Four months after taking down the Kelihos botnet, Microsoft today identified the man it believes was behind the massive infection designed to deliver spam and steal data.
In an amended complaint (PDF) filed today with the U.S. District Court for the Eastern District of Virginia, the software giant accused Andrey N. Sabelnikov, a resident of St. Petersburg, Russia, of writing the code for and participating in the creation of the Kelihos malware. The complaint further alleges that Sabelnikov used the malware to control and nurture the Kelihos botnet.
Kelihos comprised about 41,000 infected computers worldwide and was capable of sending 3.8 billion spam e-mails per day before Microsoft put a stop to it last September, according to Microsoft.
Sabelnikov, who currently freelances for a software development and consulting firm, previously "worked as a software engineer and project manager at a company that provided firewall, antivirus and security software," Microsoft said in its complaint. He was identified with the help of a previous defendant in the case, Microsoft said.
The lawsuit, which was originally filed in September, accused Czech resident Dominique Alexander Piatti, Dotfree Group SRO, and John Does 1-22 of using malware to infect victim computers to send unregulated pharmaceutical and other spam, harvest e-mails and passwords, conduct fraudulent stock scams and, in some cases, promote sites dealing with sexual exploitation of children.
Microsoft settled with Piatti and his company, who agreed to delete or transfer to Microsoft all the subdomains that were used to operate the botnet or for other illegitimate purposes. Microsoft credited Piatti's cooperation in the case as leading to Sabelnikov and evidence against him.
"Microsoft is committed to following the evidence wherever it leads us through the investigation in order to hold Kelihos' operators accountable for their actions," Richard Domingues Boscovich, senior attorney for Microsoft's digital crimes unit, wrote in a blog post. "We believe this is important both because of the harm caused by Kelihos and because all botnet operators should understand that there are risks and consequences for engaging in malicious activity."
Boscovich said that even though the botnet is inactive, thousands of computers are still infected with its malware.