
Microsoft wins over fake Mac antivirus botnet


Software giant Microsoft claimed this week to have stopped another botnet, one believed to be behind the propagation of fake antivirus software.

Richard Domingues Boscovich, a senior lawyer at Microsoft's Digital Crimes Unit, said the Kelihos botnet was taken down via "Operation b79."

"Kelihos, also known by some as 'Waledac 2.0' given its suspected ties to the first botnet Microsoft took down, is not as massive as the Rustock spambot. However, this takedown represents a significant advance in Microsoft’s fight against botnets nonetheless. This takedown will be the first time Microsoft has named a defendant in one of its civil cases involving a botnet and as of approximately 8:15 a.m. Central Europe time on Sept. 26th, the defendants were personally notified of the action," he said in a blog post.

He added this operation, using legal and technical measures, built on the recent successes against the Rustock and Waledac botnets. Boscovich added the Kelihos takedown is intended to send a strong message to those behind botnets that "it’s unwise for them to simply try to update their code and rebuild a botnet once we’ve dismantled it."

Microsoft filed a complaint against Dominique Alexander Piatti, dotFREE Group SRO, and 22 others, for using their domain cz.cc to operate the botnet. It said Piatti and company registered other subdomains such as lewgdooi.cz.cc for the botnet as well.

"Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities," Boscovich said.

He said that in addition to hosting Kelihos, the cz.cc domain has previously been investigated for hosting subdomains responsible for delivering MacDefender, a scareware that infects Apple’s operating system Mac OS X.

Microsoft also noted that in May 2011, Google had temporarily blocked subdomains hosted by the cz.cc domain from its search results after it discovered it was hosting malware. Google eventually reinstated the subdomains after the defendant allegedly corrected the problem.

Boscovich said Kelihos infected Internet users’ computers with malicious software which allowed the botnet to surreptitiously control a person’s computer and use it for a variety of illegal activities. Such activities included sending out billions of spam messages, harvesting users’ personal information (such as e-mails and passwords), fraudulent stock scams and, in some instances, websites promoting the sexual exploitation of children.

Microsoft said some of the spam messages also promoted potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and Windows operating system to carry out these illegal activities.

Temporary restraining order

Last Sept. 22, Microsoft filed for an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against Piatti, dotFREE Group SRO and the 22 John Does.

"The court granted our request, allowing us to sever the known connections between the Kelihos botnet and the individual 'zombie computers' under its control," Microsoft said.

Immediately following the takedown on Sept. 26th, Microsoft served Piatti, who was living and operating his business in the Czech Republic, and dotFREE Group SRO, with notice of the lawsuit. It then began discussions with Piatti to determine which of his subdomains were being used for legitimate business, so customers of the legitimate businesses can get back online soonest.

"We are also beginning our efforts to notify the other John Doe defendants in this case, and will be actively continuing our investigation to find out more about the people behind this botnet," Boscovich said.

Boscovich added naming defendants in this case marks a big step forward for Microsoft to aggressively protect its platform and customers against abuse.

"Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers. Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight," he said. "By taking down the botnet infrastructure, we hope that this will help deter and raise the cost of committing cybercrime," he added.

Operation b79 is Microsoft’s third Project MARS (Microsoft Active Response for Security) initiative. Project MARS is a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone.

"We learn important new information about the global botnet threat during every takedown, and we will continue to share threat intelligence gained in this effort with customers, partners and the global community to further disrupt cybercrime worldwide," Boscovich said.

Subdomain issue

Boscovich said this case also highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime.

"For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way," he said.

"Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users," he added.

Boscovich said the takedown of the Kelihos botnet represents an important element in Microsoft's botnet fighting efforts. He said Microsoft’s analysis of the Kelihos botnet showed large portions of Kelihos code were shared with Waledac, which suggested that Kelihos was either from the same parties or that the code was obtained, updated and reused.

"Once we learned of the apparent relationship to Waledac, we immediately began developing a plan to take out Kelihos using similar technical measures," he said.

Extent of Kelihos botnet

While Kelihos was considered a relatively small botnet with some 41,000 computers worldwide infected, Kelihos was capable of sending 3.8 billion spam e-mails per day. "We took this action before the botnet had an opportunity to grow further and because we believe accountability is important," Boscovich said.

Microsoft now plans to work with Internet Service Providers (ISPs) and Community Emergency Response Teams (CERTs) to repair the damage caused by Kelihos. It said its Malware Protection Center will add the Win32/Kelihos family in a second release of the Malicious Software Removal Tool to help minimize the malware’s future impact.

"And, as we have since the beginning of our botnet takedown initiative, we continue to provide free tools and information to help customers clean and regain control of their computers at http://support.microsoft.com/botnets," Boscovich said.

Botnet shutdown may not stop Mac malware

However, computer security firm Sophos said this may not necessarily mean the end of Mac malware. Sophos said it recently saw two new Trojans for OS X this week. These can join botnets and can be used to steal sensitive data, it said. "One was built to look like a PDF file and (one) pretended to be a Flash Player updater," it said in a blog post. — TJD, GMA News