Microsoft amended its original civil lawsuit against the perpetrators of the Kelihos botnet to add a Russian security professional as the developer of the Kelihos malware.
Microsoft Digital Crimes Unit has identified one of the perpetrators behind the
Kelihos botnet, which was neutralized last September. Additional information
has surfaced identifying the suspect as the former employee of a Russian
security software development company.
defendant, Andrey N. Sabelnikov, coded the malware that was used to infect
thousands of computers and used the malware to control, operate and expand the
Kelihos botnet, Microsoft alleged in an amended complaint filed with the U.S.
District Court for the Eastern District of Virginia.
additional evidence that led the company to Sabelnikov was provided by some of
the defendants named in the original complaint back in September, Richard
Domingues Boscovich, senior attorney for the Microsoft Digital Crimes Unit,
wrote in the Official
on Jan. 23. Microsoft settled with two defendants,
Dominique Alendader Piatti and dotFREE Group, in October.
also allegedly registered 3,723 "cz.cc" subdomains from Piatti and
from dotFREE Group and misused those subdomains to operate and control the
botnet's spam-sending activities, according to Boscovich. Microsoft did not
provide any other information about Sabelnikov in its blog post beyond the fact
that he is a citizen of Russia.
public LinkedIn profile of Andrey Sabelnikov currently living in Russia showed
that between 2005 and 2008 he was a senior developer and product manager at
Agnitum, a Russian security firm well-known for its firewall software, wrote
Graham Cluley, a senior technology consultant at Sophos, on the Naked
blog. Agnitum develops and sells OutPost Antivirus Pro, a Windows
antivirus product and a personal firewall for Windows PCs.
is no suggestion that Agnitum [is] connected with the allegations, or that
their security software-which includes anti-virus products-are compromised in
any way," Cluley wrote.
appears Sabelnikov also worked for Retunil, another Russian security software
company. Retunil's Virtual System Pro creates clones of Windows systems as
operations have had "limited effects" on botnets, according to Gunter
Ollmann, vice president of research at Damballa. "It is clear that the
operators themselves have to be targeted and removed from the equation for a
botnet takedown to be successful," Ollmann said.
worked with Kaspersky Lab and other companies to gather the evidence and
information behind Kelihos, which led to the Department of Justice raids in
September to shut
down the command and control servers
. However, since thousands of computers
are still infected with the malware, the case "is not over,"
according to Boscovich. There always remains the possibility that the botnet
could be resurrected as long as these machines remain online.
if law enforcement authorities manage to "locate, arrest and throw the
criminal operators into a cell with no Internet access," the victims are
still vulnerable to other operators who could potentially usurp control of
those victims, Ollmann said.
was considered to be a small botnet, with about 41,000 infected computer under
its control, but had been responsible for nearly 4 billion spam messages per day,
including stock scams, adult content, illegal pharmaceuticals and malware.
Damballa observed and confirmed that about 10,000 victims in North America
alone and about a quarter of the victim machines are still infected, according
remains "committed" to taking the data gathered from these takedown
operations to "help better arm" security companies in protecting
customers from the threat, Boscovich wrote. Microsoft discussed at the International
Conference on Cyber-Security at Fordham University Jan. 11 its plans to distribute
obtained from captured botnets and other sources to foreign
governments, law enforcement, Computer Emergency Response Teams and private
could use the real-time feeds to look for malware infections that often are
part of botnet activity, or correlate host data with information on various
Internet scams, such as click fraud. The data harvested from the Kelihos
botnet, for example, included IP addresses of infected systems, Autonomous
System numbers as assigned by regional Internet registries and reputation data
provided by Microsoft's Smart Data Network services.
objective is to effectively put information and tools into the hands of those
that can help protect innocent computer users," Boscovich wrote.