Microsoft: No Resurrection For Dead Botnets

On September 27, Microsoft announced it had taken down a "relatively small" botnet known as Kelihos. The botnet, which consisted of 41,000 compromised computers, allowed its operators to send spam, steal financial information and level denial-of-service attacks against target networks.

Yet, the genesis of the operation stretches back to the beginning of the year, when Microsoft researchers found links between Kelihos and the former Waledac botnet, the target of the software giant's first takedown efforts. Kelihos used a similar command-and-control structure to Waledac, and some code so resembled the previous botnet that researchers had started calling it Waledac 2.0.

The relationship, even if tenuous, convinced Microsoft to act. The company decided it was worth the effort to make sure that a botnet it had shut down, remained down, says Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit.

"As far as we are concerned, when we take something down, we want to keep it down," says Boscovich. "And anybody -- be it the original authors of the Waledac code or maybe someone else that is repurposing or reusing remnants of that code -- we want to make sure it's clear that if we turn something off, it stays off."

The company, along with security firms such as Kaspersky, began investigating the botnet. Taking it down would not be easy.

Kelihos, also referred to as Hlux by Kaspersky, consisted of a three-layer architecture. At the low end were the compromised machines -- the workers -- responsible for sending out spam and executing denial-of-service attacks. The workers were bots that were most expendable. Above the workers sat the routers, a peer-to-peer connected group of computers that acted as proxies to relay commands and hide the location of the command-and-control servers, which made up the top layer.

Cutting off the domains, as Microsoft did with Waledac, would result in the botnet reverting to a backup communications protocol, a peer-to-peer network. Kaspersky did much of the work to reverse engineer how that peer-to-peer communication worked, says Roel Schouwenberg, a senior researcher with Kaspersky Lab.

"Based on that information, we created the necessary tools to sinkhole the botnet," he says. On September 22, Microsoft filed a temporary restraining order in many ways similar to the company's attack on the Waledac botnet, with one exception: The company was naming names. In its complaint, the company pointed to a resident of the Czech Republic, Dominique Alexander Piatti and his company DotFree Group s.r.o. as responsible for the botnet, or at the very least, negligent in their management of their servers.

The software giant gained a court order requesting that VeriSign to shut down the domains used by the botnet's command-and-control servers, while at the same time, security firm Kaspersky created sinkholes servers to interrupt the peer-to-peer communications between the bots and the firm's sinkhole server. At the same time, a European representative of Microsoft and the company's attorney in the Czech Republic approached Piatti as he stopped for breakfast on his morning commute.

"The conversation was primarily focused on making sure that, if there were some legitimate subdomains, to verify them," Microsoft's Boscovich says. "He was receptive to our conversation, and he agreed later on that morning to go back to our Czech counsel's office to discuss the case."

Meanwhile, the Kelihos botnet is not dead, merely held in limbo. Kaspersky's researchers effectively have control over the 41,000 bots and could conceivably tell each infected machine to uninstall the software. However, that is still illegal in many jurisdiction across the globe and not a step the company is yet willing to take.

"As an industry we're still new at taking down botnets," says Kaspersky's Schouwenberg. "Especially the legal challenges are big, though we shouldn't forget about the ethical side either. What we need are international agreements on botnet takedowns and cleanups."