Kelihos botnet and cz.cc takedown

Postby Red Dwarf » Thu Sep 29, 2011 5:14 pm

Microsoft keeps up the botnet pressure

Hot on the heels of Rustock and Waledac

InfoWorld Home / Security / News / Microsoft kills off a botnet by striking a domain...
September 27, 2011
Microsoft kills off a botnet by striking a domain provider
Microsoft has taken the Kelihos botnet offline and shut down the cz.cc subdomains by asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet.

Kelihos? Though it doesn't appear to register among the biggies listed at M86 Security, it is the principle that matters. This was seen as a successor to Waledac -

"With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet. But, it was spewing out just under 4 billion spam messages per day -- junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software. Technically, the botnet looked a lot like Waledac, and some security experts think it may have been built by the same criminals."

Credit should also go to Kaspersky Lab for its role -
"Kaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure," said Tillmann Werner, a senior virus analyst with Kaspersky in Germany. "We worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system," he added.

[EDIT: SiL corrected the spelling of "Microsoft". ($5) :silthumb: ]
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

Re: Kelihos botnet and cz.cc takedown

Postby spamislame » Thu Sep 29, 2011 9:13 pm

This is further great news, and even better - though not mentioned due to the details being extremely dull for the average reader - Microsoft and law enforcement officers are nearly single-handedly setting all of the legal precedents for any company to undertake the same kind of court-ordered shutdowns in the future.

This year is a landmark year (finally) for some really solid, not-easily-reversible botnet shutdowns. I just hope it eventually leads to some charges, fines and jail time that all warrant a serious deterrent to anyone stupid enough to keep doing this crap.

SiL
spamislame
Site Admin
 
Posts: 5058
Joined: Tue May 09, 2006 9:18 am

Re: Kelihos botnet and cz.cc takedown

Postby AlphaCentauri » Fri Sep 30, 2011 8:59 am

We've been saying all along that spam is financing the creation of the botnets that could be used for terrorist attacks. Maybe Anonymous' cybervandalism and overtly political pronouncements have finally got people thinking seriously about what a loose cannon all those compromised computers are.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Kelihos botnet and cz.cc takedown

Postby spamislame » Fri Sep 30, 2011 11:09 am

A story was posted about how this was achieved:

http://bit.ly/qykI7G

And that in turn has been Slashdotted:

http://it.slashdot.org/story/11/09/29/2 ... s-takedown

Interesting stuff.

SiL
spamislame
Site Admin
 
Posts: 5058
Joined: Tue May 09, 2006 9:18 am

Re: Kelihos botnet and cz.cc takedown

Postby Red Dwarf » Fri Sep 30, 2011 2:19 pm

And from whois, the Czech Republic has been moved out of the Cocos Islands -

Domain Name: CZ.CC
Registrar: MONIKER ONLINE SERVICES, INC.
Name Server: NS1.CZ.CC
Name Server: NS2.CZ.CC
Status: SERVER-HOLD
Status: SERVER-XFER-PROHIBITED
Status: SERVER-UPDATE-PROHIBITED
Status: SERVER-DELETE-PROHIBITED

Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-UPDATE-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 26-sep-2011
Creation Date: 13-oct-1997

What next, Colombia perhaps?
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am
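
The WHOIS record above is the kind of thing a defender checks when confirming that a domain on an indicator list has actually been taken out of the zone. The following is an added example, not code from this thread or from any of the parties named in it: it parses legacy Verisign-style WHOIS status lines and classifies the domain's hold state. The sample record is the cz.cc output quoted in the post; the classification rule (SERVER-* statuses are set by the registry, CLIENT-* by the registrar, and a HOLD status removes the name from the zone) follows the EPP status-code convention. Any field names beyond the ones in the record are assumptions.

```python
"""Parse Verisign-style WHOIS output and classify a domain's hold state.

Added example for this thread (not code from the original post). Rule of
thumb encoded here: SERVER-* statuses are imposed by the registry (for
example under a court order), CLIENT-* statuses by the registrar, and a
*-HOLD status means the name has been pulled from the DNS zone.
"""
import re
from dataclasses import dataclass, field

# WHOIS record exactly as quoted in the thread (Red Dwarf, 30 Sep 2011).
SAMPLE_WHOIS = """\
Domain Name: CZ.CC
Registrar: MONIKER ONLINE SERVICES, INC.
Name Server: NS1.CZ.CC
Name Server: NS2.CZ.CC
Status: SERVER-HOLD
Status: SERVER-XFER-PROHIBITED
Status: SERVER-UPDATE-PROHIBITED
Status: SERVER-DELETE-PROHIBITED

Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-UPDATE-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 26-sep-2011
Creation Date: 13-oct-1997
"""


@dataclass
class WhoisRecord:
    domain: str = ""
    registrar: str = ""
    name_servers: list = field(default_factory=list)
    statuses: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # any other "Key: value" line


# "Key: value" lines; keys in this format are words separated by spaces.
_LINE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_whois(text: str) -> WhoisRecord:
    """Collect repeatable fields (name servers, statuses) into lists."""
    rec = WhoisRecord()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank line or free text, ignore
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain name":
            rec.domain = value.lower()
        elif key == "registrar":
            rec.registrar = value
        elif key == "name server":
            rec.name_servers.append(value.lower())
        elif key == "status":
            rec.statuses.append(value.upper())
        else:
            rec.fields[key] = value
    return rec


def classify_hold(rec: WhoisRecord) -> str:
    """Return 'registry-hold', 'registrar-hold', 'locked' or 'active'."""
    statuses = set(rec.statuses)
    if "SERVER-HOLD" in statuses:
        return "registry-hold"   # registry removed the name from the zone
    if "CLIENT-HOLD" in statuses:
        return "registrar-hold"  # registrar removed the name from the zone
    if any(s.endswith("-PROHIBITED") for s in statuses):
        return "locked"          # still resolves, but changes are blocked
    return "active"


def registry_statuses(rec: WhoisRecord) -> list:
    """Only the registry-imposed (SERVER-*) statuses, sorted."""
    return sorted(s for s in rec.statuses if s.startswith("SERVER-"))


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    print(record.domain, classify_hold(record), registry_statuses(record))
```

Run on the quoted record this reports cz.cc as `registry-hold` with four SERVER-* statuses, which is what a seizure looks like from the outside: the registrar's CLIENT-* locks are still there, but the registry has added its own hold on top, and the Updated Date falls in the week of the court order.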

Re: Kelihos botnet and cz.cc takedown

Postby spamislame » Fri Sep 30, 2011 9:47 pm

Or Panama. :)

SiL
spamislame
Site Admin
 
Posts: 5058
Joined: Tue May 09, 2006 9:18 am

Re: Kelihos botnet and cz.cc takedown

Postby Red Dwarf » Thu Oct 27, 2011 7:12 pm

Further progress in the case. Microsoft gains the cz.cc domains
Ref: http://blogs.technet.com/b/microsoft_bl ... -case.aspx
Microsoft Reaches Settlement with Piatti, dotFREE Group in Kelihos Case
26 Oct 2011 9:00 AM
As part of the settlement, Mr. Piatti has agreed to delete or transfer all the subdomains used to either operate the Kelihos botnet, or used for other illegitimate purposes, to Microsoft. Additionally, Mr. Piatti and dotFREE Group have agreed to work with us to create and implement best practices to prevent abuse of free subdomains . . .
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

