Since taking down the Kelihos botnet with our partners Kyrus Inc. and Kaspersky Labs in September, the Microsoft Digital Crimes Unit has continued to actively investigate the case and pursue new leads with the goal of holding the perpetrators behind the botnet accountable for their actions.

In an amended complaint filed today with the U.S. District Court for the Eastern District of Virginia, Microsoft alleges that Andrey N. Sabelnikov, a citizen of Russia, is responsible for the operations of the Kelihos botnet.

Mr. Sabelnikov is not the first to be named as a defendant in this case, which has already served as the legal foundation for the successful disruption of a global botnet harming thousands of victims worldwide. In the original complaint filed in September, Microsoft alleged that Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 owned a domain cz.cc and used cz.cc to register other subdomains such as lewgdooi.cz.cc used to operate and control the Kelihos botnet.

Our investigation showed that while some of the defendants’ subdomains may have been legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities. On Oct. 26, we successfully settled with defendants Dominique Alexander Piatti and dotFREE Group, allowing us to dismiss the case against them. Today, thanks to their cooperation and new evidence, we have named a new defendant to the civil lawsuit we believe to be the operator of the Kelihos botnet.

In today’s complaint, Microsoft presented evidence to the court that Mr. Sabelnikov wrote the code for and either created, or participated in creating, the Kelihos malware. Further, the complaint alleges that he used the malware to control, operate, maintain and grow the Kelihos botnet. These allegations are based on evidence Microsoft investigators uncovered while analyzing the Kelihos malware. Microsoft also alleges that Mr. Sabelnikov registered more than 3,700 “cz.cc” subdomains from Mr. Piatti and dotFREE Group SRO, and misused those subdomains to operate and control the Kelihos botnet.

All of Microsoft’s legal filings and evidence in this case can be found at http://www.noticeofpleadings.com. Microsoft is committed to following the evidence wherever it leads us through the investigation in order to hold Kelihos’ operators accountable for their actions. We believe this is important both because of the harm caused by Kelihos and because all botnet operators should understand that there are risks and consequences for engaging in malicious activity.

We also remain committed to taking what we learn from takedown operations such as these to help better arm the ‘good guys’ in protecting people from the threat. We continue to explore ways to make the information learned from our takedowns more readily available to others who can take action to address infections in a more systematic and automated manner. Our objective is to effectively put information and tools into the hands of those that can help protect innocent computer users. We will continue to drive innovation towards this end as long as botnets continue to victimize society.

Although the Kelihos botnet remains inactive since the successful takedown in September, thousands of computers are still infected with its malware. Please visit support.microsoft.com/botnets for free information and tools to clean your computer from malicious software, and visit http://www.microsoft.com/security for more information on online safety and security.

This case is certainly not over. Look for more updates as the Kelihos investigation and Microsoft’s overall fight to disrupt botnets continue. You can also follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Posted by Richard Domingues Boscovich
Senior Attorney, Microsoft Digital Crimes Unit