Microsoft identifies suspected Kelihos botnet author

Software giant accuses a St. Petersburg, Russia, resident of writing malware to control and nurture the botnet, which infected 41,000 computers worldwide.

Steven Musil

Four months after taking down the Kelihos botnet, Microsoft today identified the man it believes was behind the massive infection designed to deliver spam and steal data.

In an amended complaint (PDF) filed today with the U.S. District Court for the Eastern District of Virginia, the software giant accused Andrey N. Sabelnikov, a resident of St. Petersburg, Russia, of writing the code for and participating in the creation of the Kelihos malware. The complaint further alleges that Sabelnikov used the malware to control and nurture the Kelihos botnet.

Kelihos comprised about 41,000 infected computers worldwide and was capable of sending 3.8 billion spam e-mails per day before Microsoft put a stop to it last September, according to Microsoft.

Sabelnikov, who currently freelances for a software development and consulting firm, previously "worked as a software engineer and project manager at a company that provided firewall, antivirus and security software," Microsoft said in its complaint. He was identified with the help of a previous defendant in the case, Microsoft said.

The lawsuit, which was originally filed in September, accused Czech resident Dominique Alexander Piatti, Dotfree Group SRO, and John Does 1-22 of using malware to infect victim computers to send unregulated pharmaceutical and other spam, harvest e-mails and passwords, conduct fraudulent stock scams and, in some cases, promote sites dealing with sexual exploitation of children.

Microsoft settled with Piatti and his company, who agreed to delete or transfer to Microsoft all the subdomains that were used to operate the botnet or for other illegitimate purposes. Microsoft credited Piatti's cooperation in the case as leading to Sabelnikov and evidence against him.

"Microsoft is committed to following the evidence wherever it leads us through the investigation in order to hold Kelihos' operators accountable for their actions," Richard Domingues Boscovich, senior attorney for Microsoft's digital crimes unit, wrote in a blog post. "We believe this is important both because of the harm caused by Kelihos and because all botnet operators should understand that there are risks and consequences for engaging in malicious activity."

Boscovich said that even though the botnet is inactive, thousands of computers are still infected with its malware.