Wilders Security Forums  

Go Back   Wilders Security Forums > Other Security Topics > malware problems & news
#1
January 24th, 2012, 09:14 AM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,201
Microsoft identifies suspected Kelihos botnet author

Quote:
by Steven Musil

Four months after taking down the Kelihos botnet, Microsoft today identified the man it believes was behind the massive infection designed to deliver spam and steal data.
http://news.cnet.com/8301-1009_3-573...-botnet-author
#2
January 24th, 2012, 09:26 AM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,201
Re: Microsoft identifies suspected Kelihos botnet author

Quote:
Microsoft doesn’t specify where Sabelnikov worked, but according to Sabelnikov’s LinkedIn page, from 2005 to 2007 he was a senior system developer and project manager for Agnitum, a Russian antivirus firm based in St. Petersburg. One of the company’s most popular products is Outpost, a free firewall program. Sabelnikov’s profile says he most recently worked for a firm called Teknavo, which makes software for companies in the financial services sector.
KrebsOnSecurity
#3
January 24th, 2012, 02:21 PM
Cudni
Global Moderator
Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Re: Microsoft identifies suspected Kelihos botnet author

Are there more? Hope not
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#4
January 24th, 2012, 04:51 PM
JuanP1000
Infrequent Poster
Join Date: Aug 2010
Posts: 43
Re: Microsoft identifies suspected Kelihos botnet author

http://arstechnica.com/business/news...osoft-says.ars

Quote:
The LinkedIn page states he was also lead research engineer for Returnil, another security vendor, between 2008 and 2011.
__________________
Win7 Pro x86|DEP|SEHOP|EMET|UAC|Avast!|PrevX SafeOnline|MalwareBytes|HitMan Pro 3.5|PrivateFirewall|Secunia|Macrium Reflect|TrueCrypt
#5
January 24th, 2012, 05:03 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,454
Re: Microsoft identifies suspected Kelihos botnet author

There are black sheep in every business; the computer security business is no different. You can be sure there are more out there. Who knows, possibly also within Microsoft itself.
#6
January 24th, 2012, 05:24 PM
Coldmoon
Returnil Moderator
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Re: Microsoft identifies suspected Kelihos botnet author

Quote:
Originally Posted by JuanP1000

What is written on a LinkedIN page does not always reflect reality. He was, at best, simply a journeyman coder who worked on a small portion of a server project and was ultimately let go due to quality issues with his work...
__________________
Returnil: The Real Security!
Follow us on Facebook
#7
January 24th, 2012, 06:42 PM
Searching_ _ _
Very Frequent Poster
Join Date: Jan 2008
Location: iAnywhere
Posts: 1,988
Re: Microsoft identifies suspected Kelihos botnet author

Quote:
Originally Posted by Coldmoon
He was, at best, simply a journeyman coder who worked on a small portion of a server project and was ultimately let go due to quality issues with his work...
I wasn't aware there was a Union for Programmers. How long was the apprenticeship? What competency tests did he pass to secure his journeyman certification? Does he have OSHA certification? When he was laid off did he keep in touch with his business agent?
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?
#8
January 25th, 2012, 05:00 PM
Dermot7
Very Frequent Poster
Join Date: Dec 2009
Location: Surrey, England.
Posts: 1,844
Re: Microsoft identifies suspected Kelihos botnet author

"Accused Kelihos botmaster's former employer 'angered' at revelation": https://www.computerworld.com/s/arti...?taxonomyId=17
Quote:
A security-related company that until late December employed the Russian developer who allegedly created the Kelihos botnet said today it was "extremely disappointed and angered" at the revelation.

Returnil, which sells the Virtual System Pro program, confirmed Wednesday that Andrey Sabelnikov had worked in its St. Petersburg office until Dec. 21, 2011.
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.
#9
January 25th, 2012, 09:37 PM
LockBox
Very Frequent Poster
Join Date: Nov 2004
Posts: 2,081
Re: Microsoft identifies suspected Kelihos botnet author

Mike (Coldmoon),

Deal with this like a professional. Don't try to sweep it under the rug and pretend it's no big deal. That's the worst thing you can possibly do.

According to your quotes in Computerworld, you are angry. Show your anger and let your customers know how they have/have not been compromised. Deal with it. Straight ahead. Google 'Tylenol' and 'Johnson & Johnson'. It is the textbook example of how to deal with a crisis. So far, you appear to be doing the opposite in distancing yourself and making light of his job, etc.

Mike, please read: http://iml.jou.ufl.edu/projects/fall02/susi/tylenol.htm

For those who haven't read Mike's response to Computerworld, here is the article:
http://www.computerworld.com/s/artic...&taxonomyId=17

ON EDIT: Mike, I love your product. Don't let it be ruined. I just checked your Official Support Forum (here at Wilders) and you have not even addressed this! Unbelievable, frankly. This should be crisis-management mode - sticky post(!) - explaining all you know. Seeing NOTHING except questions from customers does NOT look good. If you have time to talk with Computerworld - take a step back and realize your customers and potential customers need to hear from you in an official capacity - ASAP. I wish you the best.

Last edited by LockBox : January 25th, 2012 at 09:51 PM.
#10
January 25th, 2012, 11:10 PM
ichito
Frequent Poster
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 848
Re: Microsoft identifies suspected Kelihos botnet author

@LockBox...
I think it's not so simple... a quote from our forum:
Quote:
November 11th, 2011, 04:19 PM
Coldmoon
Returnil Moderator

Default Re: RVS Pro is impressive: some questions
Hi,
I have updated the engineering team and will update you on when the new build is ready for final field trials to ensure the issues are verified as corrected.

Mike
http://www.wilderssecurity.com/showp...18&postcount=6
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl
#11
January 25th, 2012, 11:19 PM
LockBox
Very Frequent Poster
Join Date: Nov 2004
Posts: 2,081
Re: Microsoft identifies suspected Kelihos botnet author

Quote:
Originally Posted by ichito
@LockBox...
I think it's not so simple... a quote from our forum:

http://www.wilderssecurity.com/showp...18&postcount=6

I'm not even sure what that means. The relevance to managing this crisis is what exactly?
What I do know is that the worst that can be said in your official support forum is - nothing.
#12
January 25th, 2012, 11:41 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Microsoft identifies suspected Kelihos botnet author

Where's the crisis?
#13
January 26th, 2012, 12:02 AM
LockBox
Very Frequent Poster
Join Date: Nov 2004
Posts: 2,081
Re: Microsoft identifies suspected Kelihos botnet author

Quote:
Originally Posted by Hungry Man
Where's the crisis?

Microsoft has identified the man who was behind the huge Kelihos botnet infection. That man claims to have been a lead research engineer at Returnil for just over three years (from Nov. 2008 until just last month). Mike has told Computerworld that the man was, in fact, an employee, but bickered about the title. This man working for your security company with products out on computers all over the world - that's a crisis for Returnil.

Just think...when Kelihos botnet was creating its havoc....its mastermind was working for Returnil(!). Is that not a crisis?
Quote:
Kelihos, which is sometimes grouped in with the more well-known Waledac botnet, is a fairly small botnet, at an estimated 41,000 machines, but Microsoft officials said that the network was being used for a large variety of activities, including child pornography.
https://threatpost.com/en_us/blogs/m...-botnet-092711
#14
January 26th, 2012, 12:08 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Microsoft identifies suspected Kelihos botnet author

Doesn't seem that awful. It's not like Returnil was sanctioning this, they had no idea what he was doing. He wasn't a high level employee, he was just some worker who was hacking on the side.

Soooo many IT workers have screwed with people. Not like "Create a botnet" or anything but gone through info etc. I believe I even recall a case involving blackmail.

The company released a statement saying they just feel so darn awful and frankly that's as much as it takes. This isn't Tylenol - people aren't dying.

What do you want? A product recall on Returnil?
#15
January 26th, 2012, 02:37 AM
ichito
Frequent Poster
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 848
Re: Microsoft identifies suspected Kelihos botnet author

I just wanted to say that Coldmoon informed us about some problems, and it was not long before Sabelnikov's resignation. I don't know if the mentioned problems were associated with Sabelnikov, but it's possible. Coldmoon, as the chief, had no obligation to shout on the forums:
"Hey people - I have a problem in the company with a worker!"
That would be stupid. Even more, he should not do so; these are internal matters between him and his staff.
I know it's an uncomfortable and awkward situation for Returnil, but I guess we just have to wait for new information and not judge people or companies when we have so little knowledge.
BTW, did you find any statements from Teknavo or Agnitum anywhere? I didn't.
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl
#16
January 26th, 2012, 02:47 AM
Cudni
Global Moderator
Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Re: Microsoft identifies suspected Kelihos botnet author

OT posts removed.
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#17
January 26th, 2012, 11:09 AM
Coldmoon
Returnil Moderator
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,743
Re: Microsoft identifies suspected Kelihos botnet author

Hi All,
Our reply to Computerworld's report was completely accurate and should have left absolutely no doubt as to how we feel about the entire thing. It is repugnant to me personally and to the rest of us here at Returnil that someone, anyone would do something like what Mr. Sabelnikov is accused of having done. (emphasis mine)

Now, to address LockBox's concerns:

Quote:
Deal with this like a professional. Don't try to sweep it under the rug and pretend it's no big deal. That's the worst thing you can possibly do.

Nothing could be further from the truth. We are not sweeping anything under the rug and as you can see, we gave a very forceful response to the Computerworld article as linked to by Searching_ _ _ above. I fail to see how that reply would leave anyone in doubt as to how we view this at any level.

Quote:
According to your quotes in Computerworld, you are angry. Show your anger and let your customers know how they have/ have not been compromised. ...

This is a valid critique. To address this, we have created the following FAQ for convenient reference:

Quote:

Did Sabelnikov ever work for Returnil as claimed on his LinkedIN page?

Yes, he worked as a junior programmer on a test R&D project at our St Petersburg office.

Did he ever work on released Returnil products?

No, only on research. No code or output from Sabelnikov has ever been included in RVS products.

Did he have access to any RVS source code?

No, the St Petersburg office had no direct access to the source repositories for our products. These, along with our development teams, are not located in the Russian Federation; nor are they VPN'd in any way.

What have you done about this?

Despite the above, we have carried out a complete audit on our source code to be absolutely certain and can verify that it has not been compromised in any way.

The code review began immediately following the publication of the original Arstechnica article and concluded early today Central European time. We apologize for the delay here, but the review needed to be completed before we could say anything substantive on this specific topic.

Quote:
ON EDIT: Mike, I love your product. Don't let it be ruined. I just checked your Official Support Forum (here at Wilders) and you have not even addressed this! ...

This entire thing has unfolded very quickly and I felt it was best to initially address this topic where it was being discussed rather than just a statement in the support forums. As Ron broke the news in this forum, I saw no reason to divide the discussion when this thread already existed.

I plan to put up a sticky with the FAQ above and a link to this thread for further reading as soon as I can, but please be patient. This entire episode has been a shock and it was vitally important to complete the code review first which I hope you can understand.

To ichito:

Be assured that no code was compromised and that Sabelnikov had nothing whatsoever to do with the RSS/RVS projects in any way, shape, or manner; including any past, current, or future development. Nor did he have any access or connection to the remote management and product registration systems. His only duties were part of the R&D project mentioned above that dealt with malware research and analysis.
__________________
Returnil: The Real Security!
Follow us on Facebook
#18
January 26th, 2012, 12:00 PM
Spooony
Frequent Poster
Join Date: Apr 2011
Posts: 514
Re: Microsoft identifies suspected Kelihos botnet author

Quote:
The spread of the Kelihos Botnet is not related to any Microsoft vulnerability but instead achieved by misleading unwitting users into taking steps that result in the infection of their machines
http://www.noticeofpleadings.com/ima...e_stamped_.PDF

The first binaries of Win32/Kelihos that were discovered used the UPX packer to reduce the size of the binary executable. A few days later, the malware switched to a custom packer. We think the new software protection layer was outsourced to someone with deep knowledge of anti-virus engines and with the ability to program a packer straight in assembly language. This skill set seems distant from the one shown by the main developers of Win32/Kelihos.

At the end of February, Win32/Kelihos started using a new propagation mechanism: the LNK parsing vulnerability that was previously exploited by Stuxnet (CVE-2010-2568). Later variants added the creation of malicious LNK files on removable drives in an effort to spread to other computers.

The infection ratio of Win32/Kelihos has been very limited compared to large infections like Win32/Conficker and other big malware families. On the other hand, we have been able to see the impact of code modifications on the detection ratio for this malware family.
[Figure: Evolution of the detection statistics collected from ESET's ThreatSense system from 1 January 2011 until 31 May 2011.]
This figure shows that the malware propagation increased significantly after the inclusion of the CVE-2010-2568 (LNK) exploit into the malware at the end of February.
http://go.eset.com/us/resources/whit...011-bureau.pdf

Microsoft suspects him, and it looks like someone with a lot of experience had input into the updated version, but why did they lie that it didn't use a security hole? One from 2010 managed to exploit Windows with the same one Stuxnet used before that. The exploit was still effective in 2011!
__________________
I've discovered that people on IRC don't get offended or riled up by racism, nor politically incorrect jokes, nor feminism, nazism, nor goatse, or even tubgirl, not even jokes about 9/11 get a rise out of anybody but as soon as I tell somebody that macs are better than PCs, things get ugly.

Last edited by Spooony : January 26th, 2012 at 12:08 PM.
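The ESET excerpt quoted above notes that Kelihos moved from the stock UPX packer to a custom packer, which is exactly the change that defeats name-based packer detection. As an added illustration (not code from this thread, from ESET or from Returnil), the Python below walks the PE section table of constructed sample images and applies two defender-side triage heuristics: known packer section names (UPX0/UPX1), and per-section byte entropy, which is the fallback that still fires when the packer is custom and keeps ordinary section names. The sample PE images, the section-name set and the 7.0 bits/byte threshold are constructed or assumed values, not taken from any Kelihos sample.

```python
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY_BITS = 7.0  # assumed threshold; compressed or encrypted bytes approach 8.0

def build_sample_pe(section_specs):
    """Constructed minimal PE image: DOS stub, COFF header, section table, raw data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew: PE header at offset 64
    num = len(section_specs)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    raw_ptr = 64 + 4 + 20 + 40 * num                          # raw data follows the section table
    table, data = b"", b""
    for name, raw in section_specs:                           # (name_bytes, raw_bytes)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        data += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + data

def pe_sections(image):
    """Yield (section_name, raw_bytes) by walking the PE section table."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size                            # section table follows optional header
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def shannon_entropy(data):
    """Bits per byte: 8.0 is uniformly random, typical of packed or encrypted data."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)  # 0.0 for empty data

def packer_triage(image):
    """Return (verdict, findings): known packer names first, entropy as the fallback."""
    findings, known_packer, high_entropy = [], False, False
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        if name in UPX_SECTION_NAMES:                          # catches the early UPX builds
            known_packer = True
            findings.append(f"{name}: UPX section name")
        if ent >= HIGH_ENTROPY_BITS:                           # still fires for a custom packer
            high_entropy = True
            findings.append(f"{name}: entropy {ent:.2f} bits/byte")
    verdict = "upx-packed" if known_packer else "possibly-custom-packed" if high_entropy else "unpacked"
    return verdict, findings

# Constructed samples: low-entropy code-like bytes, a UPX-style layout, and a custom packer keeping .text
PLAIN_BYTES = b"\x90" * 512 + b"ABC" * 100
RANDOMISH_BYTES = bytes(range(256)) * 4
SAMPLE_PLAIN = build_sample_pe([(b".text", PLAIN_BYTES)])
SAMPLE_UPX = build_sample_pe([(b"UPX0", b""), (b"UPX1", RANDOMISH_BYTES)])
SAMPLE_CUSTOM = build_sample_pe([(b".text", RANDOMISH_BYTES)])
```

Calling `packer_triage` on the three samples yields "unpacked", "upx-packed" and "possibly-custom-packed" respectively; the last case is the one a name-only check would miss.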
#19
January 26th, 2012, 04:44 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,134
Re: Microsoft identifies suspected Kelihos botnet author

The official statement made by Microsoft's DCU.
#20
January 27th, 2012, 11:11 PM
ichito
Frequent Poster
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 848
Re: Microsoft identifies suspected Kelihos botnet author

Thanks Coldmoon.
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl
#21
January 30th, 2012, 02:29 PM
Dermot7
Very Frequent Poster
Join Date: Dec 2009
Location: Surrey, England.
Posts: 1,844
Re: Microsoft identifies suspected Kelihos botnet author

"Microsoft's Kelihos kingpin suspect: It wasn't me" :

http://www.theregister.co.uk/2012/01...uspect_denial/

Quote:
The Russian man named by Microsoft as the mastermind behind the Kelihos botnet has stepped forward to plead his innocence.
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.
 
