Microsoft Hits Domain Provider in Kelihos Botnet Battle

Wednesday, September 28, 2011



Microsoft continues its battle against spam-spewing botnet legions with another foray into uncharted territory, again using the power of the federal courts to bring down the command and control servers of a growing offender known as Kelihos.

Microsoft obtained a court order to force Verisign to pull the plug on twenty-one domains associated with the Kelihos botnet spamming operation, which is believed to be controlling nearly fifty-thousand zombie machines.

"These were domains either directly or through subdomains, that were actually being utilized to point computers to command and control websites for the Kelihos botnet," said Microsoft's digital crimes unit attorney Richard Boscovich, according to an article by Robert McMillan of IDG News.

Microsoft had played a key role in efforts to shut down the Waledac botnet in 2010, though that operation has continued functioning at a diminished capacity, and some believe the Kelihos botnet may be its resurgence.

"We wanted to take it out early enough so that number one, it wouldn't grow and propagate... but also to make the point that when a threat is down, it's going to stay down. I think we made that point pretty effectively in this particular operation," Boscovich said.

Microsoft Corp. was also instrumental in the Rustock botnet takedown. In February of this year, Microsoft provided documentation that detailed the botnet's extensive structure in a federal court filing that was part of a lawsuit against a number of John Doe defendants.

Acting on the information Microsoft provided, federal marshals raided several internet hosting providers across the U.S. in March of this year, seizing servers suspected of being used as Rustock command and control units.

The raids seemed to have had an immediate impact in the reduction of spam distribution, but it is likely that the Rustock botnet will re-emerge at some point given the number of companies willing to provide hosting services for botnet command and control operations.

"There's a huge amount of abuse going on on those subdomains. The bad guys select whichever domain is cheapest and most reliable. Some of these domain owners are extremely slow in responding to abuse issues," said Kaspersky Lab researcher Roel Schouwenberg.
