Bug in Microsoft RDP allows hackers perform WannaCry level attack


A critical remote execution vulnerability in Microsoft remote desktop services enables let attackers compromise the vulnerable system with WannaCry level malware.

Microsoft recently fixed this RCE vulnerability in Remote Desktop Services – formerly known as Terminal Services, and it’s affected some of the old version of Windows.

A WannaCry attack was one of the notorious cyber attacks in this decade, and it shut down million of computer around the world by exploiting the vulnerability in the RDP protocol.

In this case, Remote Desktop Protocol (RDP) itself is not vulnerable, but attackers need to perform pre-authentication, and it doesn’t require user interaction.

This vulnerability didn’t have any exploit at this time, but in the future, an attacker will create a malware that exploits this vulnerability in a similar way of WannaCry attack.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008 and also out of support versions Windows 2003 and Windows XP.

3 Million Endpoints are Vulnerable to This RCE Bug

Initially, an unauthenticated attacker will send the specially crafted malicious request to the vulnerable systems after they establish a connection through RDP.

According to Microsoft, This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An Independent researcher Kevin Beaumont said, based on the Shodan search engine, around 3 million RDP endpoints are directly exposed to the internet.

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.” Microsoft said.

According to Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) “Customers running Windows 8 and Windows 10 are not affected by this vulnerability”.

Legitimate Apps That Could Be Exploited To Bypass The Windows Defender: Microsoft’s List



Microsoft recently, published a conspicuous list of application that are legitimate and yet could be exploited by hackers to bypass the Windows defender.


These hackers try to slide into the organizations’ networks and infect them via bypassing the security imparted by the defender.

The hackers usually make use of off-the-land attack tactics where they use the victim’s operating system features or authentic network administration tools to compromise the networks.

The major motive of this project was to comprehend the binaries that were being misused by the attacker.

·       LOLBins- Living Off The Land Binaries
·       LOLScripts- Living Off The Land Scripts
·       LOLLibs- Living Off The Land Libraries
·       GTFOBins- Unix Platform Binaries

The only point of fusing the legitimate app is to stay undetected in order to bypass the security measures of the network.

The LOTL tools are just a way to be as stealthy as possible as be as malignant as possible without even being easily caught.

The following applications are in the list that Microsoft published and recommend to do away with if not in use:
·       addinprocess.exe
·       addinprocess32.exe
·       addinutil.exe
·       bash.exe
·       bginfo.exe[1]
·       cdb.exe
·       csi.exe
·       dbghost.exe
·       dbgsvc.exe
·       dnx.exe
·       fsi.exe
·       fsiAnyCpu.exe
·       kd.exe
·       ntkd.exe
·       lxssmanager.dll
·       msbuild.exe[2]
·       mshta.exe
·       ntsd.exe
·       rcsi.exe
·       system.management.automation.dll
·       windbg.exe
·       wmic.exe

Along with the published list Microsoft has also highly recommended the users to download latest security updates.

In addition it has also provided the “deny file rules” for all apps.

Lateral movement and defense evasion happen to be the mostly used ways to exploit the authentic applications.


Unprotected database exposes data of 80 million US households




Security researchers have uncovered a security breach that exposes the data of more than half of United States households. 

Experts working with a firm named vpnMentor, that expertises in analyzing virtual private network services, discovered a database containing details of about 80 million American households. 

The database was hosted on a Microsoft cloud server, that includes some sensitive information like names, addresses, locations, gender, age, income, home type and marital status, among other data. 

However, social security numbers and credit card details were not enlisted there. 

Researchers Ran Locar and Noam Rotem said it's unclear who owns the 24-gigabyte database.  

'Unlike previous leaks we've discovered, this time, we have no idea who this database belongs to,' the researchers said. 

'It's hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.'  

Meanwhile, the database is still available online, and is not protected by password. 

'This isn’t the first time a huge database has been breached,' the researchers explained. 

'However, we believe that it is the first time a breach of this size has included peoples' names, addresses, and income. 

'This open database is a goldmine for identity thieves and other attackers,' they added.  







Microsoft’s email services hacked




Microsoft has confirmed a data breach by unknown hackers who might have been successful in accessing a ‘’limited’’ number of Microsoft customer’s Email.

According to the company, hackers breached the Microsoft network between January 1 and March 28 and compromised the Microsoft support agent’s credentials.

Microsoft sent an email notification to all their customer via stating, “This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments”

The company has confirmed the incident to TechCrunch that account of users of services like @msn.com and @hotmail.com had been compromised in the recent breach, but the exact number of victims is not known. 

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in an email.

Microsoft is urging all its affected users to change their passwords immediately. 





99 Iranian websites used for hacking were seized by Microsoft

                    




According to a report by Associated Press, Microsoft has seized 99 Iranian websites that were supposedly stealing information and launching cyber attacks. The report also said that it had been tracking the group of hackers since 2013.

The hackers were targeting people in the middle east to steal sensitive information by using the malicious websites that were disguised as Microsoft, Linkedin, Outlook and Windows products. Microsoft confirmed in a court filing that this group was stealing information about reporters, activists, political people including “ protesting oppressive regimes”.

The hackers are from Iran but the Tehran government has denied any hacking activity from their end. In the past also Iran government has denied any hacking attempts from their end.

Allison Wikoff, a security researcher at Atlanta-based SecureWorks told Associated Press that according to her observation it is one of the “more active Iranian threat groups”. She further added that Microsoft analyze fake domains through analyzing traffics to protect against fake domains and the practice is popularly called as “sinkholing”.In the past also, Microsoft has used “sinkholing” to seize fake domains made by Russian hackers back in 2016.








US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites


Microsoft has been legally given the control of 99 websites which were being operated in association with an Iranian hacking group, Phosphorus. 

In order to prevent the sites from being employed for the execution of cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to be in charge of these websites related to the aforementioned hacking group which is also known as Charming Kitten, Ajax Security Team and APT 35.

The malicious group, Phosphorus is configured to employ spear-phishing to sneak into private accounts of individuals. Cybercriminals at Phosphorus resort to social engineering in order to lure individuals to click on the links, at times sent via fake accounts that appear to be of familiar contacts. The link carries infectious software which allows Phosphorus to sneak into the computer systems.

Basically, it performs malicious activity to acquire access to sensitive data stored onto the computer systems of government agencies and businesses.

Putting the same into context in a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, said, "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East,"

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt told in his blog post.


Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."

Phishing Attacks on Microsoft and Outlook; By Way of Microsoft’s Azure Blob Storage




Two major phishing campaigns have been discovered by the researchers which uses Microsoft’s Azure blob to steal details from Outlook and Microsoft accounts.


Both the campaigns employ real-looking landing pages which make use of SSL certificates and the windows.net domain to seem authentic.

The first phishing email goes around asking the receivers to log into their office 365 account to update the information.

The emails happened to have “Action Required: (email address) information is outdated-Re-validate now!!” in their subject boxes.

The moment a user clicks on the link provided in the mail, they will be directed to a landing page which fake-acts as the organization’s Outlook Web App.

This landing page is what does the main task of stealing the credentials from the user.

The second one works on stealing users’ Microsoft account details and credentials.

The process to lure in the user starts from Facebook’s workplace service and ends up taking the user to a Microsoft’s landing page.

This could either be s single-sign-on approach or a mixed up campaign for luring victims in.

The Microsoft account the users are brought to, is fairly legit looking as it uses the same form and the same background for that matter.

Both the landing pages make use of Azure Blog Storage to make them look convincing and as far as possible, legitimate.

All Microsoft Azure does is that is adds legitimacy to the landing pages used by the phishing-cons to target the Microsoft services.

The Azure Blob storage URLs use the windows.net domain making the landings look fairly legitimate.

One of the phishing links which is not in use anymore had the URL-  https://1drive6e1lj8tcmteh5m.z6.web.core.windows.net/ and the domain name seemed to do the trick.

Also, every URL on Azure Blob Storage happens to be using a wildcard SSL certificate from Microsoft, making every landing page get a “lock symbol”.

This would exhibit a Microsoft certificate every time a user would try to click on the certificate to check who signed, making the entire sham all the more believable.

To steer clear of such phishing attack one thing need to be kept in mind that the original login forms from Outlook and Microsoft could indubitably have outlook.com, live.com, and Microsoft.com as their domain names.


Amazon, Microsoft calls for Regulation on Face Recognition




Amazon is batting in favor of regulating and legislating the use of facial recognition technology and has written a  long, detailed blog post detailing its stand on the issue.

In the blog post written by the Vice-President of Global Public Policy at Amazon Web Services (AWS),  Michael Punke, the company revealed its "proposed guidelines" for the use of the technology by the companies, so that it cannot be used to discriminate. 

Punke wrote that the company “supports the creation of a national legislative framework covering facial recognition through video and photographic monitoring on public or commercial premises.”

Amazon has faced criticism after tests by civil rights groups and ACLU found out that Amazon's face Rekognition functions are less accurate for black people. In January, two researchers reported an Amazon Web  Services that determine the gender of the people in photos is also less accurate in the case of black women. 

However, Amazon refuted the claims of the studies saying that the Rekognition was “not used properly"  by the researchers.
Amazon wants legislation “that protects individual civil rights and ensures that governments are transparent in their use of facial recognition technology,” Punke wrote. 
The blog post is seen as the move to counter the facial recognition backlash.

Microsoft Advises Its Users to Stop Using Its Legacy Internet Explorer Web Browser


Microsoft's cyber security expert Chris Jackson advises users to quit utilizing the 'legacy' internet browser, which Microsoft formally ended in 2015 encouraging them to move to a much more 'modern browser' that is fully informed regarding current web guidelines as well as standards.

In a blog entry post the 'Perils of using Internet Explorer as your Default Browser ' Jackson clarified with explanation with several reasons as to why the users should switch.

“Internet Explorer is a compatibility solution, we're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers.”


'...As new apps are coming out with greater frequency, what we want to help you do is avoid having to miss out on a progressively larger portion of the web,' he adds later.

While he includes further that it's commonly fine for users to utilize Internet Explorer in an undertaking situation, yet they would secure themselves better on the off chance if they change to a more up to date browser.



Artificial Intelligence Is What’s Protecting Your Microsoft, Google And Similar Accounts





Artificially intelligent systems are quite on the run these days. The new generation believes a lot in the security system which evolves with the hackers’ trickery.

Microsoft, Google, Amazon, and numerous other organizations keep the faith in artificially intelligent security systems.

Technology based on rules and designed to avert only certain and particular kinds of attacks has gotten pretty old school.

There is a raging need for a system which comprehends previous behavior of hacking or any sort of cyber attacks and acts accordingly.

According to researchers, the dynamic nature of machines, especially AI makes it super flexible and all the more efficient in terms of handling security issues.

The automatic and constant retaining process certainly gives AI an edge over all the other forms.

But, de facto, hackers are quite adaptable too. They also usually work on the mechanical tendencies of the AI.

The basic way they go around is corrupting the algorithms and invading the company’s data which is usually the cloud space.

Amazon’s Chief Information Security Officer mentioned that via the aforementioned technology seriously aids in identifying threats at an early stage, hence reducing the severity and instantly restoring systems.

He also cited that despite the absolute aversion of intrusions being impossible, the company’s working hard towards making hacking a difficult job.

Initially, the older systems used to block entry in case they found anything suspicious happening or in case of someone logging in from an unprecedented location.

But, due to the very bluntness of the security system, real and actual users get to bear the inconvenience.

Approximately, 3% of the times, Microsoft had gotten false positives in case of fake logins, which in a great deal because the company has over billions of logins.

Microsoft, hence, mostly calculates and analyzes the technology through the data of other companies using it too.
The results borne are astonishing. The false positive rate has gotten down to 0.001%.

Ram Shankar Siva Kumar, who’s Microsoft’s “Data Cowboy”, is the guy behind training all these algorithms. He handles a 18-engineer team and works the development of the speed of the system.

The systems work efficiently with systems of other companies who use Microsoft’s cloud provisions and services.

The major reason behind, why there is an increasing need to employ AI is that the number of logins is increasing by the day and it’s practically impossible for humans to write algorithms for such vast data.

There is a lot of work involved in keeping the customers and users safe at all times. Google is up and about checking for breachers, even post log in.

Google keeps an eye on several different aspects of a user’s behavior throughout the session because an illegitimate user would act suspiciously for sure, some time or the other.

Microsoft and Amazon in addition to using the aforementioned services are also providing them to the customers.

Amazon has GuardDuty and Macie which it employs to look for sensitive data of the customer especially on Netflix etc. These services also sometimes monitor the employees’ working.

Machine learning security could not always be counted on, especially when there isn’t enough data to train them. Besides, there is always a worry-some feeling about their being exploited.

Mimicking users’ activity to degrade algorithms is something that could easily fool such a technique. Next in line could be tampering with the data for ulterior purposes.

With such technologies in use it gets imperative for organizations to keep their algorithms and formulae a never-ending mystery.

The silver lining though, is that such threats have more of an existence on paper than in reality. But with increasingly active technological innovation, this scenario could change at any time.




Microsoft, Netflix and PayPal Emerge As the Top Targets for Phishing Attacks



Email security provider Vade Secure released another phishing report following the 25 most 'spoofed' brands in North America that are imitated in phishing attacks. Amongst them the top three are Microsoft, Netflix and PayPal.

Out of all the 86 brands that were tracked, 96% of them all were done so by the company as per their Q3 2018 report.

Bank of America and Wells Fargo are not so far behind Microsoft and the other top 2 targets in this case as there has been an increase in these phishing attacks by approximately 20.4% as reported by Vade Secure. As the attackers attempt to access Office 365, One Drive, and Azure credentials their focus has been towards cloud based services as well as financial companies.



Vade Secure's report states - "The primary goal of Microsoft phishing attacks is to harvest Office 365 credentials. With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps, such as SharePoint, One Drive, Skype, Excel, CRM, etc. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization."

The attackers, through a feeling of urgency endeavor to show that the recipient's account has been suspended or so thus inciting them to login in order to determine the issue, this happens in the case of Office 365 phishing emails. By doing this though they expect for the victims to be less wary when entering their credentials.

Exceptionally compelling is that attackers have a tendency to pursue a pattern with respect to what days they send the most volume of phishing mails. As per the report, most business related attacks tend to happen amid the week with Tuesday and Thursday being the most popular days. For Netflix though, the most focused on days are Sunday because that is the time when users' are taking a backseat and indulge in some quality television.

As these attacks become more targeted Vade Secure’s report further states – "What should be more concerning to security professionals is that phishing attacks are becoming more targeted. When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid by reputation-based security defenses. In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools."

For the users' however , it is advised to dependably examine a site before entering any login details and if there are any occurrences of the URL seeming abnormal or even something as minor as a language blunders then they should report the issue directly to either the administrator or the company itself.



Shares Of The Microsoft Corp. Closed At A Record High; Expanding Its Secure Score Service


Microsoft in its Ignite Conference in Orlando, revealed that it was applying its Authenticator application across Azure to get rid of login passwords and growing the Secure Score benefits and services over its cloud to give users feedback options to prevent any breaches.

As the shares of the Microsoft Corp. closed at a record high the tech giant has now taken into consideration the expansion on its profile as a secure cloud vendor on Monday, utilizing its yearly IT conference to make public a few security activities and initiatives intended to target few enterprises to its Azure public cloud platform and far from rivals such as Amazon.com Inc.  and Alphabet Inc.

As far back as the announcement by Chief Executive Satya Nadella in November 2015 is concerned it was decided that Microsoft would invest $1 billion a year in the security research and development, the stock's price has indeed billowed about 116%, making it the best performing tech stock on the Dow over that period, with Apple Inc. AAPL, - 0.45% up 91% and Cisco Systems Inc. CSCO, +0.33% up 81%.

While Amazon.com Inc. AMZN, +0.41% are as yet the predominant public cloud player by far with the Amazon Web Services, Microsoft's Azure has relentlessly been wearing down AWS as one of the fastest-growing public cloud providers. In its last earnings increase.

Microsoft shares finishes 0.4% at $114.67, a record close for a third session in succession, while the Dow Jones Industrial Average DJIA, - 0.68% declined 0.7%, the S&P 500 index SPX, - 0.35% slipped 0.4%, and the tech-heavy Nasdaq Composite Index COMP, +0.08% completed under 0.1%.

These announcements though come about a week after Microsoft launched a shot targeting the opponents in another region, exhibiting an AI variant of its Dynamics 365 customer relationship management

Address Bar Spoofing Attacks by Safari Browser





Security researcher Rafay Baloch as of late discovered vulnerability in the Safari browser that purportedly enabled the attackers to take control of the content shown on the address bar. The method enables the 'bad actor' to perform phishing attacks that are extremely troublesome for the user to recognize. The program bug is said to be a race condition which is enabling the JavaScript to change the address bar before even the website pages are loaded completely.

In order to exploit the vulnerability, with tracking id CVE-2018-8383 the attackers were required to trap the victims onto a specially designed site which could be accomplished quite easily and Apple, despite the fact that Baloch had instantly informed both Apple and Microsoft about the bug, deferred this fix even after its three-month grace period prior to public exposure lapsed seven days back.
While Microsoft reacted with the fix on Edge on August 14th as a major aspect of their one of the security updates. The deferral by Apple is what may have left the Safari browser defenseless thusly enabling the attackers to impersonate any site as the victim sees the legit domain name in the address bar with complete confirmation and authentication marks.

At the point when the bug was tested with Proof-Of-Concept (P.O.C) Code, the page could stack content from Gmail while it was hosted on sh3ifu.com and worked perfectly fine in spite of the fact that there are a few components that continued loading even as the page loaded completely, demonstrating that it is an inadequate  and incomplete procedure.

The main trouble on Safari though, Baloch clarified, is that user can't type in the fields while the page is as yet loading, nevertheless he and his group overcame this issue by including a fake keyboard on the screen, something that banking Trojans did for years for improving the situation and are still discovering new and inventive approaches to dispose of the issue at the earliest opportunity.


Microsoft Shuts down Websites in Association with the Russian Military Intelligence Service GRU


On the twentieth of August, Microsoft made public that it effectively terminated 6 websites in affiliation with the Russian Military Intelligence Service GRU.

The hacker group that has come to light is the well-known Fancy Bear also referred to here, as APT28 which likewise has been formerly connected to cyber-espionage campaigns directed towards various governments around the globe, including to the hack of the Democratic National Committee before the 2016 US Presidential Election.

The gathering last targeted the conservative think tanks namely the Hudson Institute and the International Republican Institute, three which were intended to mirror the U.S. Senate sites and one of the fake ones even ridiculed Microsoft's online products.

Microsoft's Digital Crimes Unit (DCU) effectively executed a court order to transfer the control of six internet domains made by the group. The six domains are:

my-iri.org
hudsonorg-my-sharepoint.com
senate.group
adfs-senate.services
adfs-senate.email
office365-onedrive.com

Microsoft’s president and chief legal officer Brad Smith wrote, “We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group. Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit.”

What's more, in spite of last week's steps, Microsoft is anxious by the continuous activity that is focusing on these and other sites that are for the most part centered towards elected officials, politicians, political groups and additionally think tanks over the political range in the United States.

Since Russian cyber-attacks directed towards the elections are recurring and likely to expand , Microsoft is intending to protract the Microsoft's Defending Democracy Program with yet another initiative called the Microsoft AccountGuard , which will provide the best in class cyber security protection at no additional cost to all the candidates and campaign workplaces at the federal, state and local level as well as think tanks and political organizations that are presently thought to be under attack.


NHS to migrate to Windows 10 to upgrade cybersecurity defences

Microsoft on Saturday announced that The UK Department of Health and Social Care will transition all National Health Service (NHS) computer systems to Windows 10 to better protect against future cyber attacks. 

The Department has made a security deal with Microsoft regarding the same.

According to officials, the operating system’s more advanced security features are the primary reason for the transition, such as the SmartScreen technology equipped with Microsoft Edge and Windows Defender.

One of the other reasons for upgrading their security systems was the damages caused by the WannaCry ransomware attack last year, when NHS was one of the first victims.

“More than a third of trusts in the UK were disrupted by the WannaCry ransomware attack last year, according to the National Audit Office, which led to the cancellation of 6,900 appointments. WannaCry was an international attack on an unprecedented scale that affected organisations across the globe. While it did not specifically target the NHS, the impact on health organisations was significant,” read the announcement by Microsoft.

According to Kaspersky and Microsoft telemetry, over 98 percent of all WannaCry victims were Windows 7 users.

“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS as far as reasonably possible against this threat,” said Jeremy Hunt, the Health and Social Care Secretary. “This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”



Edge Browser, Son of the Internet Explorer wants to fulfill father's dying wish



With Microsoft edge not getting popular among users, and rivals doing far better, Micrososft has come up with the update which tricks user to use Microsoft edge as the Default browser .

If you have Windows 10 operating system , then Edge is the default browser and If you try to make other browser as default it would prompt you to give Edge a try and would suggest all the positive features like the ability to annotate web pages using a stylus, in-built Cortana integration and the distraction-free Reading Mode.

It gives various prompts like "Give Microsoft Edge a shot", "Before you switch defaults, see what you can do in an app built just for Windows 10" , "Don't switch and try it now" and keeps it the default browser for the operating system.

Microsoft is using same trick for its photo and music applications too. If you try to switch in the settings panel a similar dialogue box appears and convinces you to use Microsoft's own Photos and Groove Music applications.

Microsoft launched several campaigns like Windows 10 campaign - a 100 pound cash incentive - to convince users to upgrade and its providing free operating system upgrade for windows 7, 8 and 8.1 to windows 10 .

The Redmond technology firm is even quietly installing the operating system onto your machine so it's ready whenever you decide to upgrade.

The promotion has helped drive uptake of Windows 10 and as a result, the new OS has been installed on a staggering 110 million devices within the last 11 weeks.

Microsoft destroys Botnets by taking down the Domain Providers

Microsoft got the order from the U.S. District Court for the Eastern District of Virginia, Alexandria Division, telling top-level domain registrar Verisign to take down the domains, on Sept. 22, but it was sealed until Monday, when Piatti was served with a court summons in the case by Microsoft lawyers in the Czech Republic. The site take down occurred just after midnight, Pacific Time, Monday.

 Microsoft destroys Botnet by taking down the Domain Providers.Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet.

"These were domains either directly or though subdomains, that were actually being utilized to point computers to command and control websites for the Kelihos botnet," said Richard Boscovich, an attorney with Microsoft's digital crimes unit.

With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet. But, it was spewing out just under 4 billion spam messages per day -- junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software. Technically, the botnet looked a lot like Waledac, and some security experts think it may have been built by the same criminals.

The idea of a highly disruptive botnet that Microsoft shut down in February 2010 quietly resurfacing under a different name didn't sit too well with Microsoft's digital crimes unit. "We wanted to take it out early enough so that number one, it wouldn't grow and propagate ... but also to make the point that when a threat is down, it's going to stay down," Boscovich said. "I think we made that point pretty effectively in this particular operation."

All but one of the Internet domains that Microsoft took offline are anonymously registered in the Bahamas, but one domain cz.cc is owned by Dominique Piatti who runs a domain name business called Dotfree Group out of the Czech Republic.

"For some time now, this particular domain has had multiple issues with it in addition to Kelihos," Boscovich said. "We ultimately decided to name him as a defendant in light of some previous incidents that he's had."


Malicious sites on the cz.cc domain had previously been used to trick Macintosh users into thinking they needed to buy a bogus security program, called MacDefender.

Security experts say that many of these subdomain hosting companies, which typically offer free domain-name registration, have opened up a lawless frontier on the Internet where nearly anything goes. "There's a huge amount of abuse going on on those subdomains," said Roel Schouwenberg, a researcher with security vendor Kaspersky Lab. "The bad guys select whichever domain is cheapest and most reliable," he added. "Some of these domain owners are extremely slow in responding to abuse issues."

Scammers had used a series of ingenious tricks to game Google's image search feature and spread the Mac Defender malware using bulk subdomains, said Sean Sullivan, a security adviser with F-Secure. Sullivan's company automatically blocks the ce.ms, cu.cc, cw.cm, cx.cc, rr.nu, vv.cc, and cz.cc domains with its security software, he added.

In June, Google blocked a number of bulk subdomain sites from its search index, saying that many of them had been used by criminals. "In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider," Google wrote in a blog post announcing the decision.
Reached Tuesday, Piatti was unable to comment for this story. " I would be glad to give you my side of the story, but I feel that I should hire a lawyer first," he said in an email.