Microsoft identifies suspected Kelihos botnet author

Discussion in 'malware problems & news' started by ronjor, Jan 24, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    172,816
    Location:
    Texas
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    172,816
    Location:
    Texas
    KrebsOnSecurity
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Are there more? Hope not
     
  4. JuanP1000

    JuanP1000 Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    43
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There are black sheep in every business; computer security business is not any different. You can be sure there are more out there. Who knows also within Microsoft itself.
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I wasn't aware there was a Union for Programmers. How long was the apprenticeship? What competency tests did he pass to secure his journeyman certification? Does he have OSHA certification? When he was laid off did he keep in touch with his business agent?
    :D
     
  8. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    "Accused Kelihos botmaster's former employer 'angered' at revelation": https://www.computerworld.com/s/art..._employer_angered_at_revelation?taxonomyId=17
     
  9. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Mike (Coldmoon),

    Deal with this like a professional. Don't try to sweep it under the rug and pretend it's no big deal. That's the worst thing you can possibly do.

    According to your quotes in Computerworld, you are angry. Show your anger and let your customers know how they have/ have not been compromised. Deal with it. Straight ahead. Google 'Tylenol' and 'Johnson & Johnson'. It is the textbook example of how to deal with a crisis. So far, you appear to be doing the opposite in distancing yourself and making light of his job, etc.

    Mike, please read: http://iml.jou.ufl.edu/projects/fall02/susi/tylenol.htm

    For those who haven't read Mike's response to Computerworld, here is the article:
    http://www.computerworld.com/s/arti...evelation?taxonomyName=Security&taxonomyId=17

    ON EDIT: Mike, I love your product. Don't let it be ruined. I just checked your Official Support Forum (here at Wilders) and you have not even addressed this! Unbelievable, frankly. This should be crisis-management mode - sticky post(!) - explaining all you know. Seeing NOTHING except questions from customers does NOT look good. If you have time to talk with Computerworld - take a step back and realize your customers and potential customers need to hear from you in an official capacity - ASAP. I wish you the best.
     
    Last edited: Jan 25, 2012
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,998
    Location:
    Poland - Cracow
    @LockBox...
    I think it's not so simply...quote from our forum
    https://www.wilderssecurity.com/showpost.php?p=1971118&postcount=6
     
  11. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    I'm not even sure what that means. The relevance to managing this crisis is what exactly?
    What I do know is that the worst that can be said in your official support forum is - nothing.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Where's the crisis?
     
  13. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Microsoft has identified the man who was behind the huge Kelihos botnet infection. That man claims to have been a lead research engineer at Returnil for just over three years (from Nov. 2008 until just last month). Mike has told Computerworld that the man was, in fact, an employee, but bickered about the title. This man working for your security company with products out on computers all over the world - that's a crisis for Returnil.

    Just think...when Kelihos botnet was creating its havoc....its mastermind was working for Returnil(!). Is that not a crisis?

    Kelihos, which is sometimes grouped in with the more well-known Waledac botnet, is a fairly small botnet, at an estimated 41,000 machines, but Microsoft officials said that the network was being used for a large variety of activities, including child pornography.
    https://threatpost.com/en_us/blogs/microsoft-takes-down-kelihos-botnet-092711
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Doesn't seem that awful. It's not like Returnil was sanctioning this, they had no idea what he was doing. He wasn't a high level employee, he was just some worker who was hacking on the side.

    Soooo many IT workers have screwed with people. Not like "Create a botnet" or anything but gone through info etc. I believe I even recall a case involving blackmail.

    The company released a statement saying they just feel so darn awful and frankly that's as much as it takes. This isn't tylenol - people aren't dying.

    What do you want? A product recall on Returnil?
     
  15. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,998
    Location:
    Poland - Cracow
    I just wanted to say that Coldmoon informed us about some problems and it was not so long before resignation of Sabelnikov. I don't know if mentioned problems was associated with Sabelnikov, but it's possible. Coldmoon as the chief had no obligation to shout on the forums:
    "Hey people - I have a problem in the company with a worker!"
    That would be stupid. Even more ... he should not to do so ... these are internal matters between him and his staff.
    I know it's uncomfortable and awkward situation for Returnil, but I guess we have just wait for new information and don't judge people / companies when we have so little knowledge.
    BTW ... did you find somewhere statements if Teknavo or Agnitum ... I don't :)
     
  16. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    ot posts removed.
     
  17. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi All,
    Our reply to Computerworld's report was completely accurate and should have left absolutely no doubt as to how we feel about the entire thing. It is repugnant to me personally and to the rest of us here at Returnil that someone, anyone would do something like what Mr. Sabelnikov is accused of having done. (emphasis mine)

    Now, to address LockBox's concerns:

    Nothing could be further from the truth. We are not sweeping anything under the rug and as you can see, we gave a very forceful response to the Computerworld article as linked to by Searching_ _ _ above. I fail to see how that reply would leave anyone in doubt as to how we view this at any level.

    This is a valid critique. To address this, we have created the following FAQ for convenient reference:

    The code review began immediately following the publication of the original Arstechnica article and concluded early today Central European time. We apologize for the delay here, but the review needed to be completed before we could say anything substantive on this specific topic.

    This entire thing has unfolded very quickly and I felt it was best to initially address this topic where it was being discussed rather than just a statement in the support forums. As Ron broke the news in this forum, I saw no reason to divide the discussion when this thread already existed.

    I plan to put up a sticky with the FAQ above and a link to this thread for further reading as soon as I can, but please be patient. This entire episode has been a shock and it was vitally important to complete the code review first which I hope you can understand.

    To ichito:

    Be assured that no code was compromised and that Sabelnikov had nothing whatsoever to do with the RSS/RVS projects in any way, shape, or manner; including any past, current, or future development. Nor did he have any access or connection to the remote management and product registration systems. His only duties were part of the R&D project mentioned above that dealt with malware research and analysis.
     
  18. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    http://www.noticeofpleadings.com/im...Microsoft_for_Emergency_TRO_date_stamped_.PDF

    The first binaries of Win32/Kelihos that were discovered used the UPX packer to reduce the size of the binary executable. A few days later, the malware switched to a custom packer. We think the new software protection layer was outsourced to someone with deep knowledge of anti-virus engines and with the ability to program a packer straight in assembly language. This skill set seems distant from the one shown by the main developers of Win32/Kelihos.

    At the end of February, Win32/Kelihos started using a new propagation mechanism: the LNK parsing vulnerability that was previously exploited by Stuxnet (CVE-2010-256:cool:. Later variants added the creation of malicious LNK files on removable drives in an effort to spread to other computers.

    The infection ratio of Win32/Kelihos has been very limited compared to large infections like Win32/Conficker and other big malware families. On the other hand, we have been able to see the impact of code modifications on the detection ratio for this malware family. Evolution of the detection statistics collected from ESET’s ThreatSense system from 1 January 2011 until 31 May 2011. This figure shows that the malware propagation increased significantly after the inclusion of the CVE-2010-2568 (LNK) exploit into the malware at the end of February.
    http://go.eset.com/us/resources/white-papers/vb2011-bureau.pdf

    Microsoft suspects him and it looks like someone with lot of experience had input into the updated version but why did they lie about that it didn't use a security hole. One from 2010 managed to exploit windows with the same one Stuxnet used before that. The exploit was still being effective in 2011!
     
    Last edited: Jan 26, 2012
  19. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,998
    Location:
    Poland - Cracow
    Thanks Coldmoon.
     
  21. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.