Kelihos, now controlled by Kaspersky Labs, comprised some 41,000 infected computers worldwide and was capable of generating 3.8 million spam e-mails every day. But taking down, or taking over, a botnet is only half the problem. The infected computers remain infected and could be reactivated from new command servers. And if the originator/owner remains at large, he or she could simply build a new botnet.
Cleansing infected computers is largely the responsibility of the users. While it is theoretically possible for law enforcement to get involved (just as the Dutch police used a botnet’s command servers to send warnings to its infected members, and the UK’s SOCA notified Virgin Media about suspected SpyEye-infected customers), this is either legally questionable or logistically difficult.
The real solution is to ‘take-down’ the botnet’s originators. Back in September Microsoft alleged that Dominique Piatti and the dotFREE Group SRO were involved with Kelihos. “On Oct. 26, we successfully settled with defendants Dominique Alexander Piatti and dotFREE Group, allowing us to dismiss the case against them,” announced Microsoft yesterday. “Today,” it continues, “thanks to their cooperation and new evidence, we have named a new defendant to the civil lawsuit we believe to be the operator of the Kelihos botnet.”
That defendant, named in yesterday’s court filing, is Andrey Sabelnikov – from whom “Microsoft seeks injunctive and other equitable relief and damages... as the operator of a controlled network of computers, known as the “Kelihos” botnet...” Sabelnikov once worked for the Russian anti-virus company Agnitum.
The evidence, according to Brian Krebs, is that he was discovered when an unnamed security researcher with access to the Kelihos source code noticed that it contained debug code that downloaded a Kelihos installer from sabelnikov.net – a photography site registered to Sabelnikov’s name.