Microsoft added another notch to its belt today following the demise of a 41,000-strong botnet. Called Kelihos or Waledac 2.0, the zombie network was capable of sending 3.8 billion spam emails per day. While it isn't the biggest fish Microsoft has fried, this marks the first time it has named a defendant in a botnet case. One alleged operator has been personally notified of the actions against him as of 8:15AM Central Europe time on Monday.
In its Virginia federal court filing, Microsoft alleges that Dominique Alexander Piatti of the Czech Republic used the free domain service dotFREE Group to operate and control Kelihos -- namely with "cz.cc" domains. In addition to hosting Kelihos, cz.cc domains have previously appeared on Redmond's radar for delivering the MacDefender scareware. In May, Google temporarily blocked cz.cc addresses from its search results for hosting malware.
The complaint also includes 22 more "John Doe" defendants whose identities are unknown, as was the case with Microsoft's previous endeavors. In July, the company offered a $250,000 bounty for information that would lead to the identification and conviction of the individuals behind Rustock, a mammoth botnet Microsoft killed in March. Rustock was responsible for 47.5% of global spam in late 2010, sending 44.1 billion emails daily.
Repeating the formula that has worked in past cases, Microsoft killed Kelihos by seizing the domains largely responsible for issuing instructions to the infected computers. On September 22, the company filed for an ex parte temporary restraining order against Piatti, dotFREE Group SRO and the John Does, allowing the company to sever the known connections between Kelihos and its enslaved machines. Some of the cz.cc domains were admittedly being used for legitimate businesses and Microsoft is working with Piatti to get those sites back online.
Analysis revealed that much of Kelihos' code was borrowed from Waledac, which infected about 90,000 systems at its peak and was disabled by Redmond last year. "The Kelihos takedown is intended to send a strong message to those behind botnets that it's unwise for them to simply try to update their code and rebuild a botnet once we've dismantled it. When Microsoft takes a botnet down, we intend to keep it down -- and we will continue to take action to protect our customers and platforms and hold botherders accountable for their actions," Microsoft said.