Sep 7, 2011

Who’s Behind the TDSS Botnet?


Yesterday I wrote about the public storefront where anyone can rent access to computers infected with TDSS, widely considered one of the largest and most complex botnets on the planet. Today, I’ll take a closer look at a Russian individual who appears to have close ties to the TDSS operation.

Tuesday’s story got picked up by news-for-nerds site Slashdot, and one of the comments on the piece observed that the storefront for TDSS — awmproxy.net — has a Google Analytics code embedded in the homepage. That code, UA-3816538, is embedded in six other Web sites, including awmproxy.com (a clone of awmproxy.net), according to a lookup at ReverseInternet.com.

Using domaintools.com, I was able to find the historical Web site registration records for awmproxy.com (the historical data for awmproxy.net is hidden). Those records show that the domain was registered on Feb. 27, 2008 to an individual in Russia who used the email address fizot@mail.ru. Another Web site with that same Google Analytics code, pornxplayer.com (hostile site), also includes that email address in its historical records. Awmproxy began offering proxies on March 16, 2008.

WHOIS records also indicate fizot@mail.ru was used to register fizot.com, a site which is no longer active. The name given by the person who registered fizot.com was Galdziev Chingiz in St. Petersburg, Russia. That same name is on the registration records for fizot.org, but fizot.org lists a different contact email address: xtexgroup@gmail.com.
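The two pivots used so far, a shared Google Analytics account number and a shared WHOIS registrant e-mail, are the same link-analysis step applied to different indicators. The script below, an added example and not part of the original story, does that step mechanically: it pulls tracker IDs out of page HTML, joins them with historical WHOIS observations, and walks outward from a seed domain. Every page and WHOIS record in it is constructed for the example, not the result of a real lookup; the domain and e-mail strings merely mirror the ones named above. Two details a practitioner will want: the trailing "-N" on a UA- ID is the property index inside one account, so matching is done on the account number; and registrant names are treated as weak links that are off by default, since (as a commenter notes below) the WHOIS name here is probably fake while the e-mail and tracker ID are what actually tie the sites together.

```python
"""Indicator pivot: shared GA account numbers and WHOIS e-mails link domains.

All PAGES and WHOIS data below are constructed for this example; they are
not live fetches or registrar lookups.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque

# Matches legacy ga.js, analytics.js and gtag.js tracker IDs alike. The
# "-N" suffix is the property index within an account and is dropped so
# that two properties of one account still pivot to each other.
GA_ID = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,3})?\b")


def extract_ga_accounts(html: str) -> set[str]:
    """Return the GA account numbers (UA-NNNNNNN, suffix dropped) in a page."""
    return {"UA-" + m.group(1) for m in GA_ID.finditer(html)}


# Constructed sample pages (hypothetical HTML, not fetched from anywhere).
PAGES = {
    "awmproxy.net": "<script>var _gaq=[['_setAccount','UA-3816538-1']];</script>",
    "awmproxy.com": "<script>ga('create','UA-3816538-2','auto');</script>",
    "unrelated.example": "<script>gtag('config','UA-1111111-1');</script>",
    "fizot.com": "<html><body>no tracker here</body></html>",
}

# Constructed historical WHOIS observations as (domain, field, value).
WHOIS = [
    ("awmproxy.com", "email", "fizot@mail.ru"),
    ("pornxplayer.com", "email", "fizot@mail.ru"),
    ("fizot.com", "email", "fizot@mail.ru"),
    ("fizot.com", "name", "Galdziev Chingiz"),
    ("fizot.org", "name", "Galdziev Chingiz"),
    ("fizot.org", "email", "xtexgroup@gmail.com"),
    ("unrelated.example", "email", "admin@unrelated.example"),
]

# Link kinds trusted by default. Registrant names are easy to fake and are
# only followed when the caller opts in.
STRONG_LINKS = {"ga", "email"}


def build_graph(pages: dict[str, str], whois: list[tuple[str, str, str]]):
    """Undirected graph whose nodes are (kind, value) tuples; edges carry a kind."""
    graph: dict[tuple[str, str], set] = defaultdict(set)

    def link(a, b, kind):
        graph[a].add((b, kind))
        graph[b].add((a, kind))

    for domain, html in pages.items():
        for account in extract_ga_accounts(html):
            link(("domain", domain), ("ga", account), "ga")
    for domain, field, value in whois:
        link(("domain", domain), (field, value), field)
    return graph


def pivot(graph, seed: str, strong_only: bool = True, max_hops: int = 6):
    """BFS from a seed domain; returns {node: path-from-seed} for reachable nodes.

    Each domain-to-domain pivot costs two hops (domain -> indicator -> domain),
    so max_hops=6 allows three pivots, enough to keep the walk from wandering
    into unrelated shared-hosting noise.
    """
    start = ("domain", seed)
    paths = {start: [start]}
    queue = deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for neighbour, kind in graph[node]:
            if strong_only and kind not in STRONG_LINKS:
                continue
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [neighbour]
                queue.append((neighbour, hops + 1))
    return paths


def linked_domains(seed: str, strong_only: bool = True) -> list[str]:
    """Domains reachable from the seed through shared indicators, sorted."""
    paths = pivot(build_graph(PAGES, WHOIS), seed, strong_only)
    return sorted(name for kind, name in paths if kind == "domain" and name != seed)


if __name__ == "__main__":
    paths = pivot(build_graph(PAGES, WHOIS), "awmproxy.net", strong_only=False)
    for node, path in paths.items():
        if node[0] == "domain":
            print(node[1], "<-", " <- ".join(f"{k}:{v}" for k, v in reversed(path)))
```

Run stand-alone it prints each linked domain with the chain of indicators that reached it, which is the form the evidence should be kept in: the chain, not just the conclusion, is what lets a reader judge whether a link is a tracker ID, a registrant e-mail, or merely a name.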

Googling for the fizot@mail.ru address turns up a LiveJournal blog by a user named Fizot who provides a contact email address of xtexcounter@bk.ru. Fizot isn’t the most prolific blogger, but he has 27 journal entries on his page, and discusses everything from life in St. Petersburg to earning millions of dollars.

In one entry, Fizot discusses having bought a sports car with a license plate number that includes the Number of the Beast: “666.” It turns out that there is a Youtube.com channel belonging to a user named Fizot who designates the domain name fizot.com as his personal Web site. Fizot has uploaded just four videos since the account was created in July 2007. Among the videos is a short movie uploaded on Oct. 5, 2007, showing a Porsche [struck in an update: readers point out in the comments that the car appears to be a Toyota Celica wearing a Porsche club plate frame] with the license plate H666XK [Н666ХК in Cyrillic] zooming away from the camera in a shopping mall parking lot, before turning around and heading back to the filmmaker. A license plate cover beneath the tags indicates the car’s owner is or was a member of the Moscow Porsche Club.

Fizot’s plates

Fizot may only be tangentially connected to those responsible for building and maintaining the TDSS botnet, but it is likely that he and some of his pals in the SPB and RU Auto clubs know the responsible parties.

Update, 2:36 p.m. ET: Getting some additional info from helpful readers. That same Google Analytics code is present on the site domenadom.ru, which appears to be a domain name registrar. Also, that same xtexcounter@bk.ru address provided by Fizot at his LiveJournal blog was the email used to register xvpn.ru, a VPN service that advertises “full anonymity on the Net.”

Update, 4:54 p.m. ET: It appears that Fizot has deleted nearly all of the posts on his LiveJournal account. I sort of expected he might do that. Here are cached versions of his home page and contact page at LiveJournal. He has also removed all of his Youtube videos, but I made copies of them before I put this story up. Here’s a link to the video that is screenshotted above. In the meantime, Fizot has only one blog entry now at his LiveJournal page, in which he claims to have sold the AWMproxy service long ago. But to whom? Fizot writes:

“I have no relation to the draft awmproxy and sold it long ago. Stop writing to me and bother, please contact the author. I am not related to awmproxy project, since I have sold it out long ago. Please, stop writing to me and bothering me. You need to contact the resource owner.”

If you liked this story, please consider reading Rent-a-Bot Networks Tied to TDSS Botnet.


60 comments

  1. Fantastic research, Brian!!!

    • Thanks, Fil0s0v!

      So, it’s pretty unlikely that Mr. Fizot sold this service like he claims. If one happens to buy a proxy from AWMproxy.com, one would get a nice follow-up email from Mr. Fizot himself.

      This was sent in response to a purchase made at AWMproxy yesterday:

      Dear ,

      Thank you for your recent purchase using the Plimus.com Online Store.

      Plimus is under contract with AwmProxy to process orders and collect payments.

      If you have any content-related or technical questions about the
      product, only the manufacturer can provide proper support, please
      contact
      Name: AwmProxy
      Email: xtexcounter@bk.ru

      If you contact the seller, please be patient and allow them 2 business
      days to respond.

      If after two business days the issue remains unresolved, Plimus will
      be happy to assist you directly. To make a customer service inquiry
      regarding this purchase please visit:
      http://www.plimus.com/jsp/escalate_issue.jsp?ref=

      We have received your order and your credit card charge has been authorized.

      Use the link below to request product support, see your order
      information online, retrieve your receipt, obtain an official invoice,
      request refund or to have your product/registration keys resent (if
      applicable), do not reply to this email as your reply will go unread:
      https://shoppers.plimus.com/jsp/order_locator_info.jsp?refId=

      We appreciate your business and look forward to serving you again in
      the future. Please find the receipt for your order at the end of this
      message.

      Best regards,

      The Plimus Team on behalf of
      AwmProxy
      xtexcounter@bk.ru

      IMPORTANT: This charge will appear on your credit card statement as
      “PLI*AWM TEAM”

      —————————————————————————-
      Payment Details:

      Order Reference Number:
      Account Number:

      Order Date:

      Product Qty Unit Price Ext. Price
      —————————————————————————-
      Awm Proxy $
      $
      —————————————————————————-
      Total: $

      Thank You,

      The Plimus Team on behalf of
      AwmProxy
      xtexcounter@bk.ru

  2. Seriously, good work. I would be interested whether those people actually planned these things for a long time or whether they just came into making malware by small steps. I mean, if I were going to write some malware I would do it completely anonymously using Tor and I would never have used such an identity for anything else.

  3. For reference: Galdziev Chingiz is most likely the transliteration of Чингиз Гальджиев (transliteration leaves some room for interpretation but this is a last name that actually exists). Google even lists some hits for a person with that name but those seem unrelated (this person doesn’t live in Saint Petersburg).

    • I did the same search on Чингиз Гальджиев, but found no related references.

      • There are two entries on Гальджиев Чингиз Михайлович who seems to be living in Elista (Элиста). It’s definitely not a very common last name.

    • Brian, the whois data is most likely fake. I’ve seen two places now where fizot calls himself Олег (Oleg). While the address given definitely exists, “Lenin street” is the “default address” for any post-Soviet city. As to the postal code, St. Petersburg’s postal codes start with “19″, never with “15″. Finally, I checked two databases for St. Petersburg and they don’t have anybody with the last name Гальджиев (pretty much everybody with this last name lives in Kalmykia, not in central Russia).

      • I never believed for a second that the names in the WHOIS data would be useful for anything other than seeing when the same name is used on more than one registration. In this case, the name was unusual enough that I thought it was worth a mention. As you can see, my WHOIS research was based instead on email addresses.

      • PS: The phone number looks valid – the mobile operator is Beeline St. Petersburg, makes sense. However, it supposedly belongs to a number range that wasn’t assigned before December 5th, 2007 (according to http://bazanomerov.ru/). The domain has been created in September 2007 however. But maybe the phone number has been added later, I don’t know.

  4. A couple of interesting facts on LJ user “fizot”:

    1. http://translate.google.com/translate?sl=ru&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fradulova.livejournal.com%2F1915325.html%3Fthread%3D167104445

    Fizot started making money at the tender age of 6 by selling opposition newspapers.

    2. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fsasha-meteor.livejournal.com%2F216355.html%3Fthread%3D3823395%23t3823395

    Fizot boasts of going from earning just RUR15k/month ($500) and having no sex at all 3 years ago to earning orders of magnitude more, driving a Porsche and having Miss Asia 2008 (http://www.google.com/search?q=Eunis+Yao&tbm=isch) as his primary girlfriend. He attributes his success to attending “pickup training seminars”. :))))

    3. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fcommunity.livejournal.com%2Fbig_money%2F852525.html

    Fizot is looking to start or purchase a car rental business.

    4. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fcommunity.livejournal.com%2Fblog_medvedev%2F32664.html%3Fthread%3D14815128

    Fizot was really approving of his president, mr. Medvedev in October 2009

    5. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fspb-09.livejournal.com%2F6548485.html

    http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fspb-09.livejournal.com%2F6507702.html

    Fizot was looking for help obtaining US and Canadian visitor’s visas in 2009. (traveling to USA is a very bad idea for mr Fizot in my opinion :)

    6. http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fschaman.livejournal.com%2F89968.html%3Fthread%3D1294192%23t1294192

    A short list of what mr. Fizot likes in women :)

    • Entertaining Aleksey!

      Thanks for those tidbits! Even if they are fictitious!

      • Looks like Mr. Fizot is not very happy about the sudden burst of publicity; he has deleted his LiveJournal blog already :)

        • http://fizot.livejournal.com/ still works just fine here…

          • Ah.. they were disappearing one-by-one. All gone now. Heh

            Just wanna say… Hi Fizot! We’re watchin’ ya! ;-)

        • Yes, the only blog entry left is this one, where he claims he doesn’t run the awmproxy service anymore, that he sold it.

          “I have no relation to the draft awmproxy and sold it long ago. Stop writing to me and bother, please contact the author. I am not related to awmproxy project, since I have sold it out long ago. Please, stop writing to me and bothering me. You need to contact the resource owner.”

          So, reasonable question is, to whom did he sell it?

          • Querying for IP 178.162.188.28 on a passive DNS database, these are the records historically pointing there (some are or may be outdated, though):

            dnevnik.cc. IN A 178.162.188.28
            xvpn.ru. IN A 178.162.188.28
            xsave.ru. IN A 178.162.188.28
            anyget.ru. IN A 178.162.188.28
            ns1.vobhod.ru. IN A 178.162.188.28
            ns2.vobhod.ru. IN A 178.162.188.28
            ns1.nezaiti.ru. IN A 178.162.188.28
            nezayti.ru. IN A 178.162.188.28
            ns0.nezayti.ru. IN A 178.162.188.28
            ns1.nezayti.ru. IN A 178.162.188.28
            ns2.nezayti.ru. IN A 178.162.188.28
            mail.nezayti.ru. IN A 178.162.188.28
            friend.nezayti.ru. IN A 178.162.188.28
            ns1.awmproxy.ru. IN A 178.162.188.28
            ns2.awmproxy.ru. IN A 178.162.188.28
            proproxy.ru. IN A 178.162.188.28
            hitmovies.ru. IN A 178.162.188.28
            appfriends.ru. IN A 178.162.188.28
            naraboteya.ru. IN A 178.162.188.28
            www.naraboteya.ru. IN A 178.162.188.28
            server-12.ruporno.tv. IN A 178.162.188.28
            awmproxy.com. IN A 178.162.188.28
            en.awmproxy.com. IN A 178.162.188.28
            ns1.awmproxy.com. IN A 178.162.188.28
            ns2.awmproxy.com. IN A 178.162.188.28
            seo.awmproxy.com. IN A 178.162.188.28
            www.awmproxy.com. IN A 178.162.188.28
            zzyoutube.com. IN A 178.162.188.28
            pornxplayer.com. IN A 178.162.188.28
            www.pornxplayer.com. IN A 178.162.188.28
            awmproxy.net. IN A 178.162.188.28
            checkerproxy.net. IN A 178.162.188.28
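A passive-DNS dump like the one in the comment above is most useful once it is collapsed to registrable domains and the hosts that are merely nameservers or www aliases are set apart. The parser below is an added example, not code from the commenter or from any passive-DNS vendor; its input is a constructed excerpt in the same one-record-per-line format, and its public-suffix handling is a deliberately tiny stand-in (a hypothetical two-entry set) for the real Public Suffix List. The caveat it encodes: several domains on one IP can just mean one shared hosting box, so a domain whose own ns1/ns2 hosts sit on the IP is a stronger tie than a lone A record, and the comment's own warning that some records may be outdated still applies.

```python
"""Collapse passive-DNS A records for one IP into registrable domains.

PDNS below is a constructed excerpt in the comment's format, not a live
query. The suffix set is a stand-in for the Public Suffix List.
"""
from __future__ import annotations

import re
from collections import defaultdict

# One record per line: "<host>. IN A <ipv4>". A leading http:// is tolerated
# because copy/paste auto-linking sometimes prefixes www. hosts with it.
RECORD = re.compile(
    r"^(?:https?://)?(?P<host>[\w.-]+?)\.?\s+IN\s+A\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample, same shape as the comment's output.
PDNS = """\
xvpn.ru. IN A 178.162.188.28
ns1.awmproxy.ru. IN A 178.162.188.28
ns2.awmproxy.ru. IN A 178.162.188.28
awmproxy.com. IN A 178.162.188.28
http://www.awmproxy.com. IN A 178.162.188.28
server-12.ruporno.tv. IN A 178.162.188.28
awmproxy.net. IN A 178.162.188.28
checkerproxy.net. IN A 178.162.188.28
"""

# Hypothetical two-label public suffixes; a real tool loads the full PSL.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.ru"}


def registrable(host: str) -> str:
    """Registrable (apex) domain of a hostname under the toy suffix rules."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_pdns(text: str) -> list[tuple[str, str]]:
    """Parse records into (host, ip) pairs; refuse lines it cannot read."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RECORD.match(line)
        if not match:
            raise ValueError(f"unparsed passive-DNS line: {line!r}")
        records.append((match.group("host").lower().rstrip("."), match.group("ip")))
    return records


def group_by_apex(records: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Map each registrable domain to the hostnames seen under it."""
    groups: dict[str, set[str]] = defaultdict(set)
    for host, _ip in records:
        groups[registrable(host)].add(host)
    return dict(groups)


def nameserver_apexes(records: list[tuple[str, str]]) -> list[str]:
    """Apex domains whose own nsN hosts resolve to the IP.

    Hosting your authoritative DNS on a box is a stronger sign of control
    than a single A record, which can come from shared hosting.
    """
    return sorted({registrable(h) for h, _ in records if re.match(r"^ns\d+\.", h)})


if __name__ == "__main__":
    recs = parse_pdns(PDNS)
    for apex, hosts in sorted(group_by_apex(recs).items()):
        flag = " [authoritative NS on this IP]" if apex in nameserver_apexes(recs) else ""
        print(f"{apex}{flag}: {', '.join(sorted(hosts))}")
```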

        • The YouTube videos have been deleted too! Maybe he realized that even a Volkswagen can do donuts on wet pavement.

    • …and I can’t skip THIS :)))
      mr. Fizot accidentally slept with 14yr old girl when he was only 19 (a criminal offense in Russia). Since Oleg has deleted his Livejournal, here’s the cached copy of his post: http://blogs.yandex.ru/cachedcopy.xml?f=37f9f2a409ef0c994e8dba70cbe99f3e

      Translation courtesy of Google Translate:

      First Field Report
      Ringing handset, display, Adrian: “Oleg, let’s urgent to me, I’m waiting.”
      I went to him, he excitedly running around the room and begins to persuade me to go with him to the Metro Club, and I have not much desire to go there, and I break down. After 20 minutes of persuasion, we are going to iron my shirt, put her hair, etc.
      We go to the Metro Club and along the way, he tells me an interesting story: “There are girls who throw guys like this: He looked about 17-18, but in real life about 14 and they fall under a guy having sex. After a brave guys go, take out her passport, which clearly says that she is 14 years old and you put off any loot, or how mentovku pedophile. ” I grin to myself quietly and do not attach any importance, because long do not believe in girls, who at 14 looks 18. ”
      Up to 23 hours we did not have time to visit a pack of LM, and had to pay 240 p. entrance fee. Before we pay two girls, or rather a girl and a crocodile-girlfriend. I silently note the girl and move on. About an hour once we were in tusim Metro Club, then I do approach the girl, looking for some conversation, “nothing” for 10 minutes, starting unobtrusive film, cobweb. Then offer to move to another place where “good music, cool drinks and hookah” (can not remember who was stolen) and they agree. I called Adrian, and for some reason he looked at the crocodile, such as at length refused to go with us. I had to go alone. By the way, that’s when I realized that the girls feel when they go to someone and why are they so afraid of a date on the first smoke hookah at my house.
      Decide who to go and I did not long resist, I went to see him. In the dorm room to have few prospects: first, it was already over an hour and dormitory was closed, yet the fact that they start up, and I did not know what to do with the crocodile (gangbang does not roll).
      As emerged from the club immediately began her kinestetit already stepping over the scope of the SDP.
      She gave 250 rubles. taxi driver because he drove us to the subway to Nevsky Club (actually worth no more than one hundred square meters), at first I wanted to pay, but he had no change from 1000. In the taxi, I learned that they were 16 years old, and I am genuinely surprised because it looked at least 17-18, and that they are not from St. Petersburg and came to rest here for a week.
      I was amazed when I saw that they live right on the Nevsky Prospect and flat with telecom in every room, with plush trahadronami, but on Nevsky other does not happen, I guess.
      She took the wine and play music, after which I began it hard kinestetit, completely ignoring the presence of a crocodile. The girl willingly responded to the kiss, gave full access to the bottom, and let the breast is not happy. When I started to undress her slowly, she began to break, like her boyfriend in the army and she promised to wait for him.
      Another 15-20 minutes kinesthetics and we went into the room.
      The girl’s great, very experienced and is the youngest of them all.
      After the bed she went into the bathroom to bathe, and I sat on the sill and breathed air. 15 minutes it goes sharp and business-like tone says: “Oleg, let’s go have a conversation.”
      I did a lot of his childhood in what should not, and often heard similar phrases and similar tone, usually meant that I was “fucking.” But in that tone I heard that I was “full of fucking”
      We went into the room, and she began to rummage through things, looking for something, finally got a passport and gave me. So fast I did not once deducted from 2006-1992, it appears that she is 14 years old! I was shocked and fell just a few minutes, thinking that now will pay in the form of uncles, who I quickly explain that you have to pay for pleasure or to sit for corruption of minors (pedophilia) for 135 article.
      I was paralyzed for 2 minutes, and I was a moron like listening to the beating of my heart. I already figured that once the case was removed for not quite a cheap apartment, so I did not divorce for 5 cents. Has become a figure out that I was on the second floor and knocking out the glass can jump out the window, but you have to grab a condom.
      Then, seeing that no one, he asked:
      - And then what?
      - Nothing.
      Then I realized that I badly want to walk. We went for a walk along Nevsky Prospekt at 4:00 am, why I was just indescribable pleasure and great communication.
      Nevsky at 4:00 is super, one of the places kryshesnosnyh Peter, just beautiful.

      PS> This is the first Field, so I will be happy all the commentary!

      • Aleksey, you actually should have skipped this. The story doesn’t make sense in a bunch of places, I am pretty certain that it is pure fiction (just like his “primary girlfriend”).

        • Agreed, now I realize this comment was in bad taste. It may or may not be truth, but it has little relevance.

  5. If Fizot had been a regular reader of your column, he might have learned from the mistake Chronopay made that allowed you to tie them to a fake AV scam via the Google analytics code, too:

    http://voices.washingtonpost.com/securityfix/2009/07/following_the_money_trail_of_r.html

  6. Now the whole YouTube account has been closed.

  7. Алексей Алексеев ?
    http://vkontakte.ru/showbiznes

    • Whoever can track down Dmitri Sergeev AKA Cosma2k and drag him into US jurisdiction somehow or help have him extradited can claim this reward. This thread is about TDSS, a botnet different from Rustock.

  8. Dude, it’s not a Porsche. More like an early 90′s Celica with a Porsche license plate frame.

    • Ah.. good eye! According to a Google Image search (take note, thumb downer) it’s definitely a ~1993 – 1999 Celica with the nose badge removed. Strangely, I’m seeing two different designs for ’93s, but the ’94s – ’99s are definitely that design. I initially thought maybe the 98 on the right of the plate might be the year, but that’s apparently the city number after a little bit of Russian plate research.

    • Looks like you may be right. I’ve amended the above story with a strikethru through the Porsche comment.

  9. A filthy, stupid criminal with a penchant for public bragging all over the web – not a happy combination for him, I’m afraid (not!).
    Thank you, Brian; once again you (and some noted commentators in your column) made my day. Just to see how this scum is scrambling to delete ramblings he unwisely left around reminds me of rats or cockroaches running when exposed from under an overturned rock. Priceless !!!
    Disclaimer:
    I have a personal grudge about those.
    My children’s computer had recently been infected with TDSS-4. Fortunately it was easy to remove, since the computer was tweaked with a read-only Registry and C: drive, so it only encroached into the MBR – using a Kaspersky Live CD. I read on the Internet that others had more trouble removing it from both locations.

  10. In Russia, authorities offer license plates with certain numbers. They are meant for official use only, and signal to traffic police that the person in the car is on sensitive, official business and should not be stopped. Unfortunately, with corruption these plates can be bought to avoid traffic rules. One can also buy the blue flashing lights called migalki which allow one to cut through traffic. (more in English here -
    http://globalvoicesonline.org/2010/03/01/russia-bloggers-vs-patricians-on-the-road/). I do not know the exact code by which all are allocated, but signs that the plates are “special” often include double letters, like CC, and/or triple numbers, such as 666. I do not know how Fizot got his plate number, but he may well have bribed security officials. It’s bad enough when movie directors and business executives do it. If security forces sell special protection plates to criminals it’s doubly so.

    • Belka, you touch on a complex subject. In general, the Russian license plate format is xNNNxx YY(Y) where “x” are letters that are shared between Cyrillic and Latin character sets. NNN is a three digit number and YY(Y) is a region code. The region code simply specifies which geographic location the car is registered at. The key to reading the number is the alphabetical part. There are certain combinations that are assigned to various law enforcement agencies and other combinations that are simply cool to have. I used to live in Moscow in the 90s, and back then one of the coolest combinations was “ooo” (like “0666oo77”). Now the most prestigious one (from what I heard) is “AMP”. Back in the 2000s the combination “EKX” was pretty cool. Obviously these license plates are a thriving corruption market and one can pay a good price for a cool license plate. The numbers are also for sale, and in my estimation getting a “666” number would cost someone between RUR 5k-10k ($170-$340) today.

      • I was offered 666 for free when I registered my car in Moscow. Apparently nobody wants this number, and officials are kind enough not to issue this number forcibly. Other xxx numbers would cost about 5-10 times more than you think. People from the Caucasus are especially fond of such plates.
        You’re right, xxx numbers are just fancy toys. The Real Numbers are AMP, EKX, ХКХ, САС, ССС and a few others.

    • “It’s bad enough when movie directors and business executives do it. If security forces sell special protection plates to criminals it’s doubly so.”

      Criminals don’t exist in isolation, so it’s not as simple as saying they are issuing special plates to criminals. Who are his parents and siblings? Maybe he’s a family member of a VIP.

      If the FSB is so busy “milking” people accused of crimes, one can only imagine how amoral the children of their agents turn out.

      • I don’t think Oleg “Fizot” Krugov has anyone important among his relatives. He’s a lowlife, a nobody who came into certain money by engaging in online crime. His obsession with expensive cars, high-profile girls, money and other symbols of wealth is a good indicator of a low status and misery. Fizot is a typical loser.

  11. If distributing malware were a capital offense, that dude would get the Darwin award ;)

  12. The possible/potential repercussions from this ‘outing’ will be interesting to watch. The powers that be in Russia and the other cybercrooks who are quietly harvesting millions in theft earnings won’t be happy about this attention a ‘tall. To his ‘credit,’ this gangster had the sense to hit the delete button instead of reveling in the attention, a la Vrublevsky. He’ll still be lucky to escape with a stern ‘talking to.’ And word will probably spread that online braggadocio attracts attention and is bad for business.

    Stay tuned.

  13. I think this is great! I can’t believe people leave such ways to link them to things all over the net… I’d think if you know you’re doing something even remotely questionable you’d be more cautious about it. I also think that all the deleting of things that he has been doing points more towards his guilt than him being innocent.

  14. After a Google search for fizot@mail.ru, I found something interesting on this website: http://www.stopforumspam.com/ipcheck/46.183.162.106

    ———————————————-
    It shows that on 9 September the user fizot was accessed from this IP:
    9-Sep-11 15:51 46.183.162.106 fizotik_fizot fizot@mail.ru Russian Federation Evidence
    9-Sep-11 15:42 46.183.162.106 fizotik_fizot fizot@mail.ru

    ————————————————-
    After doing WHOIS research on this IP I found these details:

    IP address: 46.183.162.106
    IP country: Russian Federation
    IP Address state:
    IP Address city:
    IP latitude: 60.0000
    IP longitude: 100.0000
    ISP: CJSC Caravan-Telecom
    Organization: PH1340-COUNTER

    I assume he was using a local proxy when accessing that account lately, tunneling over the metropolitan network to get a good average Internet speed.
    Regards, Iustin.

    • Actually, stopforumspam.com has a number of entries for this email address, all from September 8th and 9th. Most IP addresses are from the same Caravan Telecom range, that company provides internet access to businesses in Moscow. Other IP addresses seem to belong to proxies (botnet participants?) around the world.

      I had a look at the “evidence”. Here it is:

      username: fizot
      User Email: fizot@2mail.ru
      User ICQ:173358888
      User AIM: fizot@mail.ru
      User MSN: fizot@mail.ru
      User Yahoo: cikifriki
      Website:
      Location: Romania
      Occupation: Banking, mortgage
      Interests: Religion, spiritual
      User Signature: xtexcounter@bk.ru

      I guess that he is spamming forums with his data to make searching for his email addresses harder. Interestingly, if you search for that Yahoo nick you will find tons of forum spam (the forum profiles I looked at were created in July).

  15. fizot seems to have started as a PHP developer. His learning experience:

    http://forum.codenet.ru/members/5765-olegking
    http://forum.vingrad.ru/forum/topic-20016/anchor-entry136162/0.html
    http://phpclub.ru/talk/threads/.20491/

    And here he is advertising his services:

    http://xoops2.ru/modules/newbb/viewtopic.php?post_id=16253#forumpost16253
    http://forum.searchengines.ru/showthread.php?t=143208
    http://forum.searchengines.ru/showthread.php?t=189219
    http://phpclub.ru/talk/threads/php–1200.46207/

    Note his ICQ number, that’s how I found the phpclub.ru post (which has been deleted two days ago but is still visible in Google cache – he didn’t bother deleting everything else he posted under the name “melkiy” however). So he previously owned phpnow.ru and php-job.org domains (the former is confirmed by http://www.1stat.ru/?domain=phpnow.ru).

    Here is looking for a C programmer: http://www.jobinpiter.com/vacancy/30712/ (same ICQ number). Note that he gives the name Oleg but email address is avzibrov@yandex.ru (Александр Зибров). Here is his profile: http://azibrov.moikrug.ru/, apparently he works for svyaznoy.ru in Moscow.

    Here is a forum topic about awmproxy: http://www.umaxforum.com/showthread.php?t=26364. Another forum participant claims that fizot is simply reselling proxy lists he bought from him (deleted again, use Google cache). That forum participant also lists the various nicks used by fizot.

  16. Came late to the show….missed the beer and popcorn but the film is still the best of the best! I love how these fugtards blow themselves out of the water, have seen it myself many times before but in Romania with hi5! Brian I bet he is extremely media-whorish go visit him with Charles:-)
    what a delight to see this happen in real time and thanks to AKL and Aleksey and all the other pokers: this was a good movie!!

  17. Do we know who is utilizing the awmproxy service or what, exactly, it is being used for? I imagine anyone with an inclination to perform illicit activity is simply going to use Tor, their own list of hijacked systems, public proxies, etc. I guess I’m interested in who would actually pay, a fairly substantial amount of money, to utilize this service?

    • The majority of hacked machines belonging to this botnet will be using residential ISPs, and the IP addresses will mostly go undetected as proxy/anonymity networks. Therefore renting access to tens of thousands of undetected residential IP addresses would be a fraudster’s wet dream, due to the ability to trick anti-fraud systems into thinking the order is coming from a legitimate Internet connection. For example, if you are a carder from Russia, a website is unlikely to accept an order from a Russian IP address with a USA credit card, and unlikely to accept an order coming from an anonymity network, but would likely accept the order if it was coming from a legitimate-looking residential US IP address.
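The evasion the commenter describes is easy to see in code. Below is an added example, not anything from the post or from any real anti-fraud product: a toy order-risk scorer with the two checks the comment names (IP country versus card country, and "is this IP a hosting/VPN/Tor address") plus the one signal that does catch a rented residential bot, a reputation list of known proxy exits. The GeoIP table, the network-type table and the proxy list are all constructed lookup tables over documentation-only addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the weights and threshold are arbitrary and exist only to make the gap visible.

```python
"""Toy anti-fraud scorer: why a residential bot IP passes, and what catches it.

IP_COUNTRY, IP_NET_TYPE and KNOWN_PROXY_IPS are constructed stand-ins for a
GeoIP database, an ASN-type feed and a proxy reputation list. Addresses are
from RFC 5737 documentation ranges and resolve to nothing real.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed lookups (hypothetical data).
IP_COUNTRY = {
    "203.0.113.5": "RU",      # residential line in Russia
    "203.0.113.7": "US",      # US hosting provider (VPN/proxy territory)
    "198.51.100.23": "US",    # US home connection: an infected PC rented out
    "192.0.2.77": "US",       # US home connection, but seen on a proxy storefront
}
IP_NET_TYPE = {
    "203.0.113.5": "residential",
    "203.0.113.7": "hosting",
    "198.51.100.23": "residential",
    "192.0.2.77": "residential",
}
# Exits harvested from a rent-a-proxy listing; the only way the scorer can
# tell 192.0.2.77 from an ordinary customer on the same ISP.
KNOWN_PROXY_IPS = frozenset({"192.0.2.77"})

ANONYMIZER_TYPES = {"hosting", "vpn", "tor"}
REVIEW_THRESHOLD = 50  # arbitrary: any single strong signal triggers review


@dataclass(frozen=True)
class Order:
    ip: str
    card_country: str
    ship_country: str


def risk_score(order: Order, reputation: frozenset = frozenset()) -> tuple[int, list[str]]:
    """Return (score, reasons). Weights are illustrative, not tuned."""
    score, reasons = 0, []
    ip_country = IP_COUNTRY.get(order.ip, "??")
    if ip_country != order.card_country:
        score += 50
        reasons.append(f"ip country {ip_country} != card country {order.card_country}")
    if IP_NET_TYPE.get(order.ip) in ANONYMIZER_TYPES:
        score += 50
        reasons.append("ip is on a hosting/vpn/tor network")
    if order.ip in reputation:
        score += 60
        reasons.append("ip listed on proxy reputation list")
    if order.ship_country != order.card_country:
        score += 20
        reasons.append("ship-to country != card country")
    return score, reasons


def decision(order: Order, reputation: frozenset = frozenset()) -> str:
    score, _ = risk_score(order, reputation)
    return "review" if score >= REVIEW_THRESHOLD else "accept"


if __name__ == "__main__":
    carder_from_russia = Order("203.0.113.5", "US", "US")
    carder_via_vpn = Order("203.0.113.7", "US", "US")
    carder_via_bot = Order("198.51.100.23", "US", "US")
    carder_via_listed_bot = Order("192.0.2.77", "US", "US")
    for name, o in [("russian ip", carder_from_russia), ("hosting ip", carder_via_vpn),
                    ("unlisted residential bot", carder_via_bot),
                    ("listed residential bot", carder_via_listed_bot)]:
        print(f"{name:26s} geo+asn only: {decision(o):7s} "
              f"with reputation list: {decision(o, KNOWN_PROXY_IPS)}")
```

The third case is the whole business model: with only geo and network-type checks, the infected US home PC scores zero and the order is accepted. The reputation list catches the fourth case because that exit was observed on a storefront; an exit that has never been listed still sails through, which is why velocity and device signals, not IP reputation alone, are what real systems lean on.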

