Accused Kelihos botnet maker worked for two security firms

-


A Russian man who was accused Monday by Microsoft of creating the Kelihos botnet worked for a pair of security-related firms from 2005 to 2011, according to evidence on the Web.

In an amended complaint filed yesterday in federal court, Microsoft identified the man as Andrey Sabelnikov of St. Petersburg.

According to his LinkedIn profile, Sabelnikov worked for two Russian companies that specialize in security, including the antivirus firm Agnitum, for the last six years.

Agnitum, which is based in St. Petersburg, develops and sells a Windows antivirus product called OutPost Antivirus Pro as well as a personal firewall for Windows PCs. A company spokesman confirmed today that Sabelnikov worked for the firm from September 2005 until November 2008.

Sabelnikov held a number of tiles, ending his time with Agnitum as a project manager responsible for everything from "designing the product architecture" to "implementing ... critical parts of code."

In an emailed reply to questions, the Agnitum spokesman said that Sabelnikov "resigned by his own will in late 2008."

From November 2008 until December 2011, Sabelnikov worked for another Russian company, Retunil, which also markets security software. Returnil's primary product, Virtual System Pro, clones an existing copy of Windows in a virtual machine as a way to protect users from malware.

Malware researchers often use virtual machines (VM) to test and analyze attack code because if the VM becomes infected, it can simply be wiped clean or restored to a pre-infection state.

Returnil did not reply to a request for comment on Sabelnikov's three-year stint, during which he was a lead research engineer.

The last two months, Sabelnikov worked for Teknavo, a consultancy that, among other things, develops software for financial organizations. Teknavo has an office in St. Petersburg.

While Sabelnikov's LinkedIn page was flush with details on his work history earlier Tuesday, it has been revised since then, and now lists only his time spent at an unnamed technical college and the St. Petersburg State University of Aerospace Instrumentation.

Microsoft first filed its Kelihos lawsuit last September as part of a takedown of the botnet, which controlled an estimated 45,000 compromised computers and had allegedly sent massive amounts of spam -- as many as 4 billion messages daily -- to users worldwide.

At that time, Microsoft identified only Dominique Piatti, the operator of the Czech domain hosting service dotFREE Group SRO, but pegged another 22 "John Doe" defendants.

In October, Microsoft dropped the charges against Piatti and dotFREE after reaching a settlement.

In the amended complaint submitted Monday, Microsoft accused Sabelnikov of creating the malware used to infect PCs and administering the resulting Kelihos botnet.

Microsoft said that it identified Sabelnikov through its analysis of the malware. "The harmful computer software used to control the Kelihos botnet contains information that identifies Defendant and demonstrates that Defendant created, operated and controlled the Kelihos botnet," the new filing stated.

In a blog post written Monday by Richard Boscovich, a senior attorney with Microsoft's Digital Crimes Unit, the company also accused Sabelnikov of registering more than 3,700 "cz.cc" subdomains from dotFREE, then using those subdomains to control the botnet.

If Microsoft's allegations are on target, Sabelnikov may have crafted Kelihos while working at Agnitum, Returnil, or both: The malware was first discovered in late 2009.

One interesting aspect of the case is that many security experts connected Kelihos with older malware that had been the basis for the Waledac botnet, which was brought down in early 2010, again at the direction of a court order obtained by Microsoft.

According to experts, the Waledac and Kelihos Trojans shared code; researchers had speculated that the latter may have been an attempt to recruit a new army of hacked PCs after the former's demise.

While it's possible that Sabelnikov created Kelihos using information gleaned from his work developing security software, it's unlikely, said Alfred Huger, vice president of development at Sourcefire, and one of the co-founders of Immunet, a cloud-based security company acquired by Sourcefire last year.

"Full reverse analysis is not typical for [antivirus] analysts," said Huger, referring to the practice of taking apart a piece of software and looking at its component parts in the hope of duplicating its operation. "It's not unheard of to fully reverse engineer malware, but it's usually for exceptional malware that is in the public eye at the time."

Even if security analysts do reverse engineer a piece of malware, that doesn't guarantee they'll end up with working code, added Huger.

"Typically when reverse engineering is done, the binary is reduced to pseudo-code," he said. "It's meant to illustrate what the file does.... It's not something you could generally compile into a new working file."

Sabelnikov did not reply to a request for comment. His profile page on the Russian social networking site Vkontakte.ru, which was available earlier Tuesday, has since been hidden from public view.

ComputerWorld

Comments

Post a Comment

Popular posts from this blog

Huge Japan Quake Cracked Open Seafloor

-
The March 2011 megaquake off the coast of Japan opened up fissures as wide as 6 feet (3 meters) in the seafloor, a new study finds. The fissures now scar the seafloor where peaceful clam beds once lay, according to Takeshi Tsuji, a researcher at Kyoto University in Japan . Along with seismic studies, the fissures, revealed by manned submersible vehicles that investigated the seafloor after the quake, show how the crust around the quake's epicenter expanded and cracked.
Read more

Index for a million documents on Polish Jewry to go online

-
Researchers of Polish Jewry are set to gain online access to more than 1 million new documents following an agreement signed by the Polish State Archives. Under the agreement signed last week, Jewish Records Indexing-Poland will receive indices to the documents from the Polish archives authority and place them on the website of the online database within one year, a JRI-Poland statement read.
Read more

A lot of the bread in the US will no longer be kosher

-
The largest baking company in the United States will be removing kosher certification from nearly all of its bread and rolls. Bimbo Bakeries USA confirmed to JTA that it will be removing the certification. The company produces brands including Arnold, Sara Lee, Stroehmann, Freihofer’s and others. Two of its major brands, Entenmann’s and Thomas, will remain certified kosher. So, kosher eaters, your crumb doughnuts and English muffins are still safe. A couple of rye breads also will retain their certifications. “Removing the kosher certification from some of our products was strictly a business-process decision to enable more efficient operations, and it was one we did not make lightly,” Bimbo said in a statement. “Thomas’ and Entenmann’s products as well as Arnold’s and Levy’s Rye Breads will remain kosher-certified. It is important to note that we have heard our consumers’ concerns and are working with kosher certification organizations and discussing alternative solutions.” The c
Read more