Antivirus employee named in botnet case

Microsoft has accused a former employee of a Russian antivirus firm of being responsible for operating the Kelihos botnet.

Andrey Sabelnikov's public profile on a photography site.
(Screenshot by Michael Lee/ZDNet Australia)

Kelihos was shut down in September last year, after Microsoft filed a restraining order to cut off the botnet's command-and-control centre from infected computers. At the time, it began legal proceedings against Dominique Alexander Piatti and his company, Dotfree Group, for their involvement in operating the botnet. They shortly thereafter settled with Microsoft.

Their cooperation, combined with new evidence that Microsoft has acquired, has led the software giant to believe that a Russian citizen, Andrey Sabelnikov, was also responsible for operating the botnet.

Although Microsoft remained silent on Sabelnikov's background, security blogger Brian Krebs discovered through various social-networking sites that Sabelnikov had been a senior system developer and project manager for Russian antivirus firm Agnitum, and, more recently, at a financial services software-development company, Teknavo.

Information on Sabelnikov's career has now been removed from the majority of the social-networking sites that he had signed up to.

Microsoft is accusing Sabelnikov of writing the code behind Kelihos, and claimed that he either created or helped create the malware. It is also accusing Sabelnikov of operating the botnet. Microsoft alleges that Sabelnikov bought over 3700 domains from Piatti and Dotfree in order to operate and control the botnet.

According to Krebs, Sabelnikov's own personal domain,, was used to host a Kelihos malware installer, further implicating Sabelnikov. Microsoft did not confirm this claim in its blog post.

The allegations represent another step in Microsoft's fight against Kelihos' operators, and the company said it would be using the information to help others defend against future botnets.

"We continue to explore ways to make the information learned from our takedowns more readily available to others who can take action to address infections in a more systematic and automated manner. Our objective is to effectively put information and tools into the hands of those that can help protect innocent computer users," wrote Microsoft's digital crimes unit senior attorney, Richard Domingues Boscovich.

"This case is certainly not over."