Kelihos botnet maker was found in Russia by Microsoft


Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
Kelihos botnet maker was found in Russia by Microsoft topic for you ..


Microsoft: Worm Operator Worked at Antivirus Firm: on KrebsOnSecurity.com: https://krebsonsecurity.com/2012/01/microsoft-worm-author-worked-at-antivirus-firm/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

Quote:
'In a surprise filing made late Monday, Microsoft said a former technical expert at a Russian antivirus firm was the person responsible for operating the Kelihos botnet, a global spam machine that Microsoft dismantled in a coordinated takedown last year.

In a post to the Official Microsoft Blog, the company identified 31-year-old Andrey N. Sabelnikov of St. Petersburg, Russia as responsible for the operations of the botnet. Microsoft’s amended complaint (PDF) filed with the U.S. District Court for the Eastern District of Virginia states that Sabelnikov worked as a software engineer and project manager at a company that provided firewall, antivirus and security software.'

And you have his nice shot, thank you KrebsOnSecurity!;)



PS. And you probably remember another picture of another handsome Russian, Leo Kuvayev / BadCow here on Spamhaus.org: The Top 10 Spammers: http://www.spamhaus.org/statistics/spammers.lasso
Leo Kuvayev nice shot:


Yeah, these Eastern Boys:D .. also: Trojan Ransom (WinLock, LockScreen) .. makers, propagators?.. thread on sysinternals.com forum here: http://forum.sysinternals.com/topic22054.html
.
 

Nathan Wootton

Level 1
May 25, 2011
313
RE: Kelihos botnet maker was found in Russia's anti-malware firm

Anybody know what company he worked for? I was thinking an ex-Kaspersky employee.
 

iPanik

New Member
Feb 28, 2011
530
RE: Kelihos botnet maker was found in Russia's anti-malware firm

The article says Agnitum and some company called Teknavo.

However, do note the keyword "former". Wherever he worked, he's not there anymore.
 

Nathan Wootton

Level 1
May 25, 2011
313
RE: Kelihos botnet maker was found in Russia's anti-malware firm

Undoubtedly :) I've never heard of "Teknavo" though... hmm, it interests me now lol
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
RE: Kelihos botnet maker was found in Russia's anti-malware firm

.
Motto: 'Wherever he worked, he's not there anymore.'


Wherever he worked, he's not there anymore. Hmm, who knows where he is now ..:huh:

He may have a more lucrative occupation than botnets; maybe in his youth he must have a fling with the girls, or give himself time to reflect on a sunny island somewhere, to invent new attacks on the Internet .. Once you have tasted the forbidden fruit, it will be difficult to change jobs, you can understand it .. :D

In any case, this boy looks good:
Andrey Sabelnikov, botnets maker from Russia:
- вот молодец!!! (cool, my young boy!)



I would have advised him to stop botnets and concentrate on girls.;) The quality of his photography is equal to the beauty of the ladies (Andrey Sabelnikov's photographs on photosight.ru): http://www.photosight.ru/users/288316/

... and photo album (all 759) here on vk.com: http://vk.com/photo2830192_271323422?all=1


"""""""""""""""""""""""""""""""""""""""""""""

PS. Returning to the serious stuff: look on thenextweb.com, by Alex Wilhelm:
The creator of the Kelihos botnet, which Microsoft whacked, worked for an antivirus firm:
http://thenextweb.com/microsoft/2012/01/24/the-creator-of-the-kelihos-botnet-which-microsoft-whacked-worked-for-an-antivirus-firm/

Quote:
'Microsoft alleges that Kelihos was coded, and grown to its full stature by Sabelnikov. Such botnets, which infect thousands and thousands of machines, not only put consumers at risk, but also tarnish Microsoft’s reputation as a purveyor of quality software; Microsoft has made a mostly successful push in recent years to lock down its code, and provide free safety tools to its users.'
'I disagree that Microsoft is on any sort of charity kick with this action, but it is quite intriguing that to stop such threats, the firm is willing to dig all the way to the root of the issue, the hands that created it.'
.
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
RE: Kelihos botnet maker was found in Russia's anti-malware firm

.
Accused Kelihos botmaster's former employer 'angered' at revelation: on ComputerWorld.com: https://www.computerworld.com/s/article/9223712/Accused_Kelihos_botmaster_s_former_employer_angered_at_revelation?taxonomyId=17

QUOTE:
' "We are extremely disappointed and angered that someone who was a member of our team could be implicated in this type of activity," Michael Wood, Returnil's vice president of product management, said in an email reply to questions posed Tuesday.'

'According to Sabelnikov's LinkedIn account -- which was drastically pruned yesterday -- he worked for Returnil from November 2008 until December 2011 as a lead research engineer.'

' "He left of his own volition to pursue other opportunities due in large measure to the project he was working on being terminated," Wood said ..'

'Sabelnikov's LinkedIn page claimed that after leaving Returnil he worked for Teknavo, a consultancy that, among other things, develops software for financial organizations.'

'Wood distanced Returnil from its former employee.'

""""""""""""""""""""""""""""""""""""

Then Andrey is abandoned by all .. except Microsoft and me.
.
 

Gnosis

Level 5
Apr 26, 2011
2,779
RE: Kelihos botnet maker was found in Russia's anti-malware firm

Anybody know what company he worked for? I was thinking an ex-Kaspersky employee.

As far as I know, Kaspersky's headquarters are in Poland. Unless they have a branch in Russia, I would assume it would be the makers of Dr. Web, but their headquarters are in Moscow. (This guy is in St. Pyotrsburg)

It is hard telling what outfit he was with. I am sure there are all kinds in western Russia. The makers of Dr. Web Cureit are the only Ruskies that I know of.
 

Gnosis

Level 5
Apr 26, 2011
2,779
RE: Kelihos botnet maker was found in Russia's anti-malware firm

I would have advised him to stop botnets and concentrate on girls. The quality of his photography is equal to the beauty of the ladies (Andrey Sabelnikov's photographs on photosight.ru):

Russian spies love their photography, then again, so do Japanese tourists.
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
RE: Kelihos botnet maker was found in Russia's anti-malware firm

.
Hi ZOU, it seems to me that you are really super likeable!;)

'This guy is in St. Pyotrsburg' - aaa ..

Your spelling is very innovative, I like it. Germanized name of St. Petersburg, slavicized St. Pyotrsburg, it's new for me.:D

Look, a guy from St. Pyotrsburg, you see: http://www.bebo.com/Profile.jsp?MemberId=3576374971 - He likes red.:D:D:sleepy:

It would be a good trend if they slavicized more city names, e.g.: Koenigsburg (or Königsburg), Orenburg ... Ekaterinburg ..

'Russian spies love their photography, then again, so do Japanese tourists.' - Yeah, I see.
- Ouais mais bon: http://www.ouaismaisbon.ch/ :D - This means: it's true, but there are subjects more interesting than this.

'Ruskies' = Russians?..:D Very pleasant, your spelling, very pleasant.
.
 

Nathan Wootton

Level 1
May 25, 2011
313
RE: Kelihos botnet maker was found in Russia's anti-malware firm

ZOU1 said:
Anybody know what company he worked for? I was thinking an ex-Kaspersky employee.

As far as I know, Kaspersky's headquarters are in Poland. Unless they have a branch in Russia, I would assume it would be the makers of Dr. Web, but their headquarters are in Moscow. (This guy is in St. Pyotrsburg)

It is hard telling what outfit he was with. I am sure there are all kinds in western Russia. The makers of Dr. Web Cureit are the only Ruskies that I know of.

ERMM, Kaspersky Lab:

Type: Private
Industry: Computer software, Security software
Founded: Moscow, Russia (1997)
Founder(s): Eugene Kaspersky
Headquarters: Moscow, Russia
Area served: Worldwide
Key people: Eugene Kaspersky (CEO), Natalia Kaspersky (Chairperson)
Products: Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Mobile Security, Kaspersky PURE, Kaspersky Open Space Security, Integrated security
Revenue: US $480 million (2009)[1]
Profit: US $67.3 million, 69% (2006)[2]
Employees: over 2,000 (March 2010)[3]
Website: Kaspersky.com
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
RE: Kelihos botnet maker was found in Russia's anti-malware firm

.
NEWS:

Mr. Waledac: The Peter North of Spamming: on KrebsOnSecurity: http://krebsonsecurity.com/2012/01/mr-waledac-the-peter-north-of-spamming/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

QUOTE:
'Kelihos shares a great deal of code with the infamous Waledac botnet' ..
'On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.'
'Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.'
'A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5).'

So look always here on Spamhaus spammers lasso: http://www.spamhaus.org/statistics/spammers.lasso ;)

'There are clues that suggest a relationship between Severa and Kelihos that go beyond similarities in the code that powers the two botnets. Last summer, prior to Microsoft’s takedown of Kelihos, I wrote about another venture that Severa widely advertised on hacker forums: “Sevantivir,” an affiliate program that rewarded hackers for tricking people into installing and ultimately paying for fake antivirus software.

In that story, I cited research by French malware investigator and blogger Steven “Xylitol” K, who found that the installer program that Severa was giving to affiliates seeded infected PCs with both fake antivirus and a copy of Kelihos. From that story:

“Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.”

It’s not clear what botnet infrastructure he is using now, but Severa is still the spam service administrator on several underground forums, pimping his spam services, remarkably under most of the same prices he offered them for in 2008.'

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

OK, KrebsOnSecurity takes care of Peter Severa, and I want to follow the trials and tribulations of our Andrey Sabelnikov.
Then you know that Andrey has hidden all these pretty pictures from the eyes of the public? Click on the picture links in my Post #5 - you know, how horrible!
Andrey - it is a shame, shame ..
Fortunately we have here your two beautiful pictures still intact.:D

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""


.
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
.
Letter - comment by Andrey Sabelnikov: http://sabelnikov.livejournal.com/2012/01/27/ - I used Google translator:



'Andrey Sabelnikov

My comments on Microsoft's statements.
sabelnikov
January 27th, 3:30. I, Sabelnikov Andrey, am a programmer with nine years' experience; I graduated from St. Petersburg State University of Aerospace Instrumentation in 2003 and since 2002 have been working in highly respected Russian and international IT companies.

On January 21, 2012, arriving in America for the first time on a pre-planned, long-term, productive business trip, and having spent two days there, I was immensely surprised and dismayed to learn from the press that I was accused of a felony in connection with the activities of the Kelihos botnet.

I did not commit this crime, have never participated in the management of botnets or any other similar programs, and certainly never extracted any benefit from it.

However, after serious consideration and consultation with my employer, given my ignorance of American law, feeling my helplessness in this situation and not having sufficient funds for qualified legal assistance, I made the decision, difficult for me, to interrupt the trip and temporarily return to Russia, so that here, in an environment familiar to me, I can defend my innocence.

I want to emphasize that I have no relation to the activities of Kelihos and spam. Unfortunately, an avalanche of press coverage, citing false facts and distorting reality, has unwittingly caused the companies in which I worked and work, and me personally, huge moral harm and damage to business reputation.

I submit this letter to the company Microsoft and the company Kaspersky Labs, which were listed in Microsoft's official statement and their public court documents, which I am now studying, and I am ready, in accordance with Russian law, to give the necessary explanations and answers to their questions.'


""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

So .. it seems that a dialogue ensues .. on eHackingNews.com: Kelihos botnet suspect "Andrey Sabelnikov" proclaims innocence: http://www.ehackingnews.com/2012/01/kelihos-botnet-suspect-andrey.html

'Microsoft said it stood by the accusation it made earlier this month.

"As this is a case pending in court, we cannot comment further except to say that we look forward to seeing Mr Sabelnikov in court so we can continue this discussion," said Richard Boscovich, senior attorney for Microsoft's Digital Crime Unit.'

.
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
Kelihos botnet news: Kelihos/Hlux botnet returns with new techniques: on securelist.com: http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques

QUOTE:
'Our investigation revealed that the new version appeared as early as September 28, right after Microsoft and Kaspersky Lab announced the neutralization of the original Hlux/Kelihos botnet.
The controllers list in the new version remained almost the same and slightly changed over time.
This botnet continues to get orders from spammers and send spam in different languages ..'

'The botnet master might know the list of active router IPs, can connect to them directly and push the bot update again along with the new controllers list.'

'We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end.'

"""""""""""""""""""""""""""""""""""""""""""""""""""""""""

Kelihos resurrection story:

"Slain" Kelihos botnet still spams from beyond the grave: on TechLife 917wy.com: by Dan Goodin: http://www.917wy.com/business/news/2012/02/slain-kelihos-botnet-still-spams-from-beyond-the-grave.ars


.
 

Gnosis

Level 5
Apr 26, 2011
2,779
ERMM Kaspersky Lab

Type Private
Industry Computer software
Security software
Founded Moscow, Russia (1997)
Founder(s) Eugene Kaspersky

Thanks, Nathan.


Hi ZOU, it seems to me that you are really super likeable!

I like you too, Prorootetc.
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
.
Very sharp comment, asking the right questions on KrebsOnSecurity: by Nick P, January 24, 2012 at 2:29 pm:

'Did anyone else notice the implications of this? The malware’s source code contained instructions to utilize a specific site with this guy’s actual name and other personal references in it. That’s either one of the dumbest mistakes in malware history or he’s being framed. It would be so easy to hack some AV engineer’s site, put malware on it, and make my sploits download from him to focus the authorities on him. Add to it that the two guys fingering him for this are under police pressure & crooks often try to use scapegoats to get out of jail sentences.

So, to get an idea here, how many big botnet operators have used their own name, sites with PII, etc. in the operation of a botnet or its source code? Does this happen often? Very rarely? Is it a first?'


I too think that Andrey Sabelnikov is not a naive, inexperienced child.
.
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
'Long life to Kelihos!' reads the title on community.websense.com: http://community.websense.com/blogs/securitylabs/archive/2012/02/17/long-life-to-kelihos.aspx - or here: http://securityphresh.com/#top-security-news

QUOTE:
'During the past months, the spam engine Kelihos has attracted the attention of many people, including security company researchers and analysts. Also very interesting was the recent official Microsoft response, in which a new generation of Kelihos variants derived from the previous one was confirmed. The Websense® Security Labs™ Spam Trap system has detected a variant of Kelihos that is apparently still active.

We focused our research on trying to uncover the Kelihos command and control infrastructure and P2P network, along with some features of the botnet that we could recognize, including enhancements. The first interesting thing we noticed was in a sample of the network traffic generated by the bot before it starts its spam activity. As shown below, the bot generates a first request to an IP address that is listening on HTTP port 80 ..'

Aaa, Port 80!
- Have you closed your port 80, please?..;)
.
 