11 Dec 12

A Closer Look at Two Bigtime Botmasters


Over the past 18 months, I’ve published a series of posts that provide clues about the possible real-life identities of the men responsible for building some of the largest and most disruptive spam botnets on the planet. I’ve since done a bit more digging into the backgrounds of the individuals thought to be responsible for the Rustock and Waledac spam botnets, which has produced some additional fascinating and corroborating details about these two characters.

In March 2011, KrebsOnSecurity featured never-before-published details about the financial accounts and nicknames used by the Rustock botmaster. That story was based on information leaked from SpamIt, a cybercrime business that paid spammers to promote rogue Internet pharmacies (think Viagra spam). In a follow-up post, I wrote that the Rustock botmaster’s personal email account was tied to a domain name ger-mes.ru, which at one time featured a résumé of a young man named Dmitri A. Sergeev.

Then, on Jan. 26, 2012, I ran a story featuring a trail of evidence suggesting a possible identity of “Severa” (a.k.a. “Peter Severa”), another SpamIt affiliate who is widely considered the author of the Waledac botnet (and likely the Storm Worm). In that story, I included several screen shots of Severa chatting on Spamdot.biz, an extremely secretive Russian forum dedicated to those involved in the spam business. In one of the screen shots, Severa laments the arrest of Alan Ralsky, a convicted American spam kingpin who specialized in stock spam and who — according to the U.S. Justice Department — was partnered with Severa. Anti-spam activists at Spamhaus.org maintain that Peter Severa’s real name is Peter Levashov (although the evidence I gathered also turned up another name, Viktor Sergeevich Ivashov).

It looks now like Spamhaus’s conclusion on Severa was closer to the truth. More on that in a second. I was able to feature the Spamdot discussions because I’d obtained a backup copy of the forum. But somehow in all of my earlier investigations I overlooked a handful of private messages between Severa and the Rustock botmaster, who used the nickname “Tarelka” on Spamdot. Apparently, the two worked together on the same kind of pump-and-dump stock spam schemes, but also knew each other intimately enough to be on a first-name basis.

Spamdot.biz chat between Tarelka and Severa

The following is from a series of private Spamdot messages exchanged between Tarelka and Severa on May 25 and May 26, 2010. In it, Severa refers to Tarelka as “Dimas,” a familiar form of “Dmitri.” Likewise, Tarelka addresses Severa as “Petka,” a common Russian diminutive of “Peter.” They discuss a mysterious mutual friend named John, who apparently used the nickname “Apple.”

From: Severa
To: Tarelka
Date: May 25, 2010, 10:28 a.m.
Subject: Stocks

“Dimas, hello.  How’s everything?  What has happened with Apple?  Everything is understandable in regards to Ralka.  However, what’s happened with them?  I used to have more people, they have also disappeared.  I think they got scared after Ralsky got shaken down.”

From: Tarelka
To: Severa
Date: May 25, 2010, 3:20 p.m.
Subject: Re: Stocks

“Everything is all right with John.  We drank with him recently in Europe. He is getting married soon. He is no longer spamming stocks.  He got squeezed [arrested/questioned] once very badly some time ago.  Now he is all clean.  His friend – SP – screwed him and also is not working with stocks now.  Rin is in total shit.  He is going to be in jail (or he is going to be hiding) for a long time.  He calls me pretty often, so he is alive so far.  I am helping his wife with money from time to time.”

The two exchange recommendations about their favorite nightclubs in St. Petersburg, Russia. Tarelka inquires how Severa is doing, which elicits the following reply:

From: Severa
To: Tarelka
Date: May 25, 2010, 3:27 p.m.
Subject: Re: Stocks

“I am okay. Damn, where to find sponsors? I am sure I can spin off stocks even in the current market. Are there any more contacts? Maybe I will ask Apple. Maybe he can give me some referrals. Who could think two years ago that this “theme” would die, huh? Give my regards to Igor [possibly Igor Gusev, the co-curator of SpamIt]. I wish you luck and patience.”

Tarelka says he tried to convince John/Apple that there was still money to be made in stock spam, but that John insisted the market was dead, and that no one was coming forward to pay spammers to send pump-and-dump spam anymore.

From: Tarelka
To: Severa
Date: May 26, 2010, 8:02 a.m.
Subject: Re: Stocks

“My friend….do you think that stocks was not the central theme of our conversation? I filled his ears with this topic. He does not see any possibilities. Not at all. So, we are sitting on our asses, sending pharmacy and replica [spam].”

The “John” in the conversation above may have been one of the two Johns named as co-conspirators in Ralsky’s 2008 indictment (PDF) on spam charges. According to his Wikipedia page, Ralsky was sentenced in 2009 to four years and three months in prison after pleading guilty to wire fraud, mail fraud and violations of the CAN-SPAM Act. That sentence was later reduced to 35 months, when Ralsky agreed to assist in the prosecution of other spammers. He was reportedly released from prison on Sept. 14, 2012.

Both Severa and Tarelka remain free and quite active in the spam and malware scene. According to sources, Tarelka claims his botnet code was sold to three different miscreants prior to Microsoft’s takedown of Rustock in March 2011, although he still sells custom rootkits to vetted customers. In July 2011, Microsoft began offering a $250,000 reward for information leading to the arrest and conviction of the individual(s) responsible for Rustock.


14 comments

  1. Just wondering if you ever get any repercussions from naming folks similar to what you did in “A Closer Look at Two Bigtime Botmasters”. Any threats/comments from the principals you name?

  2. There was a leak of the entire Spamdot database? When did that happen?

    • There was not a “leak” per se, in the sense that it was put online for lots of people to download. It was obtained and shared by a private party, to me.

      • …and here I thought there was a Pharma Ceasefire

        • That bd was dumped and given to Brian from around late 2010, I believe. One funny thing is the life span for so many things in the malware and botnet and spam world(s) is fairly short. Many things unrelated to the technology, including interpersonal politics, partnerships, and friendships have changed.

          If anything, bringing up history and challenging people for relationships and actions 2-3+ years ago likely instigates things and people in unpredictable ways.

          Surely Brian knows by now that we are a culture (and by this I mean eastern Europe and Russia, not merely those who commit crimes in our countries) that puts a lot of value on our personal senses of pride, honour, reputation and dignity. I suspect a great deal of why he writes posts like this one is to needle people into ‘making mistakes’ and thereby ‘exposing themselves’.

          • Someone with a strong sense of pride, honor, reputation, and dignity would never make a living scamming people.

            The criminals living in your midst have larger delusions than most criminals if they think they’ve somehow retained them.

            • Probably they’re referring to these values inside their own peer group and/or business contacts.

            • I knew that this would be what you would focus on which was why I went out of my way to state that it was cultural in a larger sense, not limited to criminals. It is funny that most English speakers will romanticise Italian mafia idea of ‘omerta’ but not be willing to consider that honour can have many contexts.

  3. Typo in your article: Waldeac -> Waledac.

  4. Anyone else see an uptick in pharma spam today?

    • Not pharma – but a lot of what I’m sure are fake spam on legitimate brand names. Must be a new tactic to fool people into thinking they are blocking the wrong advertising or news groups.

      I’m very surprised this hasn’t been tried before.

  5. It is interesting their choice to communicate using the forum private message board rather than ICQ or email (being close “friends” they surely know each other’s contact details). I wonder if it was a conscious choice (harder to subpoena than ICQ) or just happened so.