October 30, 2010

The man arrested in Armenia last week for allegedly operating the massive “Bredolab” botnet — a network of some 30 million hacked Microsoft Windows PCs that were rented out to cyber crooks — appears to have generated much of his clientele as an affiliate of Spamit.com, the global spamming operation whose members are blamed for sending a majority of the world’s pharmaceutical spam.

Armenian authorities arrested 27-year-old Georg Avanesov on suspicion of being the curator of Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers used to direct the botnet’s activities. In tandem with the arrest and the unplugging of those servers, Dutch service providers began redirecting local Internet users to a disinfection and cleanup page if their PCs showed signs of Bredolab infections.

Investigators allege that Avanesov made up to US$139,000 each month renting the botnet to criminals who used it for sending spam and for installing password-stealing malicious software. Avanesov, who is thought to have made millions over a career spanning more than a decade, was arrested after hopping a flight from Moscow to his home in Yerevan, Armenia’s capital.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said Avanesov frequently used the hacker aliases “padonaque” and “Atata,” and for many years used the e-mail address “i.am@padonaque.info.” The domain padonaque.info has long been associated with a variety of malicious software families, and the malware that once called home to it reflects the varied clientele that investigators say Avanesov attracted over the years.

Atata’s ICQ Avatar

According to information obtained by KrebsOnSecurity, that e-mail address and Atata nickname were used to register at least two affiliate accounts at spamit.com. With online pharmacy sales generating him less than $2,000 each month over the last several years, Atata wasn’t pulling in anywhere near as much as the top earners in the program, some of whom earned six figures monthly promoting counterfeit pills via spam. But Takkenberg and others say it is likely that Atata used Spamit as a place to sign up new customers who were interesting in renting his Bredolab botnet to promote their pharmacy sites.

“The main thing he did was build this botnet — mainly using a lot of hacked Web sites,” Takkenberg said. “Then he sold parts of that botnet to other clients of his, who could upload their own malware loaders, FTP [password] grabbers, whatever they wanted.”

For example, one multi-part Bredolab binary released in December 2009 that was poorly detected by most of the major anti-virus firms contained a malicious component bearing his nickname (“atata.exe”), in addition to malicious payload files that employed the nicknames of fellow spamit.com affiliates, including “Birdie” and “Corago”.

Evidence of the connection between Bredolab and Spamit.com members surfaced as Russian investigators announced they had filed criminal charges against Igor Gusev, a man some have long suspected of masterminding Glavmed.com, the world’s largest affiliate program for promoting online pharmacies. As KrebsOnSecurity.com first noted several weeks ago, Spamit.com — which spam experts say was an integral sub-group of Glavmed — closed its doors at the end of September, causing a large but temporary decline in the amount of junk e-mail sent worldwide.

For his part, Gusev has denied any affiliation with spamming, and told The Moscow News and another Russian daily that the man responsible for bringing false charges against him was none other than his arch nemesis Pavel Vrublevsky, the founder of Russian payment processing firm Chronopay and someone I have written about at length on this blog and while at The Washington Post. In a blog purportedly written by Gusev himself, the alleged Glavmed/Spamit chief says he and Vrublevsky used to be business partners when Chronopay was in its infancy.

Asked for comment, Vrublevsky said, “I can not comment on anything Gusev is saying as I think he has to respond to his own accusations first.”


38 thoughts on “Bredolab Mastermind Was Key Spamit.com Affiliate

  1. Martijn Grooten

    Nitpicking, sorry, but I’m pretty sure the guy’s surname is Takkenberg.

  2. JS

    I hope that the statutes used to prosecute will be followed up upon.

    It would be telling if the stronger part of the case was tax evasion, money laundering, etc but _then_ tacking on privacy invasion, computer trespass, theft of computer resources(Energy,CPU time, Disk, Bandwidth), possibly even anti-crypto violations.

    It seems cart & horse if the industry ever wants to gain its reputation back.

    Anyhow
    1) There no honour among thieves
    2) How does the Netherlands leverage Armenia to do any thing? What geopolitical leverage do the Dutch have anymore? — Just sounds like somebody didn’t make tribute / bribes to their local kleptocracy…

    3) LeaseWeb.com seems to be the major participating ISP being reported by EU press
    http://www.thetechherald.com/article.php/201043/6339/Bredolab-smashed-by-Dutch-while-Damballa-report-shames-ISPs

    4) This is the Police re-Direction to infected hosts https://www.waarschuwingsdienst.nl/Risicos/Virussen+en+malware/Ontmanteling+Bredolab.html

    I hate to say if this was redirect was done in US or UK perhaps even Germany it probably would not go over as well.

  3. Alex

    This word “padonaque” very similar to the word “padonak” i.e. distorted word “bastard”. It’s a movement of Russian youth of 90-ies. Descendants of padonak inhabit in udaff.com.

  4. KFritz

    Ukraine. Armenia. If the criminals arrested in these are prosecuted, imprisoned, and subject to forfeiture, the number of safe-haven nations for the malware enterprise is shrinking. This is a good thing!!

    1. Pete

      Don’t forget that some countries jails are less “hilton like” than those in more westerly countries too. 🙂

  5. omfgwallhax

    It should be noted that Bredolab was, as the readers here may call it, a crimeware kit, thus being sold to everyone with enough money (http://forum.antichat.ru/showthread.php?t=73725).
    As you may notice the nickname of the author was “stratum0”. So my point is that the coder of Bredolab/Bmanager is still living free. (Ok to be fair it should be said that he stopped selling it).

    This being said I enjoy reading this blog.

    1. Alex

      Yes, this blog is interesting, but it is a superficial and shallow. However, there are a lot of facts and it’s good for me.

  6. Me

    Brian, you’ve gone pretty soft on Vrublevsky since he threatened you with that lawsuit. What gives?

    As much as you both talk you had to know it was coming, or has he just finally bought you off? Even now other than just brief mention you’ve left him out completely. You and I both know there’s a lot more to this, why the silence?

    1. BrianKrebs Post author

      That’s funny. “You and I both know?” I don’t know who you are at all. How do I know what you know? Last time I checked, no American journalist had written more about or dug further into Mr. Vrublevsky than I. He got the exact right amount of attention in the context of this story. And no, I have never taken anything from him.

      There’s a lot more to this story, to put it mildly. Will I put it all in a single blog post? Of course not. Will I do it on anyone else’s timetable? Nope. Patience, grasshopper.

      If you have information you’d like to share, by all means please drop me a line privately. Otherwise, I suggest you refrain from personal attacks on this blog (particularly against the author).

        1. Alex

          What a violent reaction to the simple and naive question. The unknown is always scary? Maybe just talk?

          1. TheGeezer

            @Alex
            I wouldn’t take the reaction too seriously Alex. Unlike Europe where most people are exposed to multiple languages on radio and television from an early age, most people in the US, until recently, never hear foreign languages except in more cosmopolitan areas. And an even larger number have never had to learn to communicate in a second language.

            Having lived for a time in countries where I had to communicate in a second language I can sympathize with the difficulties of always finding just the right word to get across an idea. In fact a former US president, John Kennedy, even with all the resources at his disposal, made a linguistic gaff in a major speech in Berlin when he said “Ich bin ein Berliner”.

            I think the negative reaction you got may still be due in large part to a previous comment you made where you chose the words “superficial” and “shallow”. I don’t think those words expressed what you intended. And I wouldn’t be surprised if many thought in your last comment that you were being critical of Brian when you asked if he spoke russian, rather than as you say,
            you were simply asking a question.

            And thank you for the insight on the name “padonaque”. I found that very interesting.

          2. Alex

            2TheGeezer

            Yes, i feel that i got not in myself plate, as russians said. Okay, get used to it. Diary of Brian seemed to me superficial, because without knowledge of russian language, and more russian underground slang, it is very difficult to examine in depth a russian theme. It’s not his fault, it’s just the language barrier, the same for everyone.

            Well, about americans, as far as i know, they still think that the first and second world wars the U.S. won.

            That’s right, it was just a question.

            About padonki – it was just a guess. Besides George, he just rented Bredolab, i understand.

            i’m bots coder too, but i had no 30-40 million bots, much less. This is just a small business.
            Glad to help you.

        2. BrianKrebs Post author

          I can get by with reading on the forums. If I need a proper translation of something to publish, I turn to experts. My spoken/audio comprehension is nowhere near as good, but then again I mainly wanted to learn Russian to be able to scan postings and get a basic understanding of what is being said.

          1. Alex

            This is not enough. How could translate your experts such words?
            ========
            щасте, песта, ак, ип, венда, мыскль, лодер, кидалово, развести лоха and so on
            ========
            By the way, не бзди and бздя a very distant concepts, the first word means do not be afraid, and the second – FreeBSD. It’s russian slang, which we are all talking every day.
            Hackers have a special language, ordinary translators will not help. The interpreter must itself be in the theme.
            By the way, sorry for my bad english, he-he.
            Brian, delete the address of my site on this page, pls. Thx.

      1. Actual Nitpicker

        Couldn’t resist. “You and I both know X” does not imply “You and I both know [each other, anything about each other, whether one or both mothers wear(s) army boots].” It states that “I” believes “you” knows… X.

        1. Arubian

          That’s a direct transaltion from Russain. Author is Igor Gusev aka Desp. There were some rumors – they say all previous articles about Pavel Vrublevsky (aka redeye) were inspired by Igor “Desp” Gusev – by his wallet, to be exact 🙂

    2. AlphaCentauri

      Spammers don’t seem to do anything for any reason besides money. They sure don’t seem to comprehend the fact that most other people don’t think that way.

  7. JBV

    @ Alex: Maybe you could post the URL links to Russian language blogs that cover this topic. Some of us know Russian and Russian slang – we’d like to see more in “depth.”

    1. Alex

      2JBV
      мальчега нашол урлы подносить?
      гугли сам.
      эксперт штоле?

  8. Hunchback

    The Dutch law enforcement agencies, in collaboration with GOVCERT and Fox IT, have done good work. No doubt about it. But some of their claims do not stand up to scrutiny. Did Bredolab really infect 30 million machines? Very unlikely. Brian, I understand that you are interested in a different part of this case, i.e., the criminals. But it is also good to be critical of what is being presented as fact.

    See here for a critical appraisal of the claims by Dutch LEA:
    http://blog.internetgovernance.org/blog/_archives/2010/11/1/4669564.html

    1. AlphaCentauri

      I suspect someone came up with a figure for how many computers were infected per month and how many months it went on and did the math. That doesn’t mean they were all infected at the same time. It doesn’t consider how many computers were disinfected, how many people downloaded a trojan that was detected by their AV program before installation, how many people visited the spammed URL to get a copy of the malware to analyze it, how many infections were in honey pot machines in labs, or how many of the infections were the same people getting infected over and over because they didn’t figure out they’d gotten infected with anything the first time they were lured into following a URL.

      1. Michel van Eeten

        AlphaCentauri, you are correct. In fact, my blogpost points out they did indeed “count infections” for one month and then extrapolated that. The question is: how do you count the number infections? The most likely answer is: they counted the number of unique IP addresses connecting to the command and control server. That is a very problematic way to estimate the size of a botnet. In fact, it has been proven to overestimate the size by one order of magnitude — i.e., not 30 million infections, but 3 million. Guess what: the latter figure is very close to the Microsoft data on Bredolab. See the blogpost for more details.

        (Hunchback: thanks for the link!)

        1. Alex

          You guys are all glide across the surface. To understand the logic of hacker need to become a hacker.

        2. TheGeezer

          I think it should also be noted that among the millions of infected computers only a small fraction are useful to the botnet. The infected computer must be available 24/7, fast, and reliable for the botnet to get in, send back the payload and exit undetected.

          During any botnet email campaign, regardless of the number of domains used, the hosts referenced by the fast-flux servers will be limited to several hundred. And of those, there are definitely favorites. Some of the infected sites will be the “active” host on the fast-flux server 20+ times more often than the least referenced site.

          1. AlphaCentauri

            Actually, I got to see one of these in action when one of my kids downloaded something. (She had friends over who convinced her to violate house rules and use Internet Explorer, because Firefox wouldn’t display the funny video they wanted to show her.)

            At the time we had Norton AV but no outgoing firewall. Norton displayed a little envelope icon in the tray each time any email was sent, to signify it was scanning it for malware. The infection was noticed only because once an hour, twelve little envelope icons would appear as email was sent, then the process went back into dormancy. After installing a firewall, we were able to identify the process attempting to send the emails so we could manually disable it. We were never notified that anyone had complained of receiving spam from our IP address.

            For mailing spam, it’s better to have a large number of bots sending a small volume of email each, so no one of them is reported enough times to get blocklisted.

            As far as hosting the spamvertised websites, while it’s better to have a high capacity server, Spamit didn’t always go that route. They have used fast flux botnets in the past that comprised thousands of individual computers. Each computer would only have borne 1/12 of their website traffic, and only for 5 minutes at a time. And they have documented ties to Storm Worm/Waledac, which used a zero-second refresh, so each computer only got traffic for about 1/3 of a second before another shouldered the load. Most of those were definitely small users on dynamic IP ranges. I suspect they only stopped doing it because it was so easy to get their domains shut down by submitting a table of IP addresses and timestamps — the registrars couldn’t dismiss complaints by making the argument that we should complain to the hosting service.

          2. TheGeezer

            I should clarify what I meant by the “hosts referencing the fast-flux servers” in the email campaign. I was referring only to the host referenced in the spam email, the host that contains the fake bank or IRS page, collects the info, credit card number, ssn etc., not the ones sending the spam.

            Early this year, monitoring 52 domains used in a ZeuS-Avalanche campaign, lasting from march 26 thru april 1, there were only 310 active hosts and the most referenced site, on one of the large US cable networks, was the active site 60 times more often than the least referenced site. Current campaigns show a similar pattern. It could actually be a good marketing campaign for the cable company! When criminal botnets need speed and reliability they choose xxx cable!

  9. conner

    There’s nothing worse than a PARASITE. Steal steal steal is
    all you leeches are competent at.
    Brian, you should just totally ignore these worms. We know
    and support that approach. Life is too short to have to give
    these smegma-breaths any of your precious time. Sincerely,
    RainbowRoof

  10. Gary

    Per the blog you ref’d the author reports that he offered to bury the hatchet on Monday and on Tuesday he and Vrublevsky talked for about an hour and a half and are moving toward that, albeit slowly

  11. TheGeezer

    Any idea when the Netherlands’ High Tech Crime Unit is going to address the botnets/fake web sites registered with ccTLD “tk” (managed by dot.tk in Netherlands) ?

    Not a day goes by without some scam using the ccTLD “tk”. In the last 8 hours there were at least 6 confirmed reports of tk domains faking the Habbo website (a social networking website aimed at teenagers).

    In addition, tk registered domains were used twice this month to provide an extra level of obfuscation for the ZeuS/SpyEye botnet. The tk domains used a fast-flux server to reference the NauNet registered domains for the ZeuS/SpyEye botnet fast=flux servers.

    BTW, the dot.tk abuse address never responds.

  12. MarshalBananas

    and please, send all the “russian slang” you’d like my way. i enjoy collecting it.

Comments are closed.