Microsoft kills botnet that hosted MacDefender scareware


Summary: The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.


Microsoft's Digital Crimes Unit has shut down a botnet that was investigated for hosting the MacDefender scareware that preyed on Mac OS X users.

The botnet, known as Kelihos or "Waledac 2.0," has been linked to spam messages, ID-theft attacks, pump-and-dump stock scams and websites promoting the sexual exploitation of children, according to Microsoft senior attorney Richard Domingues Boscovich.

The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.

For the first time since Microsoft's anti-cybercrime team started disabling botnets, the company moved to the U.S. court system and identified a defendant that allegedly owned the domain that controlled the botnet.

In the complaint [PDF], Microsoft names Dominique Alexander Piatti alongside dotFREE Group SRO and John Does 1-22 and said they owned domains and subdomains that were used to operate and control the Kelihos botnet.

"Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities," Boscovich said.

follow Ryan Naraine on twitter

In addition to hosting the Kelihos botnet, Microsoft said its investigation revealed that the defendants' cz.cc domain was previously linked to subdomains responsible for delivering MacDefender, a type of scareware that targets Apple's Mac OS X operating system.

In May 2011, Google temporarily blocked subdomains hosted under the cz.cc domain from its search results after discovering that they were hosting malware; Google reinstated the subdomains after the defendant allegedly corrected the problem. (See this public gripe from Piatti about the blocked domains.)

Boscovich said the botnet was also used to promote potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and Windows operating system to carry out these illegal activities.

[T]his case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains –making it easy for domain owners to look the other way.

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.

Piatti, who is based in the Czech Republic, has been served notice of the lawsuit. Microsoft said it is in discussions with Piatti to determine which of his subdomains were being used for legitimate business, so that those customers could be reconnected.


Talkback

51 comments
  • Thanks to Microsoft, OS X users are now safer

    A little gratitude is in order.
    toddybottom
    • RE: Microsoft kills botnet that hosted MacDefender scareware

      For what?
      ScorpioBlue
    • RE: Microsoft kills botnet that hosted MacDefender scareware

      @toddybottom

      Microsoft created the petri dish that bred this stuff. Naturally, they should help clean it up.
      tomogden
      • RE: Microsoft kills botnet that hosted MacDefender scareware

        @tomogden Microsoft doesn't create or spread malware. Where did you get that from?
        jhammackHTH
      • RE: Microsoft kills botnet that hosted MacDefender scareware

        @tomogden : Get a life. Blame everything on anyone but Apple. Blame it either on dumb Apple users or Apple for horse sh?t security.
        Gisabun
      • RE: Microsoft kills botnet that hosted MacDefender scareware

        @jhammackHTH
        Without Microsoft's existence, there would be no botnets.

        Get a clue.
        ScorpioBlue
    • I think so

      @toddybottom
      Yes, they are responsible for the security flaws that allow botnets to be created in the first place, but I'm glad that MS has become proactive about shutting them down, nevertheless.
      John L. Ries
      • Wrong.

        @ John L. Ries

        Social engineering, not security flaws, is the primary way machines are compromised. Microsoft probably have the most effective countermeasures to protect users from social engineering attacks as well.
        WilErz
      • RE: Microsoft kills botnet that hosted MacDefender scareware

        @John L. Ries : Huh? Microsoft is responsible for botnets? Next you'll say they are responsible for power failures and high taxes. At least Microsoft shut down the botnet. What did Apple do? Oh yeah. Told people to buy crapware cleaner at the "app store" [and Apple gets 30% off the top!].
        Gisabun
      • RE: Microsoft kills botnet that hosted MacDefender scareware

        @John L. Ries Most internet providers used a form of Unix long before MS. Let's set the facts straight if we're going to start pointing fingers.
        RobertMoore12
    • RE: Microsoft kills botnet that hosted MacDefender scareware

      @toddybottom - Why, because Microsoft closed one of their satellite offices?
      The Danger is Microsoft
      • RE: Microsoft kills botnet that hosted MacDefender scareware

        @The Danger is Microsoft : This coming from an anti-Microsoft fan boi.
        Gisabun
  • RE: Microsoft kills botnet that hosted MacDefender scareware

    See, good things can happen when Microsoft and Apple work together.
    LoverockDavidson_
    • A little one-sided don't you think?

      @LoverockDavidson_

      What did Apple do except deny that any problem existed?
      Joe_Raby
    • RE: Microsoft kills botnet that hosted MacDefender scareware

      @LoverockDavidson_ : But they didn't. Microsoft did the work. Apple sat on their hands.
      Gisabun
  • RE: Microsoft kills botnet that hosted MacDefender scareware

    This is good news. Very good news. It looks like we are finally beginning to get the proper tools to fight these botnets.
    CobraA1
  • The botnet contained about 41,000 computers worldwide

    so around 40 999 Windows computers...
    theo_durcan
    • RE: Microsoft kills botnet that hosted MacDefender scareware

      @theo_durcan

      Really Really? Stupid freaking Troll!!!!!
      Viper589
      • Not really

        @Knix96
        It was an attempt at humour based somewhat on fact, and to a large extent was a fair one, as the majority of infected computers are Windows ones.
        jdbukis
      • calm down monkey boy

        @Knix96
        your master should teach you to stay cool...
        theo_durcan