Last month, I wrote about how Microsoft and our partners, Kyrus and Kaspersky, took down the Kelihos botnet and that, for the first time, Microsoft took the step of naming specific defendants in a civil case involving a botnet. In the legal case supporting the Kelihos takedown, Microsoft sued defendants Dominique Alexander Piatti, dotFREE Group s.r.o. and John Does 1 through 22 associated with the IP addresses and Internet domains alleged to be involved in the command and control structure for the Kelihos botnet.

Today, I’m pleased to say that Microsoft has reached a settlement with defendants Dominique Alexander Piatti and his company, dotFREE Group s.r.o., and will be dismissing the lawsuit against them pursuant to the agreement. However, the case against the remaining John Does remains open, as Microsoft continues our investigation to hold accountable those responsible for the Kelihos botnet.

Since the Kelihos takedown, we have been in talks with Mr. Piatti and dotFREE Group s.r.o. and, after reviewing the evidence voluntarily provided by Mr. Piatti, we believe that neither he nor his business was involved in controlling the subdomains used to host the Kelihos botnet. Rather, the controllers of the Kelihos botnet leveraged the subdomain services offered by Mr. Piatti’s cz.cc domain.

As part of the settlement, Mr. Piatti has agreed to delete or transfer to Microsoft all the subdomains used either to operate the Kelihos botnet or for other illegitimate purposes. Additionally, Mr. Piatti and dotFREE Group have agreed to work with us to create and implement best practices to prevent abuse of free subdomains and, ultimately, apply these same best practices to establish a secure free Top Level Domain as they expand their business going forward. Mr. Piatti and dotFREE Group will continue to work with Microsoft to become a role model for the free domain industry, establishing industry best practices in the subdomain space.

We’re very pleased by the outcome for several reasons. First, this settlement allows us to move forward with our investigation to uncover the other people behind the botnet, listed in our court documents as John Does 1-22. Second, by gaining control of the subdomains, we are afforded an inside look at the Kelihos botnet, giving us the opportunity to learn which unique IP addresses are infected with the botnet’s malware.

If anyone believes their computer may be infected with Kelihos malware, please visit http://support.microsoft.com for free information and tools to help get rid of this and other malware. People should also exercise caution when surfing the Web, clicking on ads or opening e-mail attachments that may prove to be malicious. More information about staying safe online can be found at http://www.microsoft.com/protect and on the DCU Newsroom.

This case and this operation are ongoing, and we will continue to share new information as we move forward. To follow this and Microsoft’s ongoing work to combat digital crime, follow the Digital Crimes Unit on Facebook and Twitter.

Posted by Richard Domingues Boscovich
Senior Attorney, Microsoft Digital Crimes Unit