But a new legal argument gave Microsoft the standing to again seize an entire domain to shut Kelihos down, Boscovich says. The argument goes that if the domain owner, as part of its agreement with registrants, requires that they not carry on illegal activities, by extension that contract applies to Microsoft because it can benefit or be harmed depending on how the registrant behaves.
In that scenario Microsoft becomes a third-party contractual beneficiary, he says, giving it standing to seek legal action for malicious activity the registrant might engage in. "It's a creative way to obtain remedies that we wanted," Boscovich says.
In the case of Kelihos, Microsoft took offline an entire domain consisting of several hundred thousand subdomains, leaving the company to negotiate an agreeable settlement with the owner of the domain, Dominique Alexander Piatti, on which to bring back up.
Kelihos wasn't as massive as Rustock, but Microsoft decided to go after it because its code seemed linked to Waledac's. "Analysis of Kelihos shows large portions of the code of Kelihos are shared with Waledac suggesting it is either from the same parties or that the code was obtained, updated and reused," according to a Microsoft Malware Protection Center blog from January 2011.
Microsoft says it didn't want criminals to think that Microsoft would let them rebuild their networks by simply tinkering with their old code.
In March of this year, Microsoft, Financial Services - Information Sharing and Analysis Center (FS-ISAC) and NACHA (the electronic payments association) teamed up to get court permission to seize servers associated with the worst instances of the password-stealing Zeus botnet. They seized two IP addresses and secured 800 domains that they monitored to identify the bots under Zeus control.
They also named two people as defendants in a civil case involving Zeus, one of the rare times they have been able to track illegal activities to specific persons.
Earlier this month Microsoft went after Nitol, a serendipity that arose from a Microsoft investigation into pirated software being loaded onto brand-new computers in China and sold as legitimate Windows machines. One of the computers came not only with a pirated operating system, but it was also infected with Nitol, which enlists computers into botnets that can be used for a variety of illegal activities. It also enables downloading further malware.