The Kelihos botnet that sent up to 3.8 billion spam e-mails per day before being taken offline by Microsoft and Kaspersky Lab four months ago was created and controlled by a software developer who formerly worked for an antivirus firm, Microsoft said in a civil lawsuit updated yesterday.

"Defendant Andrey N. Sabelnikov is an individual residing in St. Petersburg, Russian Federation," Microsoft writes in a US District Court complaint against Sabelnikov. "Defendant currently works on a freelance basis for a software development and consulting firm. Prior to his current employment, Defendant worked as a software engineer and project manager at a company that provided firewall, antivirus and security software."

Sabelnikov wrote or helped create the malware used by the Kelihos botnet, and he "used the software to control, operate, maintain and grow the Kelihos botnet, by among other things, infecting innocent users’ computers," Microsoft said in the amended complaint (PDF). Microsoft notes that Sabelnikov is not the first named defendant in the case, but is the first alleged to have created the software and directly controlled the botnet. Overall, Microsoft has said Kelihos was operated by more than 20 people, but most remain unidentified. The Kelihos botnet controlled 41,000 computers worldwide before being shut down, and thousands of computers are still infected by its malware, Microsoft said.

One security firm Sabelnikov formerly worked for was Agnitum, a Russian antivirus vendor in St. Petersburg, the Krebs On Security blog notes, pointing to the defendant's LinkedIn page. "A source close to the investigation told Krebs On Security that Sabelnikov’s alleged role was discovered after a security researcher obtained a copy of the source code to Kelihos," the blog states. "The researcher noticed that the source contained debug code that downloaded a Kelihos malware installer from the domain sabelnikov.net, a photography site registered to Sabelnikov’s name." Sabelnikov was a developer and project manager for Agnitum between 2005 and 2008. The LinkedIn page states he was also lead research engineer for Returnil, another security vendor, between 2008 and 2011.