
Microsoft names Russian man in Kelihos botnet suit

Microsoft filed a lawsuit on Monday against the person it now believes is the mastermind behind a massive botnet dismantled last year.

In an amended complaint, filed in the U.S. District Court in Alexandria, Va., the software giant contends that Russian citizen Andrey Sabelnikov is responsible for operating the Kelihos botnet, a former 41,000-node network of zombie computers that was once capable of sending 3.8 billion spam emails per day.

Microsoft initially pursued legal action against Dominique Piatti and his domain name company, dotFREE Group SRO. But after reviewing the evidence, Microsoft determined that neither Piatti nor his business was responsible for controlling the subdomains used to host Kelihos. In exchange for dismissal of the complaint, Piatti agreed to "delete or transfer" any subdomains connected to Kelihos.

Piatti's cooperation, together with newly emerged evidence, led to the accusations against Sabelnikov, according to Microsoft. In its 21-page complaint, the company alleges that Sabelnikov authored the code used in the Kelihos malware and that he used the malware to control, operate and expand the botnet.

Microsoft asked the court for damages and an injunction against Sabelnikov.

The 31-year-old worked at the St. Petersburg, Russia-based anti-virus firm Agnitum from 2005 to 2008, Vitaliy Yanko, director of sales and marketing at Agnitum, told SCMagazine.com Tuesday in an email.

Afterward, he held jobs at other software firms, according to reports.

The reports cited Sabelnikov's public LinkedIn profile, which no longer contains any job experience information -- only his college: Saint Petersburg State University of Aerospace and Instrumentation.

"Microsoft is committed to following the evidence wherever it leads us through the investigation in order to hold Kelihos' operators accountable for their actions," Richard Boscovich, senior attorney with Microsoft's Digital Crimes Unit, wrote in a blog post. "We believe this is important both because of the harm caused by Kelihos and because all botnet operators should understand that there are risks and consequences for engaging in malicious activity."

Microsoft said that although it disrupted Kelihos by gaining court approval to cut off the botnet's command-and-control infrastructure, thousands of machines around the world remain infected.
