Microsoft says Russian anti-virus developer behind Kelihos botnet

Microsoft has accused a Russian former anti-virus software developer of creating the Kelihos botnet, which sent out 3.8 billion spam messages every day in its prime.

Andrey Sabelnikov, who currently lives in St. Petersburg, Russia, was once a “software engineer and project manager at a company that provided firewall, antivirus and security software,” according to Microsoft’s amendment (PDF) to its original complaint with the U.S. district court in Virginia. Sabelnikov currently works for a software development and consulting firm as a freelancer. Microsoft alleges that software associated with the control of Kelihos identifies Sabelnikov as creator, operator, and controller of the botnet.

“Microsoft is informed and believes and thereupon alleges that Defendant wrote and/or participated in creating the harmful computer software that constitutes the Kelihos botnet,” Microsoft wrote in the amended complaint. “Defendant has used the software to control, operate, maintain and grow the Kelihos botnet, by among other things, infecting innocent users’ computers.”

In September, Microsoft took down the Kelihos botnet, which had around 41,000 computers under its control. The discovery and eventual removal were carried out as part of the MARS (Microsoft Active Response for Security) program, created with the company's cyber crime unit to protect the internet as a whole. At the time, Microsoft publicly named the defendants, Alexander Piatti and 22 “John Does,” charged with owning “cz.cc” domains used to infiltrate computers that were to become bots.

Sabelnikov allegedly purchased 3,723 of these “cz.cc” subdomains from Piatti and used them to operate Kelihos.

Above: Kelihos-controlled computers in Virginia

Though Kelihos is actually a relatively small botnet, Microsoft is pursuing the case to show domain owners that they need to take more responsibility for whom they sell subdomains to. In a blog post, the company uses the example of pawn shops: pawn shop owners require a name, address and other identifying information from anyone who wishes to pawn an item, so that if something goes wrong, or the item turns out to be stolen, the seller can be contacted. Domain owners, however, are not held to a similar standard and are looser about who can use their subdomains.

“Currently no requirements necessitating domain hosts to know anything about the people using their subdomains,” said Richard Domingues Boscovich, a senior attorney in Microsoft’s Digital Crimes Unit, “making it easy for domain owners to look the other way.”

hat tip The Verge