Microsoft took down the Waledac botnet in early 2010, but by the end of that same year, Waledac 2.0, which the company dubbed Kelihos, had started to show signs of life, and as of January 2011 it was spamming again in full force. It’s critical to note that Waledac 2.0 didn’t manage to grow to the size and impact of version 1.0, and now it never will, since Microsoft took it down using legal and technical tactics similar to those that disabled Rustock and Waledac.
Richard Domingues Boscovich, Senior Attorney, Microsoft Digital Crimes Unit, offered details about “Operation b79,” stressing the fact that the move marks a first for Microsoft, namely naming one defendant, and even notifying him in person.
“In the complaint, Microsoft alleges that Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 of owning a domain cz.cc and using cz.cc to register other subdomains such as lewgdooi.cz.cc used to operate and control the Kelihos botnet,” Boscovich said.
“Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities.”
Kelihos behaved just as any other botnet would. Attackers infected PCs and gained control over the machines, turning them into zombie computers used to send spam, steal sensitive data and carry out a number of additional illegal activities.
“Microsoft also alleges that Dominique Alexander Piatti, dotFREE Group SRO and the John Doe defendants committed some of the same violations made in the successful legal cases against the operators of the Waledac and Rustock botnets,” Boscovich added.
The software giant severed the connections between Kelihos and its zombie computers thanks to an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against Dominique Alexander Piatti, dotFREE Group SRO and the associated John Does.
Since some of Piatti’s subdomains were actually legitimate businesses, also impacted by the takedown, Microsoft is working to identify them and bring them back online.
The Redmond company considers Kelihos / Waledac 2.0 just a small botnet, which controlled just some 41,000 zombie computers and was only capable of sending out 3.8 billion spam e-mails per day.
However, because of its ties to Waledac 1.0, Microsoft made it a priority to take Kelihos down. The software giant notes that Kelihos and Waledac shared large portions of code, which indicates either that the cybercriminals behind Waledac moved over to Kelihos, or that other attackers managed to get the original code and change it. Neither sits particularly well with Microsoft.
“The Kelihos takedown is intended to send a strong message to those behind botnets that it’s unwise for them to simply try to update their code and rebuild a botnet once we’ve dismantled it. When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold botherders accountable for their actions,” Boscovich warned.