Microsoft Adds Kelihos Botnet Operator To Civil Complaint

2012-01-24T17:32:11
ID THREATPOST:8F63BB7E78F9D8984287B7EB2BD998A0
Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:32:56

Description

A Russian man has been added to the list of defendants in the civil complaint Microsoft filed against the operators of the Kelihos botnet.

In an amended complaint filed in U.S. District Court on Monday, the company said that Andrey Sabelnikov controlled Kelihos using 21 Internet domains bought from a Czech firm run by Alexander Piatti. Piatti was originally named as a defendant but cooperated with Microsoft.

The amended complaint follows the coordinated takedown of Kelihos in September. Microsoft initially targeted those responsible for the domains used by Kelihos. The company now says its investigation showed that some of the defendants' subdomains may have been legitimate, but that many were being used for questionable purposes with links to disreputable online activities. After working with its first round of defendants, Microsoft says it has evidence that Sabelnikov wrote the code for, and either created or participated in creating, the Kelihos malware.

Microsoft alleges that Sabelnikov registered more than 3,700 "cz.cc" subdomains from Piatti and dotFREE Group SRO and misused those subdomains to operate and control the Kelihos botnet, according to a blog post by Microsoft's Digital Crimes Unit (DCU).

Little is known about Sabelnikov, though a LinkedIn page purportedly belonging to him lists him as a 2003 graduate of the Saint Petersburg State University of Aerospace Instrumentation with a Master's degree in Computer Science. The website Krebs on Security reports that Sabelnikov may also have worked in the past for Agnitum, a St. Petersburg antivirus vendor.

Representatives of the Redmond, Washington software maker recently told an audience at the International Conference on Cyber Security (ICCS) in New York that the company is testing a new service to distribute threat data gathered from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.