Microsoft names the man behind the Kelihos botnet

24 January 2012

Last September, Microsoft and Kaspersky Labs took down the Kelihos botnet, and Kaspersky now controls it. Yesterday, in a court filing in Virginia, Microsoft named Andrey Sabelnikov as the owner and operator of Kelihos.

Kelihos, now controlled by Kaspersky Labs, comprised some 41,000 infected computers worldwide and was capable of generating 3.8 million spam e-mails every day. But taking down, or taking over, a botnet is only half the problem. The infected computers remain infected and could be reactivated from new command servers. And if the originator or owner remains at large, he or she could simply build a new botnet.

Cleansing infected computers is largely the responsibility of the users. While it is theoretically possible for law enforcement to get involved (just as the Dutch police used a botnet’s command servers to send warnings to its infected members, and the UK’s SOCA notified Virgin Media about suspected SpyEye-infected customers), this is either legally questionable or logistically difficult.

The real solution is to ‘take-down’ the botnet’s originators. Back in September Microsoft alleged that Dominique Piatti and the dotFREE Group SRO were involved with Kelihos. “On Oct. 26, we successfully settled with defendants Dominique Alexander Piatti and dotFREE Group, allowing us to dismiss the case against them,” announced Microsoft yesterday. “Today,” it continues, “thanks to their cooperation and new evidence, we have named a new defendant to the civil lawsuit we believe to be the operator of the Kelihos botnet.”

That defendant, named in yesterday’s court filing, is Andrey Sabelnikov, from whom “Microsoft seeks injunctive and other equitable relief and damages... as the operator of a controlled network of computers, known as the ‘Kelihos’ botnet...” Sabelnikov once worked for the Russian anti-virus company Agnitum.

According to Brian Krebs, Sabelnikov was identified when an unnamed security researcher with access to the Kelihos source code noticed that it contained debug code that downloaded a Kelihos installer from – a photography site registered in Sabelnikov’s name.
