  • Who’s Behind the TDSS Botnet?

    Yesterday I wrote about the public storefront where anyone can rent access to computers infected with TDSS, widely considered one of the largest and most complex botnets on the planet. Today, I’ll take a closer look at a Russian individual who appears to have close ties to the TDSS operation.

    Tuesday’s story got picked up by news-for-nerds site Slashdot, and one of the comments on the piece observed that the storefront for TDSS — awmproxy.net — has a Google Analytics code embedded in the homepage. That code, UA-3816538, is embedded in six other Web sites, including awmproxy.com (a clone of awmproxy.net), according to a lookup at ReverseInternet.com.

    Using domaintools.com, I was able to find the historical Web site registration records for awmproxy.com (the historical data for awmproxy.net is hidden). Those records show that the domain was registered on Feb. 27, 2008 to an individual in Russia who used the email address fizot@mail.ru. Another Web site with that same Google Analytics code, pornxplayer.com (hostile site), also includes that email address in its historical records. Awmproxy began offering proxies on March 16, 2008.

    WHOIS records also indicate fizot@mail.ru was used to register fizot.com, a site which is no longer active. The name given by the person who registered fizot.com was Galdziev Chingiz in St. Petersburg, Russia. That same name is on the registration records for fizot.org, but fizot.org lists a different contact email address: xtexgroup@gmail.com.
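
The pivot described above (a shared Google Analytics account code, then a shared registrant email) can be expressed as a small correlation routine. This is an added example, not code from the original post; the domains, tracking IDs, email addresses and function names are all constructed for illustration, and it generalizes slightly by recognizing several legacy tracker snippet styles.

```python
import re
from collections import defaultdict

# Legacy Google Analytics property IDs look like UA-<account>-<property>.
# The account part is shared by every site tracked under one GA account,
# so the property suffix is stripped before comparing.
GA_ID = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b", re.IGNORECASE)
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def analytics_accounts(html):
    """Return the set of GA account codes found anywhere in a page's HTML."""
    return {"UA-" + m.group(1) for m in GA_ID.finditer(html)}


def registrant_emails(whois_text):
    """Return lower-cased email addresses found in a WHOIS record."""
    return {m.group(0).lower() for m in EMAIL.finditer(whois_text)}


def correlate(pages, whois):
    """Group domains that are linked by a shared GA account or WHOIS email.

    pages: {domain: html}, whois: {domain: raw WHOIS text}.
    Returns a list of {"domains": [...], "links": [...]} clusters, where
    "links" are the indicators seen on more than one domain.
    """
    carriers = defaultdict(set)  # indicator -> domains that carry it
    for domain, html in pages.items():
        for acct in analytics_accounts(html):
            carriers["ga:" + acct].add(domain)
    for domain, record in whois.items():
        for email in registrant_emails(record):
            carriers["email:" + email].add(domain)

    parent = {}  # union-find, so links chain across indicator types

    def find(d):
        parent.setdefault(d, d)
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for domains in carriers.values():
        ordered = sorted(domains)
        for other in ordered[1:]:
            parent[find(other)] = find(ordered[0])

    clusters = defaultdict(lambda: {"domains": set(), "links": set()})
    for indicator, domains in carriers.items():
        if len(domains) > 1:  # an indicator on one domain links nothing
            root = find(next(iter(domains)))
            clusters[root]["domains"] |= domains
            clusters[root]["links"].add(indicator)
    return sorted(
        ({"domains": sorted(c["domains"]), "links": sorted(c["links"])}
         for c in clusters.values()),
        key=lambda c: c["domains"],
    )


# Constructed sample input: saved homepages and historical WHOIS records.
PAGES = {
    "shop.example": '<script>var t = _gat._getTracker("UA-1234567-1");</script>',
    "shop-clone.example": "<script>_gaq.push(['_setAccount', 'UA-1234567-4']);</script>",
    "video.example": '<script>_uacct = "UA-1234567-2"; urchinTracker();</script>',
    "unrelated.example": "<script>_gaq.push(['_setAccount', 'UA-7654321-1']);</script>",
    "personal.example": "<html><body>no tracker here</body></html>",
}
WHOIS = {  # shop.example has no record, like a domain with hidden history
    "shop-clone.example": "Registrant Email: Owner@Mail.example",
    "video.example": "e-mail: owner@mail.example",
    "personal.example": "Registrant Email: owner@mail.example",
    "unrelated.example": "Registrant Email: someone.else@mail.example",
}

if __name__ == "__main__":
    for c in correlate(PAGES, WHOIS):
        print(", ".join(c["domains"]), "<-", ", ".join(c["links"]))
```

A shared indicator shows that the same analytics account or mailbox appears in both places, not who controls it, so each link still needs corroboration from independent records.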

    Googling for the fizot@mail.ru address turns up a LiveJournal blog by a user named Fizot who provides a contact email address of xtexcounter@bk.ru. Fizot isn’t the most prolific blogger, but he has 27 journal entries on his page, and discusses everything from life in St. Petersburg to earning millions of dollars.

    In one entry, Fizot discusses having bought a sports car with a license plate number that includes the Number of the Beast: “666.” It turns out that there is a Youtube.com channel belonging to a user named Fizot who designates the domain name fizot.com as his personal Web site. Fizot has uploaded just four videos since the account was created in July 2007. Among the videos is a short movie uploaded on Oct. 5, 2007, showing a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming away from the camera in a shopping mall parking lot, before turning around and heading back to the filmmaker. A license plate cover beneath the tags indicates the car’s owner is or was a member of the Moscow Porsche Club.

    Fizot's plates

    Fizot may only be tangentially connected to those responsible for building and maintaining the TDSS botnet, but it is likely that he and some of his pals in the SPB and RU Auto clubs know the responsible parties.

    Update, 2:36 p.m. ET: Getting some additional info from helpful readers. That same Google Analytics code is present on the site domenadom.ru, which appears to be a domain name registrar. Also, that same xtexcounter@bk.ru address provided by Fizot at his LiveJournal blog was the email used to register xvpn.ru, a VPN service that advertises “full anonymity on the Net.”

    Update, 4:54 p.m. ET: It appears that Fizot has deleted nearly all of the posts on his LiveJournal account. I sort of expected he might do that. Here are cached versions of his home page and contact page at LiveJournal. He has also removed all of his Youtube videos, but I made copies of them before I put this story up. Here’s a link to the video that is screenshotted above. In the meantime, Fizot has only one blog entry now at his LiveJournal page, in which he claims to have sold the AWMproxy service long ago. But to whom? Fizot writes:

    “I have no relation to the draft awmproxy and sold it long ago. Stop writing to me and bother, please contact the author. I am not related to awmproxy project, since I have sold it out long ago. Please, stop writing to me and bothering me. You need to contact the resource owner.”

    If you liked this story, please consider reading Rent-a-Bot Networks Tied to TDSS Botnet.


    60 comments

    1. Fantastic research, Brian!!!

      Well-loved. Like or Dislike: Thumb up 42 Thumb down 0
      • Thanks, Fil0s0v!

        So, it’s pretty unlikely that Mr. Fizot sold this service like he claims. If one happens to buy a proxy from AWMproxy.com, one would get a nice follow-up email from Mr. Fizot himself.

        This was sent in response to a purchase made at AWMproxy yesterday:

        Dear ,

        Thank you for your recent purchase using the Plimus.com Online Store.

        Plimus is under contract with AwmProxy to process orders and collect payments.

        If you have any content-related or technical questions about the
        product, only the manufacturer can provide proper support, please
        contact
        Name: AwmProxy
        Email: xtexcounter@bk.ru

        If you contact the seller, please be patient and allow them 2 business
        days to respond.

        If after two business days the issue remains unresolved, Plimus will
        be happy to assist you directly. To make a customer service inquiry
        regarding this purchase please visit:
        http://www.plimus.com/jsp/escalate_issue.jsp?ref=

        We have received your order and your credit card charge has been authorized.

        Use the link below to request product support, see your order
        information online, retrieve your receipt, obtain an official invoice,
        request refund or to have your product/registration keys resent (if
        applicable), do not reply to this email as your reply will go unread:
        https://shoppers.plimus.com/jsp/order_locator_info.jsp?refId=

        We appreciate your business and look forward to serving you again in
        the future. Please find the receipt for your order at the end of this
        message.

        Best regards,

        The Plimus Team on behalf of
        AwmProxy
        xtexcounter@bk.ru

        IMPORTANT: This charge will appear on your credit card statement as
        “PLI*AWM TEAM”

        —————————————————————————-
        Payment Details:

        Order Reference Number:
        Account Number:

        Order Date:

        Product Qty Unit Price Ext. Price
        —————————————————————————-
        Awm Proxy $
        $
        —————————————————————————-
        Total: $

        Thank You,

        The Plimus Team on behalf of
        AwmProxy
        xtexcounter@bk.ru

        Well-loved. Like or Dislike: Thumb up 9 Thumb down 0
        • So this is how they accept MC and Visa…

          Here’s a list of people who among others are profiting from monetizing the TDSS botnet: http://home.plimus.com/ecommerce/company/management-team

          I just sent Plimus an email asking them to sever their ties with awmproxy and to stop being an accessory to a major online crime. I urge everyone to do the same.

          Well-loved. Like or Dislike: Thumb up 4 Thumb down 0
    2. Seriously, good work. I would be interested whether those people actually planned these things for a long time or whether they just came into making malware by small steps. I mean if I was going to write some malware I would do it completely anonymously using TOR and I would never use such an identity for anything else.

      Well-loved. Like or Dislike: Thumb up 12 Thumb down 0
    3. For reference: Galdziev Chingiz is most likely the transliteration of Чингиз Гальджиев (transliteration leaves some room for interpretation but this is a last name that actually exists). Google even lists some hits for a person with that name but those seem unrelated (this person doesn’t live in Saint Petersburg).

      Well-loved. Like or Dislike: Thumb up 8 Thumb down 0
      • I did the same search on Чингиз Гальджиев, but found no related references.

        Like or Dislike: Thumb up 2 Thumb down 0
        • There are two entries on Гальджиев Чингиз Михайлович who seems to be living in Elista (Элиста). It’s definitely not a very common last name.

          Like or Dislike: Thumb up 0 Thumb down 0
      • Brian, the whois data is most likely fake. I’ve seen two places now where fizot calls himself Олег (Oleg). While the address given definitely exists, “Lenin street” is the “default address” for any post-Soviet city. As to the postal code, St. Petersburg’s postal codes start with “19”, never with “15”. Finally, I checked two databases for St. Petersburg and they don’t have anybody with the last name Гальджиев (pretty much everybody with this last name lives in Kalmykia, not in central Russia).

        Well-loved. Like or Dislike: Thumb up 7 Thumb down 1
        • I never believed for a second that the names in the WHOIS data would be useful for anything other than seeing when the same name is used on more than one registration. In this case, the name was unusual enough that I thought it was worth a mention. As you can see, my WHOIS research was based instead on email addresses.

          Well-loved. Like or Dislike: Thumb up 6 Thumb down 0
        • PS: The phone number looks valid – the mobile operator is Beeline St. Petersburg, makes sense. However, it supposedly belongs to a number range that wasn’t assigned before December 5th, 2007 (according to http://bazanomerov.ru/). The domain has been created in September 2007 however. But maybe the phone number has been added later, I don’t know.

          Well-loved. Like or Dislike: Thumb up 4 Thumb down 0
    4. A couple of interesting facts on LJ user “fizot”:

      1. http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fradulova.livejournal.com%2F1915325.html%3Fthread%3D167104445

      Fizot started making money at the tender age of 6 by selling opposition newspapers.

      2. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fsasha-meteor.livejournal.com%2F216355.html%3Fthread%3D3823395%23t3823395

      Fizot boasts of going from earning just RUR15k/month ($500) and having no sex at all 3 years ago to earning orders of magnitude more, driving a Porsche and having Miss Asia 2008 (http://www.google.com/search?q=Eunis+Yao&tbm=isch) as his primary girlfriend. He attributes his success to attending “pickup training seminars”. :) )))

      3. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fcommunity.livejournal.com%2Fbig_money%2F852525.html

      Fizot is looking to start or purchase a car rental business.

      4. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fcommunity.livejournal.com%2Fblog_medvedev%2F32664.html%3Fthread%3D14815128

      Fizot was really approving of his president, mr. Medvedev in October 2009

      5. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fspb-09.livejournal.com%2F6548485.html

      http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fspb-09.livejournal.com%2F6507702.html

      Fizot was looking for help obtaining US and Canadian visitor’s visas in 2009. (traveling to USA is a very bad idea for mr Fizot in my opinion :)

      6. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fschaman.livejournal.com%2F89968.html%3Fthread%3D1294192%23t1294192

      A short list of what mr. Fizot likes in women :)

      Well-loved. Like or Dislike: Thumb up 17 Thumb down 1
      • Entertaining Aleksey!

        Thanks for those tidbits! Even if they are fictitious!

        Well-loved. Like or Dislike: Thumb up 5 Thumb down 0
        • Looks like mr. Fizot is not very happy about sudden burst of publicity, he deleted his Livejournal blog already :)

          Well-loved. Like or Dislike: Thumb up 9 Thumb down 0
          • http://fizot.livejournal.com/ still works just fine here…

            Like or Dislike: Thumb up 0 Thumb down 0
            • Ah.. they were disappearing one-by-one. All gone now. Heh

              Just wanna say… Hi Fizot! We’re watchin’ ya! ;-)

              Well-loved. Like or Dislike: Thumb up 8 Thumb down 0
          • Yes, the only blog entry left is this one, where he claims he doesn’t run the awmproxy service anymore, that he sold it.

            “I have no relation to the draft awmproxy and sold it long ago. Stop writing to me and bother, please contact the author. I am not related to awmproxy project, since I have sold it out long ago. Please, stop writing to me and bothering me. You need to contact the resource owner.”

            So, reasonable question is, to whom did he sell it?

            Well-loved. Like or Dislike: Thumb up 4 Thumb down 0
            • Querying for IP 178.162.188.28 on a passive DNS database, these are the records historically pointing there (some are or may be outdated, though):

              Well-loved. Like or Dislike: Thumb up 6 Thumb down 0
          • The YouTube videos have been deleted too! Maybe he realized that even a Volkswagen can do donuts on wet pavement.

            Well-loved. Like or Dislike: Thumb up 11 Thumb down 0
      • Hidden due to low comment rating. Click here to see.

        Poorly-rated. Like or Dislike: Thumb up 6 Thumb down 14
        • Aleksey, you actually should have skipped this. The story doesn’t make sense in a bunch of places, I am pretty certain that it is pure fiction (just like his “primary girlfriend”).

          Well-loved. Like or Dislike: Thumb up 9 Thumb down 0
          • Agreed, now I realize this comment was in bad taste. It may or may not be truth, but it has little relevance.

            Well-loved. Like or Dislike: Thumb up 6 Thumb down 0
    5. If Fizot had been a regular reader of your column, he might have learned from the mistake Chronopay made that allowed you to tie them to a fake AV scam via the Google analytics code, too:

      http://voices.washingtonpost.com/securityfix/2009/07/following_the_money_trail_of_r.html

      Well-loved. Like or Dislike: Thumb up 7 Thumb down 1
    6. Now the whole YouTube account has been closed.

      Like or Dislike: Thumb up 2 Thumb down 0
    7. Алексей Алексеев ?
      http://vkontakte.ru/showbiznes

      Like or Dislike: Thumb up 2 Thumb down 0
      • Whoever can track down Dmitri Sergeev AKA Cosma2k and drag him into US jurisdiction somehow or help have him extradited can claim this reward. This thread is about TDSS, a botnet different from Rustock.

        Well-loved. Like or Dislike: Thumb up 5 Thumb down 1
    8. Dude, it’s not a Porsche. More like an early 90’s Celica with a Porsche license plate frame.

      Well-loved. Like or Dislike: Thumb up 9 Thumb down 1
      • Ah.. good eye! According to a Google Image search (take note, thumb downer) it’s definitely a ~1993 – 1999 Celica with the nose badge removed. Strangely, I’m seeing two different designs for ’93s, but the ’94s – ’99s are definitely that design. I initially thought maybe the 98 on the right of the plate might be the year, but that’s apparently the city number after a little bit of Russian plate research.

        Well-loved. Like or Dislike: Thumb up 7 Thumb down 0
        • Definitely “98” means “Leningradskaya Oblast’” in this context, not year 1998

          Well-loved. Like or Dislike: Thumb up 8 Thumb down 0
      • Looks like you may be right. I’ve amended the above story with a strikethru through the Porsche comment.

        Well-loved. Like or Dislike: Thumb up 6 Thumb down 1
    9. A filthy, stupid criminal with a penchant for public bragging all over the web – not a happy combination for him, I’m afraid (not!).
      Thank you, Brian, once again you (and some noted commentators in your column) made my day. Just to see how this scum is scrambling to delete ramblings he unwisely left around reminds me of rats or cockroaches running when exposed from under an overturned rock. Priceless !!!
      Disclaimer:
      I have a personal grudge about those.
      My children’s computer had been recently infected with TDSS-4. Fortunately it was easy to remove since the computer was tweaked with read-only Registry and C: drive, it only encroached into MBR – using Kaspersky Live CD. I read on the Internet others had more trouble removing it from both locations.

      Well-loved. Like or Dislike: Thumb up 12 Thumb down 4
    10. In Russia, authorities offer license plates with certain numbers. They
      are meant for official use only, and signal to traffic police that the
      person in the car is on sensitive, official business and should not be
      stopped. Unfortunately, with corruption these plates can be bought to
      avoid traffic rules. One can also buy the blue flashing lights called migalki which allow one to cut through traffic. (more in English here -
      http://globalvoicesonline.org/2010/03/01/russia-bloggers-vs-patricians-on-the-road/). I do not know the exact code by which all are allocated, but signs that the plates are “special” often include double letters, like CC, and/or triple numbers, such as 666. I do not know how Fizot got his plate number, but he may well have bribed security officials. It’s bad enough when movie directors and business executives do it. If security forces sell special protection plates to criminals it’s doubly so.

      Well-loved. Like or Dislike: Thumb up 10 Thumb down 1
      • Belka, you touch on a complex subject. In general, Russian license plates format is xNNNxx YY(Y) where “x” are letters that are shared between Cyrillic and Latin character sets. NNN is a three digit number and YY(Y) is a region code. The region code simply specifies which geographic location the car is registered at. The key to reading the number is the alphabetical part. There are certain combinations that are assigned to various law enforcement agencies and other combinations that are simply cool to have. I used to live in Moscow in the 90s, and back then one of the coolest combinations was “ooo” (like “0666oo77”). Now the most prestigious one (from what I heard) is “AMP”. Back in the 2000s the combination “EKX” was pretty cool. Obviously these license plates are a thriving corruption market and one can pay a good price for a cool license plate. The numbers are also for sale, and in my estimation getting “666” number would cost someone between RUR 5k-10k ($170-$340) today.

        Well-loved. Like or Dislike: Thumb up 4 Thumb down 0
        • I was offered 666 for free when I registered my car in Moscow. Apparently nobody wants this number, and officials are kind enough not to issue this number forcibly. Other xxx numbers would cost about 5-10 times more than you think. People from Caucasus are especially fond of such plates.
          You’re right, xxx numbers are just fancy toys. The Real Numbers are AMP, EKX, ХКХ, САС, ССС and a few other.

          Like or Dislike: Thumb up 3 Thumb down 0
      • “Its bad enough when movie directors and business executives do it. If security forces sell special protection plates to criminals its doubly so.”

        Criminals don’t exist in isolation, so it’s not as simple as saying they are issuing special plates to criminals. Who are his parents and siblings? Maybe he’s a family member of a VIP.

        If the FSB is so busy “milking” people accused of crimes, one can only imagine how amoral the children of their agents turn out.

        Like or Dislike: Thumb up 2 Thumb down 2
        • I don’t think Oleg “Fizot” Krugov has anyone important among his relatives. He’s a lowlife, a nobody who came into certain money by engaging in online crime. His obsession with expensive cars, high-profile girls, money and other symbols of wealth is a good indicator of a low status and misery. Fizot is a typical loser.

          Well-loved. Like or Dislike: Thumb up 5 Thumb down 0
    11. If distributing malware were a capital offense, that dude would get the Darwin award ;)

      Well-loved. Like or Dislike: Thumb up 5 Thumb down 1
    12. The possible/potential repercussions from this ‘outing’ will be interesting to watch. The powers that be in Russia and the other cybercrooks who are quietly harvesting millions in theft earnings won’t be happy about this attention a ‘tall. To his ‘credit,’ this gangster had the sense to hit the delete button instead of reveling in the attention, a la Vrublevsky. He’ll still be lucky to escape with a stern ‘talking to.’ And word will probably spread that online braggadocio attracts attention and is bad for business.

      Stay tuned.

      Like or Dislike: Thumb up 3 Thumb down 3
    13. I think this is great! I can’t believe people leave such ways to link them to things all over the net… I’d think if you know you’re doing something even remotely questionable you’d be more cautious about it. I also think that all the deleting of things that he has been doing points more towards his guilt than him being innocent.

      Like or Dislike: Thumb up 5 Thumb down 2
    14. After a google search of : fizot@mail.ru , I’ve found something interesting on this website : http://www.stopforumspam.com/ipcheck/46.183.162.106

      ———————————————-
      It points like on 9th September user fizot was accessed from this IP:
      9-Sep-11 15:51 46.183.162.106 fizotik_fizot fizot@mail.ru Russian Federation Evidence
      9-Sep-11 15:42 46.183.162.106 fizotik_fizot fizot@mail.ru

      ————————————————-
      After doing a whois research on this IP I’ve found these details:

      IP address: 46.183.162.106
      IP country: Russian Federation
      IP Address state:
      IP Address city:
      IP latitude: 60.0000
      IP longitude: 100.0000
      ISP: CJSC Caravan-Telecom
      Organization: PH1340-COUNTER

      I assume he was using a local proxy accessing that account lately tunneling on metropolitan to have a good internet speed average.
      Regards, Iustin.

      Like or Dislike: Thumb up 3 Thumb down 0
      • Actually, stopforumspam.com has a number of entries for this email address, all from September 8th and 9th. Most IP addresses are from the same Caravan Telecom range, that company provides internet access to businesses in Moscow. Other IP addresses seem to belong to proxies (botnet participants?) around the world.

        I had a look at the “evidence”. Here it is:

        username: fizot
        User Email: fizot@2mail.ru
        User ICQ:173358888
        User AIM: fizot@mail.ru
        User MSN: fizot@mail.ru
        User Yahoo: cikifriki
        Website:
        Location: Romania
        Occupation: Banking, mortgage
        Interests: Religion, spiritual
        User Signature: xtexcounter@bk.ru

        I guess that he is spamming forums with his data to make searching for his email addresses harder. Interestingly, if you search for that Yahoo nick you will find tons of forum spam (the forum profiles I looked at were created in July).

        Well-loved. Like or Dislike: Thumb up 4 Thumb down 0
    15. fizot seems to have started as a PHP developer. His learning experience:

      http://forum.codenet.ru/members/5765-olegking
      http://forum.vingrad.ru/forum/topic-20016/anchor-entry136162/0.html
      http://phpclub.ru/talk/threads/.20491/

      And here he is advertising his services:

      http://xoops2.ru/modules/newbb/viewtopic.php?post_id=16253#forumpost16253
      http://forum.searchengines.ru/showthread.php?t=143208
      http://forum.searchengines.ru/showthread.php?t=189219
      http://phpclub.ru/talk/threads/php–1200.46207/

      Note his ICQ number, that’s how I found the phpclub.ru post (which has been deleted two days ago but is still visible in Google cache – he didn’t bother deleting everything else he posted under the name “melkiy” however). So he previously owned phpnow.ru and php-job.org domains (the former is confirmed by http://www.1stat.ru/?domain=phpnow.ru).

      Here he is looking for a C programmer: http://www.jobinpiter.com/vacancy/30712/ (same ICQ number). Note that he gives the name Oleg but email address is avzibrov@yandex.ru (Александр Зибров). Here is his profile: http://azibrov.moikrug.ru/, apparently he works for svyaznoy.ru in Moscow.

      Here is a forum topic about awmproxy: http://www.umaxforum.com/showthread.php?t=26364. Another forum participant claims that fizot is simply reselling proxy lists he bought from him (deleted again, use Google cache). That forum participant also lists the various nicks used by fizot.

      Well-loved. Like or Dislike: Thumb up 5 Thumb down 0
    16. Came late to the show….missed the beer and popcorn but the film is still the best of the best! I love how these fugtards blow themselves out of the water, have seen it myself many times before but in Romania with hi5! Brian I bet he is extremely media-whorish go visit him with Charles:-)
      what a delight to see this happen in real time and thanks to AKL and Aleksey and all the other pokers: this was a good movie!!

      Well-loved. Like or Dislike: Thumb up 5 Thumb down 0
    17. Do we know who is utilizing the awmproxy service or what, exactly, it is being used for? I imagine anyone with an inclination to perform illicit activity is simply going to use Tor, their own list of hijacked systems, public proxies, etc. I guess I’m interested in who would actually pay, a fairly substantial amount of money, to utilize this service?

      Like or Dislike: Thumb up 1 Thumb down 0
      • The majority of hacked machines belonging to this botnet will be utilizing residential ISPs and the IP addresses will mostly be undetected as proxy/anonymity networks. Therefore renting access to tens of thousands of residential undetected IP addresses would be a fraudster’s wet dream due to the ability to trick anti-fraud systems into thinking the order is coming from a legitimate internet connection. For example if you are a carder from Russia, a website will unlikely accept an order from a Russian IP address with a USA credit-card, and unlikely to accept an order coming from an anonymity network, but would likely accept the order if it was coming from a legitimate looking residential US IP address.

        Like or Dislike: Thumb up 3 Thumb down 0