January 24, 2012

In a surprise filing made late Monday, Microsoft said a former technical expert at a Russian antivirus firm was the person responsible for operating the Kelihos botnet, a global spam machine that Microsoft dismantled in a coordinated takedown last year.

Andrey Sabelnikov

In a post to the Official Microsoft Blog, the company identified 31-year-old Andrey N. Sabelnikov of St. Petersburg, Russia as responsible for the operations of the botnet. Microsoft’s amended complaint (PDF) filed with the U.S. District Court for the Eastern District of Virginia states that Sabelnikov worked as a software engineer and project manager at a company that provided firewall, antivirus and security software.

Microsoft doesn’t specify where Sabelnikov worked, but according to Sabelnikov’s LinkedIn page, from 2005 to 2007 he was a senior system developer and project manager for Agnitum, a Russian antivirus firm based in St. Petersburg. One of the company’s most popular products is Outpost, a free firewall program. Sabelnikov’s profile says he most recently worked for a firm called Teknavo, which makes software for companies in the financial services sector.

A source close to the investigation told Krebs On Security that Sabelnikov’s alleged role was discovered after a security researcher obtained a copy of the source code to Kelihos. The researcher noticed that the source contained debug code that downloaded a Kelihos malware installer from the domain sabelnikov.net, a photography site registered to Sabelnikov’s name. That site currently links to Sabelnikov’s profile page at Russian social networking site Vkontakte.ru, which includes the same pictures found in the LinkedIn profile mentioned above.

Microsoft doesn’t mention the source code discovery in its amended complaint, but it does reference the availability of new evidence in naming Sabelnikov. The company said it also had cooperation from the original defendants in the case — Dominique Alexander Piatti and the dotFREE Group, which owned the domains allegedly used to control the botnet.

Update, Jan. 27 9:38 a.m. ET: Sabelnikov on Thursday posted a response on his blog denying Microsoft’s allegations, saying he had never participated in the management of botnets and any other similar programs. Sabelnikov also stated that he has just returned from a business trip to the United States earlier this month. Interestingly, he says he arrived in the U.S. on Jan. 21, and stayed for two days — meaning he left either the same day or a day after Microsoft filed its brief with the court.

Also on Thursday, I published a follow-up investigation which suggests that Kelihos and its predecessor Waledac were almost certainly the work of a well-known spammer named Peter Severa.

22 thoughts on “Microsoft: Worm Operator Worked at Antivirus Firm

  1. Aleksey

    As unfortunate as it is, I’m not surprised. Running a large spam-spewing botnet is a very lucrative crime – it pays off extremely well and monetization is very easy. At the same time getting caught is quite unlikely in the current legal environment. One has to have certain amount of ethics to not go after all this easy cash having the technical skills necessary to pull it off. This kind of ethics is not very widespread in a place like Russia today.

    1. Artem

      Alexey, you right. On post-USSR space such crimes are widespread, not only on Russia space but on Ukraine or Kazakhstan too. And this is really a matter of ethics, but it don’t take seriously in this region.

  2. David Chasey

    I’m waiting for a different kind of computer that is run by hardware, not software, and thus isn’t vulnerable to these eternal software threats.
    Brian, maybe you can do a retake on how to run the computer using a CD that blocks all of these vulnerabilities, as you did when working at the Washington Post.

    1. bob

      Why would a hardware computer not be vulnerable to software threats? It’s all just bits in a line.

      Or did you mean that a hardware computer wouldn’t have any bugs because it’s not software? I suggest a basic computing course at your local education centre. Total time will equate to a couple of days as opposed to the eternity you will wait for your different kind of computer.

      Regards the CD, a simple search of this site will give you the info you need. However, it won’t block all vulnerabilities, it’ll just stop attacks effecting your system when you remove the CD. It might also stop attacks persisting when you switch your machine off.

  3. baltassoc

    How is the lede here not “Botnet operator worked at financial services industry offahore developer”?

  4. Biff

    We already have a computer that is run by hardware, not software. It’s called an abacus.

  5. Nick P

    Did anyone else notice the implications of this? The malware’s source code contained instructions to utilize a specific site with this guy’s actual name and other personal references in it. That’s either one of the dumbest mistakes in malware history or he’s being framed. It would be so easy to hack some AV engineer’s site, put malware on it, and make my sploits download from him to focus the authorities on him. Add to it that the two guys fingering him for this are under police pressure & crooks often try to use scapegoats to get out of jail sentences.

    So, to get an idea here, how many big botnet operators have used their own name, sites with PII, etc. in the operation of a botnet or its source code? Does this happen often? Very rarely? Is it a first?

    1. SeymourB

      The source was obtained by a security researcher, which doesn’t necessarily mean it was current source used by the released form of malware. It could have been from a development version where the author was downloading the file from his website for testing purposes rather than distributing the installer. Which was probably done for the released version (simply sniffing traffic from the test machine would have told them the IP of the site it downloaded from, possibly even the name if it did a DNS lookup first).

      It still could be a frame job, in that we don’t know if this source is legitimately a dev version of the malware or just a plant by the actual author to divert attention from himself.

    2. Iggy

      Well, writing the botnet could actually be a part of his job description. It’s long been suspected that some Russian antivirus companies were actualy the ones who created malware, so this could be the first proof of it. Besides, the thing is Russia doesn’t extradict its criminals, so they are getting bold and careless.

  6. Mr. White

    He’s breaking bad just like his twin brother Jesse Pinkman.

    1. KJ

      It was Walt that was “breaking bad”. Jesse was always a punk.

      1. Mr. White

        This is a ‘duh’ statement. He looks like Jesse Pinkman and not everyone knows who that might be without a reference.

        1. KJ

          By your own admittance your original comment was off topic, obscure and incorrect.

  7. xxxx

    real i know big botmaster he control top ten ww spam bot but now he working in security company same good boy safety verybody , it’s comodo

  8. dehaul

    So if there is a piece of code out there that download malware from a domain that you own, you obviously wrote the code.

    Am I missing something here?

    1. Matt

      There’s a little more meat in the amended complaint link provided in the article. It doesn’t have a lot of details, but the combination of domain registration and the debug code is pretty strong evidence.

      “Microsoft…alleges that Defendant wrote
      and/or participated in creating the harmful computer software that constitutes the Kelihos botnet
      and that Defendant has used the software to control…”

      “Microsoft… alleges that Defendant owns,
      operates, controls and maintains the Kelihos Botnet and does business under the names of the
      Harmful Botnet Domains.”

  9. passingby

    well, i suggest to consider 3 facts
    1) anyone can register any domain name and redirect to someone’s page, especially if main desire is to frame someone who makes your life harder, additional research regarding specified domain is required, since anything can be put in whois info, some proof required that there’s actual link between person and domain aside from it’s name;
    2) originating place of source code should be verified, because as was previously stated the source code could be leaked intentionally with framing pieces of code just without any proof that actualy bots acted in this way;
    3) source code of malware is treasure for anti malware specialists, especially if it includes polymoprh parts for improving heuristics algorythms and definitions and source could as someone stated it could be used by that person for legimate reasons (generating signatures, finding master servers, researching ways to disrupt botnet etc.);

    1. passingby

      but i’m sure that lack of details is because there’s evidence that just can not be disclosed yet due to investigation going on and mentioned code was just a starting point, looking forward for further materials

  10. abhishek

    hi i m student . i m doing a project on signature based antivirus can u suggest some feature that i can add in my project .

  11. dante

    He left of his own volition to pursue other opportunities due in large measure to the project he was working on being terminated,

Comments are closed.