Fresh off the success of decapitating the Rustock botnet, Microsoft today announced the takedown of another botnet known as Kelihos, which controlled 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day. While not as massive as Rustock, Microsoft said the operation is noteworthy because it marks the first time Microsoft has produced a named defendant in a botnet civil case. Microsoft is also updating its Malicious Software Removal Tool to clean up malware distributed by the botnet.

“Kelihos infected Internet users’ computers with malicious software which allowed the botnet to surreptitiously control a person’s computer and use it for a variety of illegal activities, including sending out billions of spam messages, harvesting users’ personal information (such as e-mails and passwords), fraudulent stock scams and, in some instances, websites promoting the sexual exploitation of children,” Microsoft Digital Crimes Unit senior attorney Richard Domingues Boscovich writes. “Similar to Rustock, some of the spam messages also promoted potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and [the] Windows operating system to carry out these illegal activities.”

A complaint Microsoft filed in a Virginia federal court lists the defendants as Dominique Alexander Piatti, registrant of the Internet domain “cz.cc” that Microsoft says was used to operate the Kelihos botnet, and a Czech domain name business called dotFREE Group SRO, which Microsoft said was operated at least in part by Piatti. The suit lists 22 more defendants only as “John Does” because their names are unknown.

Last week, Microsoft filed for a restraining order allowing it to sever known connections between the Kelihos botnet and the zombie computers it controlled. The request was granted and the severing was executed yesterday as part of what Microsoft is calling Operation b79. Microsoft’s civil suit seeks unspecified monetary damages and injunctions preventing the defendants from continuing the illegal activity.

The cz.cc domain was previously investigated for hosting subdomains that delivered MacDefender scareware, and was temporarily blocked from Google search results in May because it was hosting malware, Boscovich says. The Kelihos botnet itself is also called “Waledac 2.0” because of its suspected ties to Waledac, a botnet Microsoft dismantled last year and which shared code with Kelihos.

According to Microsoft’s complaint, Piatti used his top-level cz.cc domain to register subdomains that were used in the Kelihos botnet.

“Under US law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime,” Microsoft said. “Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.”

The takedown operation carried the risk of knocking legitimate websites hosted under cz.cc offline, with Microsoft saying it has begun “discussions with Mr. Piatti to determine which of his subdomains were being used for legitimate business, so we could get those customers back online as soon as possible. We are also beginning our efforts to notify the other John Doe defendants in this case, and will be actively continuing our investigation to find out more about the people behind this botnet.”

Because of the relatively small size of Kelihos, Microsoft said the takedown will not have the same impact on Internet safety as the takedowns of Rustock and Waledac. “We took this action before the botnet had an opportunity to grow further and because we believe accountability is important,” Boscovich writes.