Microsoft accuses Russian of masterminding Kelihos botnet

Microsoft’s determined campaign against the Kelihos botnet has seen the company file a lawsuit against the Russian man it now believes to be responsible for its operations.

In a filing to a Virginia court, Microsoft alleges that Andrey N. Sabelnikov from St. Petersburg contributed code for the malware that set up the bot, registering 3,700 Czech .cz subdomains to aid its operation.

The company’s campaign against Kelihos dates back to last September when it launched a similar court action against a Czech-based domain provider the dotFREE Group and its owner Dominique Piatti, accused of hosting the domains that made Kelihos possible. Both were later exonerated after they agreed to aid Microsoft’s Kelihos investigation.

The company also named “John Does 1-22” as being involved in Kelihos, one of whom must have included Sabelnikov himself.

Kelihos was always a pretty modest botnet – the number of infected hosts is not thought to have gone above 45,000 – but Microsoft sees disrupting every botnet using legal means as strategically important.

“Microsoft is committed to following the evidence wherever it leads us through the investigation in order to hold Kelihos’ operators accountable for their actions,” the company said in a new blog post on the case.

“We believe this is important both because of the harm caused by Kelihos and because all botnet operators should understand that there are risks and consequences for engaging in malicious activity.”

The case bears a superficial resemblance to last week’s naming of the Russians alleged by Facebook and other security companies to have been involved in the Koobface worm that assaulted users of various social networks between 2008 and 2010.

Critics in the security industry have voiced reservations about this ‘naming and shaming’ approach, worrying that it could compromise a possible future legal case against suspects.

The major difference is that Microsoft’s approach is always to pursue suspects using civil actions through the courts during which supporting evidence must be examined by a judge. This approach has proved successful, closing down the operations of major botnets such as Rustock and Waledec.

More recently, the company quietly announced that it would give CERTS, ISPs and police access to its botnet monitoring system through an API.