.”