Microsoft identifies suspected Kelihos botnet author

Discussion in 'malware problems & news' started by ronjor, Jan 24, 2012.

Thread Status:
Not open for further replies.
  1. ronjor (Global Moderator)
  2. ronjor (Global Moderator)
    KrebsOnSecurity
     
  3. Cudni (Global Moderator)
    Are there more? Hope not
     
  4. JuanP1000 (Registered Member)
  5. m00nbl00d (Registered Member)
    There are black sheep in every business; computer security business is not any different. You can be sure there are more out there. Who knows also within Microsoft itself.
     
  6. Coldmoon (Returnil Moderator)
  7. Searching_ _ _ (Registered Member)
    I wasn't aware there was a Union for Programmers. How long was the apprenticeship? What competency tests did he pass to secure his journeyman certification? Does he have OSHA certification? When he was laid off did he keep in touch with his business agent?
    :D
     
  8. Dermot7 (Registered Member)
    "Accused Kelihos botmaster's former employer 'angered' at revelation": https://www.computerworld.com/s/art..._employer_angered_at_revelation?taxonomyId=17
     
  9. LockBox (Registered Member)
    Mike (Coldmoon),

    Deal with this like a professional. Don't try to sweep it under the rug and pretend it's no big deal. That's the worst thing you can possibly do.

    According to your quotes in Computerworld, you are angry. Show your anger and let your customers know how they have/have not been compromised. Deal with it. Straight ahead. Google 'Tylenol' and 'Johnson & Johnson'. It is the textbook example of how to deal with a crisis. So far, you appear to be doing the opposite in distancing yourself and making light of his job, etc.

    Mike, please read: http://iml.jou.ufl.edu/projects/fall02/susi/tylenol.htm

    For those who haven't read Mike's response to Computerworld, here is the article:
    http://www.computerworld.com/s/arti...evelation?taxonomyName=Security&taxonomyId=17

    ON EDIT: Mike, I love your product. Don't let it be ruined. I just checked your Official Support Forum (here at Wilders) and you have not even addressed this! Unbelievable, frankly. This should be crisis-management mode - sticky post(!) - explaining all you know. Seeing NOTHING except questions from customers does NOT look good. If you have time to talk with Computerworld - take a step back and realize your customers and potential customers need to hear from you in an official capacity - ASAP. I wish you the best.
     
    Last edited: Jan 25, 2012
  10. ichito (Registered Member)
    @LockBox...
    I think it's not so simple... a quote from our forum:
    https://www.wilderssecurity.com/showpost.php?p=1971118&postcount=6
     
  11. LockBox (Registered Member)
    I'm not even sure what that means. The relevance to managing this crisis is what exactly?
    What I do know is that the worst that can be said in your official support forum is - nothing.
     
  12. Hungry Man (Registered Member)
    Where's the crisis?
     
  13. LockBox (Registered Member)
    Microsoft has identified the man who was behind the huge Kelihos botnet infection. That man claims to have been a lead research engineer at Returnil for just over three years (from Nov. 2008 until just last month). Mike has told Computerworld that the man was, in fact, an employee, but bickered about the title. This man was working for your security company, with products out on computers all over the world - that's a crisis for Returnil.

    Just think... when the Kelihos botnet was creating its havoc... its mastermind was working for Returnil(!). Is that not a crisis?

    Kelihos, which is sometimes grouped in with the more well-known Waledac botnet, is a fairly small botnet, at an estimated 41,000 machines, but Microsoft officials said that the network was being used for a large variety of activities, including child pornography.
    https://threatpost.com/en_us/blogs/microsoft-takes-down-kelihos-botnet-092711
     
  14. Hungry Man (Registered Member)
    Doesn't seem that awful. It's not like Returnil was sanctioning this, they had no idea what he was doing. He wasn't a high level employee, he was just some worker who was hacking on the side.

    Soooo many IT workers have screwed with people. Not like "Create a botnet" or anything but gone through info etc. I believe I even recall a case involving blackmail.

    The company released a statement saying they just feel so darn awful and frankly that's as much as it takes. This isn't Tylenol - people aren't dying.

    What do you want? A product recall on Returnil?
     
  15. ichito (Registered Member)
    I just wanted to say that Coldmoon informed us about some problems, and it was not long before Sabelnikov's resignation. I don't know if the problems mentioned were associated with Sabelnikov, but it's possible. Coldmoon, as the chief, had no obligation to shout on the forums:
    "Hey people - I have a problem in the company with a worker!"
    That would be stupid. Even more... he should not do so... these are internal matters between him and his staff.
    I know it's an uncomfortable and awkward situation for Returnil, but I guess we just have to wait for new information and not judge people/companies when we have so little knowledge.
    BTW... did you find any statements from Teknavo or Agnitum anywhere? I didn't :)
     
  16. Cudni (Global Moderator)
    OT posts removed.
     
  17. Coldmoon (Returnil Moderator)
    Hi All,
    Our reply to Computerworld's report was completely accurate and should have left absolutely no doubt as to how we feel about the entire thing. It is repugnant to me personally and to the rest of us here at Returnil that someone, anyone would do something like what Mr. Sabelnikov is accused of having done. (emphasis mine)

    Now, to address LockBox's concerns:

    Nothing could be further from the truth. We are not sweeping anything under the rug and as you can see, we gave a very forceful response to the Computerworld article as linked to by Searching_ _ _ above. I fail to see how that reply would leave anyone in doubt as to how we view this at any level.

    This is a valid critique. To address this, we have created the following FAQ for convenient reference:

    The code review began immediately following the publication of the original Arstechnica article and concluded early today Central European time. We apologize for the delay here, but the review needed to be completed before we could say anything substantive on this specific topic.

    This entire thing has unfolded very quickly and I felt it was best to initially address this topic where it was being discussed rather than just a statement in the support forums. As Ron broke the news in this forum, I saw no reason to divide the discussion when this thread already existed.

    I plan to put up a sticky with the FAQ above and a link to this thread for further reading as soon as I can, but please be patient. This entire episode has been a shock and it was vitally important to complete the code review first which I hope you can understand.

    To ichito:

    Be assured that no code was compromised and that Sabelnikov had nothing whatsoever to do with the RSS/RVS projects in any way, shape, or manner; including any past, current, or future development. Nor did he have any access or connection to the remote management and product registration systems. His only duties were part of the R&D project mentioned above that dealt with malware research and analysis.
     
  18. Spooony (Registered Member)
    http://www.noticeofpleadings.com/im...Microsoft_for_Emergency_TRO_date_stamped_.PDF

    The first binaries of Win32/Kelihos that were discovered used the UPX packer to reduce the size of the binary executable. A few days later, the malware switched to a custom packer. We think the new software protection layer was outsourced to someone with deep knowledge of anti-virus engines and with the ability to program a packer straight in assembly language. This skill set seems distant from the one shown by the main developers of Win32/Kelihos.

    At the end of February, Win32/Kelihos started using a new propagation mechanism: the LNK parsing vulnerability that was previously exploited by Stuxnet (CVE-2010-2568). Later variants added the creation of malicious LNK files on removable drives in an effort to spread to other computers.

    The infection ratio of Win32/Kelihos has been very limited compared to large infections like Win32/Conficker and other big malware families. On the other hand, we have been able to see the impact of code modifications on the detection ratio for this malware family. [Figure: Evolution of the detection statistics collected from ESET's ThreatSense system from 1 January 2011 until 31 May 2011.] This figure shows that the malware propagation increased significantly after the inclusion of the CVE-2010-2568 (LNK) exploit into the malware at the end of February.
    http://go.eset.com/us/resources/white-papers/vb2011-bureau.pdf

    Microsoft suspects him, and it looks like someone with a lot of experience had input into the updated version, but why did they lie about it not using a security hole? One from 2010 managed to exploit Windows with the same one Stuxnet used before that. The exploit was still effective in 2011!
     
    Last edited: Jan 26, 2012
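The ESET excerpt quoted in the post above describes Kelihos spreading by dropping malicious LNK files on removable drives that exploit the Stuxnet shortcut bug (CVE-2010-2568). The following is an added example, not code from this page, from ESET or from Microsoft: a small Python checker for that pattern. It parses the ShellLinkHeader and LinkTargetIDList as laid out in [MS-SHLLINK] and flags a shortcut whose ID list enters the Control Panel shell folder and then carries a filesystem path instead of an applet CLSID, which is how the vulnerable shell was tricked into loading an attacker's DLL while rendering the icon. Assumptions: the Control Panel CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D} is the one reported in public analyses of the Stuxnet-style samples and is not stated on this page; the `build_lnk` helper and the three sample shortcuts are constructed here for the demonstration and are not real malware; `scan_drive` is a hypothetical driver for walking a mounted volume.

```python
"""Heuristic scanner for shell links (.lnk) shaped like CVE-2010-2568 droppers.

Added example; the CLSID values and the 'Control Panel folder followed by a
file path' heuristic come from public analyses of the Stuxnet LNK samples,
not from the forum thread this accompanies.
"""
import struct
import uuid
from pathlib import Path

# Fixed fields of the ShellLinkHeader ([MS-SHLLINK] 2.1).
HEADER_SIZE = 0x4C
LNK_MAGIC = b"L\x00\x00\x00"                       # HeaderSize == 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001               # LinkFlags bit A

# Shell-folder CLSIDs (assumed from public analyses, not from the page).
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le


def parse_link_target_id_list(data: bytes, offset: int) -> list[bytes]:
    """Parse the LinkTargetIDList at `offset`; return each ItemID payload in order.

    Raises ValueError on a list that runs past the file or has a bad item size.
    """
    if offset + 2 > len(data):
        raise ValueError("truncated IDListSize")
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    end = offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize exceeds file length")
    items, pos = [], offset + 2
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                          # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2 : pos + item_size])
        pos += item_size
    return items


def is_suspicious_lnk(data: bytes) -> bool:
    """True when the target ID list enters the Control Panel folder and a later
    item names a filesystem path (UTF-16LE backslash) rather than an applet CLSID."""
    if len(data) < HEADER_SIZE or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        return False                                # not a shell link at all
    (flags,) = struct.unpack_from("<I", data, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return False                                # nothing for the shell to walk
    try:
        items = parse_link_target_id_list(data, HEADER_SIZE)
    except ValueError:
        return True                                 # unparsable ID list: send to an analyst
    for i, item in enumerate(items):
        if CONTROL_PANEL_CLSID in item:
            # The shell resolves what follows the Control Panel item as an applet;
            # a path here means it would LoadLibrary an arbitrary DLL.
            return any(b"\\\x00" in later for later in items[i + 1 :])
    return False


def scan_drive(root: Path) -> list[Path]:
    """Hypothetical driver: walk a mounted volume and return the suspicious .lnk files."""
    hits = []
    for path in root.rglob("*.lnk"):
        try:
            if is_suspicious_lnk(path.read_bytes()):
                hits.append(path)
        except OSError:
            continue
    return hits


# --- constructed samples for the demo (not real malware) -------------------

def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload


def build_lnk(item_payloads: list[bytes]) -> bytes:
    """Assemble a minimal shell link: header plus a LinkTargetIDList, nothing else."""
    header = bytearray(HEADER_SIZE)
    header[0:4] = LNK_MAGIC
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    body = b"".join(_item(p) for p in item_payloads) + b"\x00\x00"   # TerminalID
    return bytes(header) + struct.pack("<H", len(body)) + body


# Control Panel folder followed by a file path: the exploit shape (constructed path).
MALICIOUS_SAMPLE = build_lnk([
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x1f" + CONTROL_PANEL_CLSID,
    b"\x00" + "\\\\.\\STORAGE\\payload.tmp".encode("utf-16-le"),
])
# Ordinary file shortcut: a drive item and a file name, no Control Panel folder.
BENIGN_FILE_SAMPLE = build_lnk([
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x2fC:\\\x00",
    b"\x32notes.txt\x00",
])
# Shortcut to an applet referenced by CLSID (placeholder CLSID, constructed).
BENIGN_CPL_SAMPLE = build_lnk([
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x1f" + CONTROL_PANEL_CLSID,
    b"\x1f" + uuid.UUID(int=1).bytes_le,
])

if __name__ == "__main__":
    for name, blob in (("exploit-shaped", MALICIOUS_SAMPLE),
                       ("file shortcut", BENIGN_FILE_SAMPLE),
                       ("applet shortcut", BENIGN_CPL_SAMPLE)):
        print(f"{name}: suspicious={is_suspicious_lnk(blob)}")
```

This is a triage heuristic, not a signature: benign shortcuts to Control Panel applets reference the applet by CLSID, so only a path after the Control Panel item is flagged, and a shortcut whose ID list cannot be walked is reported rather than silently skipped, since a malformed shortcut on a removable drive deserves a look either way. The patched shell (MS10-046) no longer loads the DLL while rendering the icon, so on patched hosts the same file is a dropped artifact to collect rather than a live infection vector.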
  19. siljaline (Registered Member)
  20. ichito (Registered Member)
    Thanks Coldmoon.
     
  21. Dermot7 (Registered Member)