Microsoft Names Developer, Operator of Kelihos Botnet

The Microsoft Digital Crimes Unit has identified one of the perpetrators behind the Kelihos botnet, which was neutralized last September. Additional information has surfaced identifying the suspect as the former employee of a Russian security software development company.

The defendant, Andrey N. Sabelnikov, coded the malware that was used to infect thousands of computers and used the malware to control, operate and expand the Kelihos botnet, Microsoft alleged in an amended complaint filed with the U.S. District Court for the Eastern District of Virginia.

The additional evidence that led the company to Sabelnikov was provided by some of the defendants named in the original complaint back in September, Richard Domingues Boscovich, senior attorney for the Microsoft Digital Crimes Unit, wrote in the Official Microsoft Blog on Jan. 23. Microsoft settled with two defendants, Dominique Alendader Piatti and dotFREE Group, in October.

Sabelnikov also allegedly registered 3,723 "cz.cc" subdomains from Piatti and from dotFREE Group and misused those subdomains to operate and control the botnet's spam-sending activities, according to Boscovich. Microsoft did not provide any other information about Sabelnikov in its blog post beyond the fact that he is a citizen of Russia.

A public LinkedIn profile of Andrey Sabelnikov currently living in Russia showed that between 2005 and 2008 he was a senior developer and product manager at Agnitum, a Russian security firm well-known for its firewall software, wrote Graham Cluley, a senior technology consultant at Sophos, on the Naked Security blog. Agnitum develops and sells OutPost Antivirus Pro, a Windows antivirus product and a personal firewall for Windows PCs.

"There is no suggestion that Agnitum [is] connected with the allegations, or that their security software—which includes anti-virus products—are compromised in any way," Cluley wrote.

It appears Sabelnikov also worked for Retunil, another Russian security software company. Retunil's Virtual System Pro creates clones of Windows systems as virtual machines.

Takedown operations have had "limited effects" on botnets, according to Gunter Ollmann, vice president of research at Damballa. "It is clear that the operators themselves have to be targeted and removed from the equation for a botnet takedown to be successful," Ollmann said.

Microsoft worked with Kaspersky Lab and other companies to gather the evidence and information behind Kelihos, which led to the Department of Justice raids in September to shut down the command and control servers. However, since thousands of computers are still infected with the malware, the case "is not over," according to Boscovich. There always remains the possibility that the botnet could be resurrected as long as these machines remain online.

Even if law enforcement authorities manage to "locate, arrest and throw the criminal operators into a cell with no Internet access," the victims are still vulnerable to other operators who could potentially usurp control of those victims, Ollmann said.

Kelihos was considered to be a small botnet, with about 41,000 infected computer under its control, but had been responsible for nearly 4 billion spam messages per day, including stock scams, adult content, illegal pharmaceuticals and malware. Damballa observed and confirmed that about 10,000 victims in North America alone and about a quarter of the victim machines are still infected, according to Ollmann.

Microsoft remains "committed" to taking the data gathered from these takedown operations to "help better arm" security companies in protecting customers from the threat, Boscovich wrote. Microsoft discussed at the International Conference on Cyber-Security at Fordham University Jan. 11 its plans to distribute threat data obtained from captured botnets and other sources to foreign governments, law enforcement, Computer Emergency Response Teams and private corporations.

Partners could use the real-time feeds to look for malware infections that often are part of botnet activity, or correlate host data with information on various Internet scams, such as click fraud. The data harvested from the Kelihos botnet, for example, included IP addresses of infected systems, Autonomous System numbers as assigned by regional Internet registries and reputation data provided by Microsoft's Smart Data Network services.

"Our objective is to effectively put information and tools into the hands of those that can help protect innocent computer users," Boscovich wrote.