Microsoft's botnet take-down helps protect Mac users
Side effect of Kelihos botnet disruption kills domains used to spread MacDefender scareware
Computerworld - Mac users can thank Microsoft for taking down a small but dangerous botnet.
On Monday, at the request of Microsoft, a Virginia federal judge ordered VeriSign to shut down nearly two dozen domains linked to servers that controlled the Kelihos botnet.
One of those domains -- cz.cc -- had hosted machines that distributed waves of fake Mac antivirus software for weeks last spring, according to Microsoft and several security companies.
The fake programs, called "scareware" or "rogueware," began hitting users in early May and continued for nearly two months. Like similar -- and much more prevalent -- software aimed at Windows PCs, the Mac scareware falsely claimed that the computer was heavily infected. Once installed, phony antivirus software nags users with pop-ups and fake alerts until they fork over a fee to purchase the worthless program.
Microsoft noted that the cz.cc domain had "previously been investigated for hosting subdomains responsible for delivering MacDefender," the most-used name of the Mac scareware.
A pair of security companies that analyzed MacDefender in May and June confirmed Microsoft's contention today.
Among the subdomains serving up MacDefender, said both French-based Intego and U.K.-headquartered Sophos, were ones under the cz.cc domain that VeriSign shuttered.
"The sites that were leading you to MacDefender were diverse and most often compromised .com sites," said Chet Wisniewski, a Sophos security researcher, talking about how users were redirected from hacked sites to those actually pushing scareware to Macs. "I can't confirm that MacDefender was exclusively distributed through cz.cc, but anecdotally I can say it was a high percentage."
But both Wisniewski and Peter James, a spokesman for Intego, said that Microsoft's take-down was, in fact, largely moot.
"MacDefender started disappearing after the arrest of Pavel Vrublevsky in June," said Wisniewski, referring to the man who was charged with hacking into a rival of ChronoPay, a Russian company that allegedly processed credit card payments for scareware spreaders.
Vrublevsky's arrest had followed an operation in the U.S. and several other countries where authorities busted cyber gangs responsible for distributing massive amounts of scareware to Windows PCs.
Operation Trident Tribunal had targeted criminals who purportedly infected nearly a million PCs with scareware, and raked in $72 million in revenues from the scam.
"[MacDefender] seems to have faded away," agreed James of Intego. "I think a combination of the amount of press it got, and some arrests of people behind fake antivirus, stopped it or made it go dormant."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts