Microsoft clears Czech firm in Kelihos botnet case

Dismisses lawsuit against hosting firm accused of harboring command servers for spam-spewing botnet

Microsoft yesterday dismissed a lawsuit against a Czech firm it had accused of hosting command-and-control servers for a botnet it stamped out last month.

"Microsoft has reached a settlement with defendants Dominique Alexander Piatti and his company, dotFREE Group SRO, and will be dismissing the lawsuit against them," said Richard Boscovich, a senior attorney with the company's digital crimes unit, in a Wednesday blog.

Piatti and his company, dotFREE, were among two-dozen defendants named in a lawsuit Microsoft filed in U.S. federal court last month as part of a takedown of the Kelihos botnet, a collection of some 45,000 compromised computers.

To shutter the botnet, Microsoft used a court order to seize control of 21 domains where hackers had stashed the Kelihos command-and-control (C&C) servers, including the domain owned by Piatti, the CEO of Prague-based dotFREE.

Yesterday, Boscovich absolved Piatti of responsibility.

"After reviewing the evidence ... we believe that neither he nor his business were involved in controlling the subdomains used to host the Kelihos botnet," said Boscovich. "Rather, the controllers of the Kelihos botnet leveraged the subdomain services offered by Mr. Piatti's domain."

As part of the settlement Microsoft struck with Piatti -- who never contested the Redmond, Wash. company's legal maneuvers -- Piatti agreed to delete or transfer to Microsoft the subdomains that housed Kelihos C&C servers.

Additionally, Piatti agreed to work with Microsoft on ways to prevent future abuse of dotFREE's free subdomains.

Piatti seemed happy to have Microsoft's help.

"Being free and popular, [] also became a target for abuse and some people started using its subdomains for illegitimate purposes," Piatti today said in an email reply to questions. "We've been working with several antivirus and security companies to help us identify and delete those abusive domains [but] this requires constant efforts, and we're spending most of our time and resources on the security aspects of business."

As Piatti implied, the domain had been fingered earlier for malicious activities, among them hosting systems that distributed MacDefender, a fake Mac antivirus program that plagued users for several weeks last spring.

But even though Piatti acknowledged issues with his domain, he said the Microsoft lawsuit still "took us a bit by surprise."

With Piatti behind them, Microsoft will focus its efforts on identifying the 22 John Does it named in the September lawsuit, who it says are the actual controllers of Kelihos.

Microsoft has won court approval to spend the next 90 days querying other Internet service providers (ISPs) about the identities of the John Doe defendants, according to documents filed Tuesday in a Virginia federal court.

Boscovich also hinted that Microsoft will try to pinpoint the PCs infected with the Kelihos botnet Trojan. "By gaining control of the subdomains, we are afforded an inside look at the Kelihos botnet, giving us the opportunity to learn which unique IP addresses are infected with the botnet's malware," he said.

Microsoft has used the U.S. court system several times in the last two years to take down botnets, including Rustock last March and Waledac in February 2010.

Many security experts have linked Kelihos with Waledac -- the two infectious Trojans shared code, they said -- and the former was likely an attempt to recruit a new army of hacked PCs after the latter's 2010 shuttering.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is

See more articles by Gregg Keizer.

Copyright © 2011 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon