Striking a domain provider, Microsoft kills off a botnet

Microsoft has opened a front in its ongoing battle against Internet scammers, using the power of a U.S. court to deal a knockout blow to an emerging botnet and taking offline a provider of free Internet domains.

Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet.

"These were domains either directly or though subdomains, that were actually being utilized to point computers to command and control websites for the Kelihos botnet," said Richard Boscovich, an attorney with Microsoft's digital crimes unit.

With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet. But, it was spewing out just under 4 billion spam messages per day -- junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software. Technically, the botnet looked a lot like Waledac, and some security experts think it may have been built by the same criminals.

The idea of a highly disruptive botnet that Microsoft shut down in February 2010 quietly resurfacing under a different name didn't sit too well with Microsoft's digital crimes unit. "We wanted to take it out early enough so that number one, it wouldn't grow and propagate ... but also to make the point that when a threat is down, it's going to stay down," Boscovich said. "I think we made that point pretty effectively in this particular operation."

All but one of the Internet domains that Microsoft took offline are anonymously registered in the Bahamas, but one domain cz.cc is owned by Dominique Piatti who runs a domain name business called Dotfree Group out of the Czech Republic.

"For some time now, this particular domain has had multiple issues with it in addition to Kelihos," Boscovich said. "We ultimately decided to name him as a defendant in light of some previous incidents that he's had."

Microsoft got the order from the U.S. District Court for the Eastern District of Virginia, Alexandria Division, telling top-level domain registrar Verisign to take down the domains, on Sept. 22, but it was sealed until Monday, when Piatti was served with a court summons in the case by Microsoft lawyers in the Czech Republic. The site take down occurred just after midnight, Pacific Time, Monday.

Malicious sites on the cz.cc domain had previously been used to trick Macintosh users into thinking they needed to buy a bogus security program, called MacDefender.

Security experts say that many of these subdomain hosting companies, which typically offer free domain-name registration, have opened up a lawless frontier on the Internet where nearly anything goes. "There's a huge amount of abuse going on on those subdomains," said Roel Schouwenberg, a researcher with security vendor Kaspersky Lab. "The bad guys select whichever domain is cheapest and most reliable," he added. "Some of these domain owners are extremely slow in responding to abuse issues."

Scammers had used a series of ingenious tricks to game Google's image search feature and spread the Mac Defender malware using bulk subdomains, said Sean Sullivan, a security adviser with F-Secure. Sullivan's company automatically blocks the ce.ms, cu.cc, cw.cm, cx.cc, rr.nu, vv.cc, and cz.cc domains with its security software, he added.

In June, Google blocked a number of bulk subdomain sites from its search index, saying that many of them had been used by criminals. "In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider," Google wrote in a blog post announcing the decision.

Reached Tuesday, Piatti was unable to comment for this story. " I would be glad to give you my side of the story, but I feel that I should hire a lawyer first," he said in an email.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com