Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.
According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.
Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.
As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.
Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “firstname.lastname@example.org.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.
According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta based security firm, which found them to be samples of the Mega-D malware.
Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]
But U.S. investigators missed at least two chances to apprehend Nikolaenko: The grand jury said a review of U.S. State Department records indicate that Nikolaenko entered the United States in Los Angeles on July 17, 2009, and left the country ten days later. He returned to the U.S. on Oct. 29, 2009, entering from New York and visiting Las Vegas before exiting the country on Nov. 9 from Los Angeles.
Investigators say Nikolaenko was supposed to leave Los Angeles on Nov. 11, but cut his trip short by two days. They concluded that the 23-year-old left early because he wanted to get home to repair damage that security experts had inflicted on his botnet. On Nov. 4, 2009, researchers from Milpitas, Calif. based FireEye executed a “stun” attack on Mega-D by seizing control over the botnet’s control networks.
“Based on the timing of the Fireeye attack on the Mega-D botnet, I believe that Nikolaenko left the U.S. early to repair damage caused by Fireeye,” wrote Special Agent Brett E. Banner, in the government’s complaint against Nikolaenko.
After the FireEye takedown, spam from Mega-D all but disappeared. But in the days following his return to Moscow, the botnet recovered gradually, and by Nov. 22, spam from Mega-D was back to pre-takedown activity levels. By Dec. 13, Mega-D was responsible for sending nearly 17 percent of spam worldwide, according to security vendor M86 Security.
Joe Stewart, a senior security researcher at SecureWorks, said that at the beginning of Nov. 2009, there were at least 120,000 computers infected with Mega-D that were relaying spam, but Stewart said he hasn’t seen any signs of activity from Mega-D over the past several months.
While Mega-D may be dead, information obtained by KrebsOnSecurity.com suggests that Nikolaenko has nonetheless continued spamming, and that, until at least June 2010, he was a top-earning affiliate for Spamit.com. Prior to its closure at the end of Sept. 2010 — Spamit was the world’s most active affiliate program for promoting knockoff prescription drugs.
A Spamit affiliate using the same “email@example.com” address made nearly $81,000 in the first five months of 2010 promoting online pharmacies for Spamit. The earnings were deposited into the same “Genbucks_dcent” ePassporte account named in the criminal complaint against Nikolaenko. It’s not clear whether Nikolaenko was able to enjoy all of those earnings: ePassporte also went belly-up in September, leaving thousands of customers without access to millions of dollars in funds.
A copy of the full complaint against Nikolaenko is available here (PDF).
Update, Dec. 2, 5:40 p.m. ET: The Milwaukee-Wisconsin Journal Sentinel reports that Nikolaenko was arrested after entering the United States to attend a car show in Las Vegas. He is is scheduled to make his initial court appearance in Milwaukee on Friday.