Microsoft suspects ex-antivirus worker of Kelihos botnet creation

News 24 Jan, 2012

A Russian IT pro is accused of helping create and run the Kelihos botnet.

Microsoft has continued its assault on the Kelihos botnet, naming a former IT security professional as the controller of the malicious network.

In an amended complaint filed in the US District Court for the Eastern District of Virginia, Microsoft alleged that Russian Andrey Sabelnikov was running the botnet.

In the complaint, Microsoft said Sabelnikov was working on a freelance basis for a software development and consulting firm, and had previously been a project manager at an anti-virus provider.

The Kelihos botnet was shut down last year, but Microsoft has continued to hunt for the perpetrators and have them prosecuted.

Microsoft had previously accused Dominique Piatti, a Czech man running the dotFREE domain hosting company, claiming his business was registering subdomains used to operate Kelihos.

However, Microsoft came to the conclusion dotFREE was simply being used by Kelihos's controllers and came to an agreement with Piatti.

Cooperation with Piatti led to this week's fresh allegations against Sabelnikov.

"In today’s complaint, Microsoft presented evidence to the court that Mr. Sabelnikov wrote the code for and either created, or participated in creating, the Kelihos malware," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit, in a blog post.

"Further, the complaint alleges that he used the malware to control, operate, maintain and grow the Kelihos botnet. These allegations are based on evidence Microsoft investigators uncovered while analyzing the Kelihos malware."

Microsoft also claimed Sabelnikov registered more than 3,700 'cz.cc' subdomains from dotFREE and misused them to operate and control the Kelihos botnet.

"Although the Kelihos botnet remains inactive since the successful takedown in September, thousands of computers are still infected with its malware," Boscovich warned. "This case is certainly not over."

One major issue hindering botnet fighters is the lack of regulation on the subdomain provider industry. Providers are not required to know who their customers are, meaning cyber criminals can take advantage and host malicious activities on their servers.