By Jim Finkle
SAN FRANCISCO (Reuters) - A computer security firm said it had freed tens of thousands of infected PCs from a "botnet" that forced enslaved machines to send out spam pharmaceutical ads during a cyber crime-fighting demonstration to top industry executives on Tuesday.
Tillmann Werner, a senior research scientist with a startup known as CrowdStrike, attacked the Kelihos botnet on stage in a rare live demonstration of techniques used to attack cyber crime operations.
He manipulated the messaging system used to control machines enslaved in the botnet, a term used in the security world to describe groups of infected computers that are enslaved in large networks by "herders" who use the machines for tasks including sending spam and attacking corporate networks.
He instructed machines to stop communicating with the servers that had enslaved them and start checking in with a new "command and control" server that he set up to protect the PCs.
For good measure he provided a "black list" of servers controlled by the Kelihos gang, which essentially blocks those computers from ever visiting those sites.
As infected machines visited his command and control server, red dots showed up on a map on a video screen at the front of a conference room at the RSA security conference in San Francisco, winning Werner a round of applause for a rare victory in the fight against cyber crime.
A few hours later, he said that tens of thousands of infected machines had checked into the server of CrowdStrike, which this week unveiled products to help businesses fight sophisticated cyber attacks.
Werner has been using his keyboard to fight cyber crime for nearly 10 years.
"It's a passion," he said. "I'm interested in botnets that are technically challenging."
That passion has kept him persevering in his battle with botnet "herders," or the criminals who control infected machines, despite constant setbacks.
He previously worked with parties including Microsoft Corp and Kaspersky Lab on other efforts to shut down Kelihos and a related botnet known as Waledac, only to see them quickly re-emerge.
"It's an industry," he said. "There is some gang pulling the strings."
(Editing by Jeremy Laurence)