Earlier this week, Microsoft’s Digital Crimes Unit made the findings of its Kelihos botnet investigation public, accusing Andrey Sabelnikov, a Russian engineer from St Petersburg, of having written the bot code and run the operation.
In the original complaint filed with the U.S. District Court for the Eastern District of Virginia in September, Microsoft alleged that Dominique Alexander Piatti and John Does, who owned a cz.cc domain, used it to register subdomains operating the Kelihos botnet. The charges against the original defendants were dismissed one month later in exchange for their cooperation, which led to identifying the creator of the malware.
Besides writing the bot code, Sabelnikov is accused of using 21 .com domains and at least 3,723 subdomains under the cz.cc domain, registered through Verisign in Virginia, to infect more than 40,000 computers with malware that caused them to send 3.8 billion spam emails per day.
The most common way the malware was distributed was through messages to Hotmail accounts telling the recipients that a loved one had sent them an e-card. The email pointed to one of the Botnet Domains. When recipients opened the link, their computer was infected and became part of the Botnet, and was subsequently used to send spam, infect other computers, steal personal data, and launch DDoS attacks.
Kelihos was first discovered in late 2009. Experts sometimes call it “Waledac 2.0” given its ties to another botnet taken down by Microsoft earlier.
What attracted the most attention was the fact that from 2005 until the end of 2011 Andrey Sabelnikov was a senior-level engineer at two St Petersburg Internet security companies: Agnitum, developer of the Windows antivirus product Outpost Antivirus Pro and of a personal firewall for Windows PCs, and Returnil, another security software vendor. Sabelnikov currently works for Teknavo, providing Internet security consulting to financial organizations.
Microsoft was able to take down the botnet with the assistance of the Internet security companies Kyrus Inc. and Kaspersky Labs. Tillmann Werner, an expert with Kaspersky Labs, wrote in the company’s blog last October that the Kelihos bot is now under Kaspersky’s control, but that the infection cannot be completely stopped because of legal limitations in several countries.
Update Jan. 27, 2012
In a post on LiveJournal, Andrey Sabelnikov denied any involvement in the affair.