Microsoft’s Digital Crimes Unit has shut down a botnet that was investigated for hosting the MacDefender scareware that preyed on Mac OS X users.
The botnet, known as Kelihos or “Waledac 2.0,” has been linked to spam messages, ID-theft attacks, pump-and-dump stock scams and websites promoting the sexual exploitation of children, according to Microsoft senior attorney Richard Domingues Boscovich.
The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.
For the first time since Microsoft’s anti-cybercrime team started disabling botnets, the company moved to the U.S. court system and identified a defendant that allegedly owned the domain that controlled the botnet.
In the complaint [PDF], Microsoft names Dominique Alexander Piatti alongside dotFREE Group SRO and John Does 1-22 and said they owned domains and subdomains that were used to operate and control the Kelihos botnet.
“Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities,” Boscovich said.
In addition to hosting the Kelihos botnet, Microsoft said its investigations revealed that the defendants’ cz.cc domain was previously linked to sub-domains responsible for delivering MacDefender, a type of scareware that infects Apple’s operating system.
In May 2011, Google temporarily blocked subdomains hosted by the cz.cc domain from its search results after it discovered it was hosting malware, although Google reinstated the subdomains after the defendant allegedly corrected the problem. (See this public gripe from Piatti about the blocked domains).
Boscovich said the botnet was also used to promote potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and Windows operating system to carry out these illegal activities.
[T]his case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains –making it easy for domain owners to look the other way.
Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.
Piatti, who is based in the Czech Republic, has been served notice of the lawsuit. Microsoft said it is in discussions with Piatti to determine which of his sub-domains were being used for legitimate business, so that those customers could be reconnected.
