Four months after dismantling the nasty Kelihos botnet, Microsoft says it has tracked down the central figure behind it, naming Russian citizen Andrey N. Sabelnikov as a new defendant in its civil case over the botnet.

Microsoft announced the news in a blog post. The company alleges that Sabelnikov wrote the code for the Kelihos malware and was responsible for the operation of the botnet, which did everything from distributing spam to stealing financial information and orchestrating stock scams.

Here’s the kicker: Prior to his current employment as a freelancer for a software development and consulting firm, Sabelnikov “worked as a software engineer and project manager at a company that provided firewall, antivirus and security software,” according to Microsoft’s newly amended lawsuit.

That would be ironic, but not surprising, given the wealth of information Sabelnikov would have gleaned in such a job. One tactic allegedly used by the Kelihos operators was distributing fake antivirus software.

The legal documents don’t identify the antivirus and firewall company where Sabelnikov worked, or the consulting firm where he now freelances. However, the suit says he has a computer programming degree from the St. Petersburg State University of Aerospace Instrument Engineering.

Microsoft previously settled with the original defendants in the case, Dominique Alexander Piatti and dotFREE Group, who owned domains allegedly used to control the botnet. The company says it was able to identify Sabelnikov as the alleged operator thanks to their cooperation, as well as new evidence.

The company says Kelihos remains inactive, but thousands of computers are still infected. The company directs PC users to this site for more information and tools for cleaning the malware from a PC.

  • Guest

    Kudos to Microsoft for taking down these botnets and, in so doing, improving the Internet for everyone.

  • Anonymous

    This makes a lot of sense, dude.
    Total-Privacy dot US

  • Mark

    is a trojan family that distributes spam email messages. The spam messages could contain hyperlinks to installers of Win32/Kelihos malware. The malware may communicate with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files. These kinds of Trojans should be nullified permanently.

  • Dante

    “The botnet wasn’t terribly sophisticated, but it was custom enough that it sort of stood out,”

  • Guest

    Let me guess, Kaspersky???

  • Destination360 Travel Guides

    no surprise there…
