Anyone who’s run a Web site is probably familiar with the term “malvertising,” which occurs when crooks hide exploits and malware inside of legitimate-looking ads that are submitted to major online advertising networks. But there’s a relatively new form of malware-based advertising that’s gaining ground — otherwise harmless ads for illicit services that are embedded inside the malware itself.

At its most basic, this form of advertising — which I’m calling “crimevertising” for want of a better term — has been around for many years. Most often it takes the form of banner ads on underground forums that hawk everything from cybercriminal employment opportunities to banking Trojans and crooked cashout services. More recently, malware authors have started offering the ability to place paid ads in the Web-based administrative panels that customers use to control their botnets. Such placements afford advertisers an unprecedented opportunity to keep their brand name in front of the eyeballs of their target audience for hours on end.

The author of the Blackhole exploit pack is selling ad space on his kit's administration page, as seen in this screenshot.

A perfect example of crimevertising 2.0 is the interface for the Blackhole Exploit Kit, crimeware that makes it simple for just about anyone to build a botnet. The business end of this kit is stitched into hacked or malicious Web sites, and visitors with outdated browser plugins get redirected to sites that serve malware of the miscreant’s choosing. Blackhole users can monitor new victims and the success rates of the compromised sites using a browser-based administrative panel.

In the screen shot above, the administration panel of a working Blackhole exploit kit shows two different ads; both promote the purchase and sale of Internet traffic. And here is a prime example of just how targeted this advertising can be: The most common reason miscreants purchase Internet traffic is to redirect it to sites they’ve retrofitted with exploit kits like Blackhole.

I wanted to find out how much it would cost to place such targeted ads, so I chatted up the author of this kit — a hacker who uses the nickname “Paunch.” He said an ad that would run on administration panels across the entire Blackhole user base would cost me $700 per month. He declined to say just how many “impressions” that money would buy, or exactly how many Blackhole users there are today.

But it’s probably quite an audience: According to security firm Sophos, Blackhole is now by far the most popular method of delivering drive-by attacks. In its 2012 Security Threat Report, the company found that “in the second half of 2011, 67% of [malware] detections were redirections on compromised legitimate sites. Of these, approximately half are believed to be redirections to Blackhole exploit sites.”

Interestingly, when Paunch doesn’t have ads to run from paying customers, he runs ads for his own ancillary services. In the screen shot below (taken from a different working Blackhole exploit kit) Paunch can be seen pitching his subscription-based malware obfuscation service.

I suppose it’s possible that miscreants could try to place malware-laced crimevertisements in a bid to hijack the browsers of other hackers, but that’s probably unlikely to happen as long as malware authors like Paunch are manually reviewing purchased ads and disallowing anything other than plain text. In the end, crimeware kit buyers may have more to fear from a kit’s author himself: The author of the infamous SpyEye botnet creation kit once acknowledged adding a hidden backdoor to his software that let him remotely access all customer installations.

More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the  criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows.

Source: FBI

The malware, known as the “DNSChanger Trojan,” quietly alters the host computer’s Internet settings to hijack search results and to block victims from visiting security sites that might help scrub the infections. DNSChanger frequently was bundled with other types of malware, meaning that systems infected with the Trojan often also host other, more nefarious digital parasites.

In early November, authorities in Estonia arrested six men suspected of using the Trojan to control more than four million computers in over 100 countries — including an estimated 500,000 in the United States. Investigators timed the arrests with a coordinated attack on the malware’s infrastructure. The two-pronged attack was intended to prevent miscreants from continuing to control the network of hacked PCs, and to give Internet service providers an opportunity to alert customers with infected machines.

But that cleanup process has been slow-going, according to at least one security firm. Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities.

“Yes, there are challenges with removing this malware, but you would think people would want to get this cleaned up,” said Rod Rasmussen, president and chief technology officer at Internet Identity. “This malware was sometimes bundled with other stuff, but it also turns off antivirus software on the infected machines and blocks them from getting security updates from Microsoft.”

Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.

Rasmussen said there are still millions of PCs infected with DNSChanger. “At this rate, a lot of users are going to see their Internet break on March 8.”

Tom Grasso Jr., an FBI supervisory agent at the National Cyber Forensics & Training Alliance in Pittsburgh, Pa., said the DNSChanger Working Group — the industry and law enforcement coalition that’s handling the remediation — has been discussing what to do about the upcoming deadline, but he declined to offer specifics.

“We’re certainly exploring all different options to minimize whatever impact there’s going to be on a lot of people,” Grasso said.

Even if the DNS Changer working group manages to get the deadline extended, the cleanup process will likely take many years.  At least, that’s been the experience of the the Conficker Working Group, a similar industry consortium that was created to help contain and clean up infections from the infamous Conficker Worm. That working group was formed in 2009, yet according to the group’s latest statistics, nearly 3 million systems remain infected with Conficker.

Given the Conficker Working Group’s experience, shutting down the surrogate DNS network on March 8 may actually be a faster — albeit more painful — way to clean up the problem.

“I’m guessing a lot more people would care at that point,” Rasmussen said. “It certainly would be an interesting social experiment if these systems just got cut off.”

Individuals in charge of a large network can learn if any systems are infected with DNSChanger by sending a request to one of the members of the DNS Changer Working Group. Home users can avail themselves of step-by-step instructions at this link to learn of possible DNSChanger infections.

Where do you come down on the decision to extend the Mar. 8 deadline? Register your vote in the poll below. Feel free to sound off in the comments.

A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. The latest casualties? Several individuals likely responsible for running Grum, currently the world’s most active spam botnet.

Grum is the top spam botnet, according to M86Security

In the summer of 2010, hackers stole and leaked the database for SpamIt and Glavmed, sister programs that paid people to promote fly-by-night online pharmacies. According to that data, the second-most successful affiliate in SpamIt was a member nicknamed “GeRa.” Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

A variety of data indicate that GeRa is the lead hacker behind Grum, a spam botnet that can send more than 18 billion emails a day and is the primary vehicle for more than a third of all junk email.

Hackers bent on undermining SpamIt leaked thousands of chats between SpamIt members and Dmitry Stupin, the co-administrator of the program. The chats show daily communication between GeRa and Stupin; the conversations were usually about setting up new spamming operations or fixing problems with existing infrastructure. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that, “Neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”

Several of those chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum controller.

By this time, Grum had grown to such an established threat that it was named in the Top Spam Botnets Exposed paper released by Dell SecureWorks researcher Joe Stewart. On  April 13, 2008 – just five days after Stewart’s analysis was released -  GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!”

Around the same time that SpamIt’s database was leaked, hackers plundered the networks of ChronoPay, one of Russia’s biggest online payment processors. The company’s top executive, Pavel Vrubelvsky, was reputed to have been a co-founder of SpamIt’s biggest competitor — a rogue pharmacy operation called Rx-Promotion. The data that hackers leaked from ChronoPay included emails showing ChronoPay executives passing credentials to Rx-Promotion’s administrative back end database.

KrebsOnSecurity.com obtained a comprehensive data set showing all of the sites advertised by Rx-Promotion affiliates in 2010, as well as the earnings of each affiliate. That information was shared with several University of California, San Diego researchers who would later incorporate it into their landmark Click Trajectories study (PDF) on the economics of the spam business. The researchers spent four months in 2010 observing the top spam botnets, keeping track of which pharmacy affiliate programs were being promoted by different top botnets.

The GeRa-Stupin chats show that by the time the researchers started recording the data, GeRa had defected from SpamIt to work for Rx-Promotion. Indeed, the UCSD researchers found that Rx-Promotion and Grum were synonymous. Each RX-Promotion pharmacy includes a “site_id” in its HTML source, which uniquely identifies the store for later assigning advertising commissions.  The researchers discovered that whenever Grum advertised an Rx-Promotion site, this identifier was always the same: 1811. According to the leaked Rx-Promotion database, that affiliate ID belongs to a user named ‘gera.’

A tiny snippet of GeRa's sales from Rx-Promotion sites, which all bore his affiliate ID 1811 in the source.

“It doesn’t prove that GeRa owned Grum,” said Stefan Savage, a professor in the systems and networking group at UCSD and co-author of the study. “But it does show that when Grum advertised for Rx-Promotion, it was for sites where commissions were paid to someone whose nickname was ‘GeRa’.”

WHO IS GERA?

GeRa uses the alternative nickname “Ger@” on Internet forums, including the now-defunct Spamdot.biz, where top spammers from SpamIt and competing programs used to gather. Google’s search engine largely ignores the “@” character, which makes searching for that nickname difficult. But infiltrate enough invite-only cybercrime communities and eventually you will find a user named Ger@ who announces that he is buying traffic.

GeRa routinely purchases traffic from other botmasters and malware writers who control large numbers of hacked PCs. As he explained in the following post to an exclusive forum, victim browsers sent his way are typically funneled through sites hosting a gauntlet of exploits designed to install a copy of his spam bot (see below).

Ger@ writes: "We continue to buy all your traffic which goes to Eleonor (Exploit Pack) to load the spam bot..."

GeRa did not respond to multiple requests for comment sent via email and ICQ. He appears to have been much more careful with his identity than other top SpamIt botmasters, but he did leave several tantalizing clues. GeRa appears to have used a number of separate affiliate accounts for himself on SpamIt (possibly to make his earnings appear lower than they really were. Among his personal accounts were “GeRa,” “Kostog,” “Scorrp,” “Scorrp2,” “Scorrp3,” “UUU,” and “DDD.”

GeRa received commission payments for all of those accounts to a WebMoney purse with the ID# 112024718270. According to a source who has the ability to look up identity information attached to WebMoney accounts, that purse was set up in 2006 by someone who walked into a WebMoney office in Moscow and presented a Russian passport #4505016266. The name on the passport was a 26-year-old named Nikolai Alekseevich Kostogryz.

One of GeRa’s most successful referrals was a SpamIt affiliate who used the nickname “Anton,” and the WebMoney ID 186103845227. The information on the Russian passport used to open that account was Vasily Ivanovich Petrov. According to SpamIt records, Anton was the 18th most valuable affiliate overall, bringing in sales of nearly $1 million and earning commissions above $422,000.

A "mind map" that helped piece together data about GeRa and his associates.

Looking at the earnings of spammers from both SpamIt and Rx-Promotion, it’s difficult to ignore the remarkable asymmetry between their incomes and the global cost of dealing with junk email. In the United States alone, spam has been estimated to cost businesses more than $40 billion annually in lost productivity, anti-spam investments, and related costs. By comparison, the entire SpamIt program produced revenues just above $150 million over a four year period, while Rx-Promotion spammers generated a fraction of that revenue.

SpamIt, Glavmed earnings over the life of the programs.

This is the latest in my Pharma Wars series. In case you missed them, check out my profiles of other top botmasters, including:

Mr. Waledac: The Peter North of Spamming
‘Google,’ the Cutwail Botmaster
Mr. Srizbi vs. Mr. Cutwail
Chats with Accused ‘Mega-D’ Botnet Owner?
Rustock Botnet Suspect Sought Job at Google

A prominent affiliate program that pays people to promote knockoff luxury goods is closing its doors at the end of January. The program — GlavTorg.com — is run by the same individuals who launched the infamous Glavmed and SpamIt rogue pharmacy operations.

Launched on July 4, 2010 and first announced on the Glavmed pharmacy affiliate forum, GlavTorg marketed sites that sold cheap imitations of high priced goods, such as designer handbags, watches, sunglasses and shoes.

“July 4 – U.S. Independence Day! Now, Russian craftsmen have a reason to celebrate this holiday. And on this occasion, the launch of GlavTorg.com. The all-new niche for all Russian search engine optimization (SEO) masters. Adult has died, online pharmacies are under pressure, and [fake anti-]spyware is dying. It’s time to move into a new direction. FASHION – that’s the trend this year! High demand, myriad of opportunities… Competition is almost non-existent.  High commissions.”

The program apparently was not profitable, or there was a mismatch between supply and demand, because on Dec. 21, 2011, GlavTorg affiliates were told it was being shut down and that they would not be paid after Jan. 31, 2012:

“Dear partners, We would like to inform you that we have decided to close the trade direction replica handbags and clothing. The reasons for this decision and are associated with economic deterioration in the quality of products provided by our suppliers. We believe that any business should be to balance the interests of buyers and sellers, which has recently become disturbed.”

GlavTorg’s failure may have had more to do with pressure from brand owners. In September 2011, handbag maker Chanel filed suit to shutter dozens of sites selling knockoff versions of its products. Among the domains seized and handed over to the company was topbrandclub.com, a primary GlavTorg merchandising site whose home page now bears a warning from Chanel about buying counterfeit goods.

It’s difficult to say whether other knockoff affiliate programs are feeling the same pressures as GlavTorg, but it is fascinating to see how spammers and fraudsters are constantly adapting. Igor Gusev, a Russian businessman closely tied to Glavmed and GlavTorg, has been trying to work out which “grey” Internet business he will pursue next. Gusev is in self-imposed exile from his native Moscow, due to pending criminal charges against him of running a spam operation in Glavmed and SpamIt.

In a phone interview with KrebsOnSecurity.com last July, Gusev said he was considering going into the consulting business, advising online affiliate programs on how to navigate the choppy waters of shady credit card processors and dodgy banks that support those industries.

“Honestly, I am looking into this business,” Gusev said. “From one point of view, it’s pretty risky because I want to stay as far as possible away from doing stuff which could lead to another criminal case. But from another point of view, I can earn some money just to make some consultations with merchants such as this if the merchants agreed to paid some percentage for my expertise,” because the banks are the vital thing to all of this stuff.”

Microsoft on Monday named a Russian man as allegedly responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from a huge spam affiliate program suggests that the driving force behind Kelihos is a different individual who commanded a much larger spam empire, and who is still coordinating spam campaigns for hire.

Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used novel legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.

On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.

“It’s the same code with modifications,” said Brett Stone-Gross, a security analyst who came into possession of the Kelihos source code last year and has studied the two malware families extensively.

Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.

WHO IS SEVERA?

A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5). Spamhaus alleged that Severa was the Russian partner of convicted U.S. pump-and-dump stock spammer Alan Ralsky, and indeed Peter Severa was indicted by the U.S. Justice Department in a related and ongoing spam investigation.

It turns out that the connection between Waledac and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. The data also include tantalizing clues about Severa’s real identity.

In multiple instances, Severa gives his full name as “Peter North;” Peter Severa translates literally from Russian as “Peter of the North.” (The nickname may be a nod to the porn star Peter North, which would be fitting given that Peter North the spammer promoted shady pharmacies whose main seller was male enhancement drugs).

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period. He also was a moderator of Spamdot.biz (pictured at right), a vetted-members-only forum that included many of SpamIt’s top earners, as well as successful spammers/malware writers from other affiliate programs such as EvaPharmacy and Mailien.

Severa seems to have made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send 1 million pieces of spam; junk email campaigns touting employment/money mule scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Spamhaus says Severa’s real name may be Peter Levashov. The information Severa himself provided to SpamIt suggests that Spamhaus’s intelligence is not far off the mark.

Severa had his SpamIt earnings deposited into an account at WebMoney, a virtual currency popular in Russia and Eastern Europe. According to a source that has the ability to look up identity information tied to WebMoney accounts, the account was established in 2001 by someone who entered a WebMoney office and presented the Russian passport #454345544. The passport bore the name of a then 26-year-old from Moscow — Viktor Sergeevich Ivashov.

SPAMDOT SECRETS

So where are the clues suggesting that Severa ran Waledac? Krebs On Security also managed to secure a copy of the Spamdot.biz forum, including the private messages for all of its users. On August 27, 2009, Severa sent a private message to a Spamdot.biz user named “ip-server.” Those communications show that the latter had sold Severa access to so-called “bulletproof hosting” services that would stand up to repeated abuse claims from other ISPs. The messages indicate that Severa transacted with ip-server to purchase dedicated servers used to control the operations of the Waledac botnet.

In the private message pictured in the screen shot to the left, Severa writes (translated from Russian):

“Hello, writing to your ICQ, you are not responding.  One of the servers has been down for 5 hours. The one ending on .171.  What’s the problem, is it coming up or not, and when?”

ssh 193.27.246.171
ssh: connect to host 193.27.246.171 port 22: No route to host”

Ip-server must have resolved the outage, because the server that Severa was complaining about — 193.27.246.171 — would be flagged a day later by malware analysts, and tagged as a control server for the Waledac botnet.

There are clues that suggest a relationship between Severa and Kelihos that go beyond similarities in the code that powers the two botnets. Last summer, prior to Microsoft’s takedown of Kelihos, I wrote about another venture that Severa widely advertised on hacker forums: “Sevantivir,” an affiliate program that rewarded hackers for tricking people into installing and ultimately paying for fake antivirus software.

In that story, I cited research by French malware investigator and blogger Steven “Xylitol” K, who found that the installer program that Severa was giving to affiliates seeded infected PCs with both fake antivirus and a copy of Kelihos. From that story:

“Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.”

It’s not clear what botnet infrastructure he is using now, but Severa is still the spam service administrator on several underground forums, pimping his spam services, remarkably under most of the same prices he offered them for in 2008.

Contacted via instant message and presented with the evidence, Severa denied everything, saying he only did small opt-in mailings, had never used a botnet, and had been out of the business for years. When pressed about his fake antivirus affiliate program, Severa said he didn’t realize his antivirus program was fake, and that he didn’t know anyone named Sabelnikov, or even Ralsky. When presented with the screen shot below — which shows Severa complaining on Spamdot about how his broker ran away and that he was faced to find a new sponsor for spamming penny stocks just days after Ralsky’s arrest in Jan. 2008 — Severa said someone else must have been using his Spamdot account.

“The truth is that some people sharing servers, spamdot account and some other forum accounts [in] those years,” he explained. He gave the same reply when asked about the screen shot showing his renting the server used to control Waledac.

Kelihos may not be completely gone. Stone-Gross said he recently uncovered a malware sample that appears to be another installer for Kelihos.

“The guys running these botnets are making lots of money,” Stone-Gross said. “They’re not just going to sit back and say, ‘Oh no, they took down our botnet, let’s give up on our business.’ They’ll use pay-per-install affiliate programs to reinfect more machines and bring the botnet right back up.”

Severa writes: "Because of issues with Ralsky my broker ran away along with two other people who could supply stocks. I am forced to look for new contacts. So -- I AM LOOKING FOR STOCK SPONSOR"

Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as a social network that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.

A screenshot of the Citadel botnet panel.

The ZeuS offshoot, dubbed Citadel and advertised on several members-only hacker forums, is another software-as-a-service malware development. Its target audience? Those frustrated with virus writers who decide that coding their next creation is more lucrative and interesting than supporting current clients.

“Its no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers,” Citadel’s developers claim in an online posting. “One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”

In the following excerpt, taken from a full description of Citadel’s innovations, the developers of this malware strain describe its defining feature as a social networking platform for malware users that is made available through a Web-based portal created by the malware itself.

“We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:

- Report bugs and other errors in software. All tickets are looked at by technical support you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.

-Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of existing module. Such requests can be public or private.

-Each client has a right to vote on new ideas suggested by other members and offer his/her price for development of the enhancement/module. The decision is made by the developers on whether to go forward with certain enhancement or new module depending on the voting results.

-Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active parts in discussions with the developers.

- You can see all stages of module development, if it is approved other members. We update the status and time to completion.

- You may pay a deposit, if module is approved (50%). After the deposit is paid by the members, the project starts moving forward, so that the money is paid directly to coders and there will be no laziness or inaction. Everything is clear: every stage of development is thoroughly shown.

-Easy jabber [instant message] notification of new member or developer comments, or the availability of new custom applications.

The Citadel store lets users file and track bug reports, and request and vote on new features.

Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity.

The basic Citadel package — a bot builder and botnet administration panel — retails for $2,399 + a $125 monthly “rent,” but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.

Citadel also boasts a feature that hints at its creator’s location(s). According to the authors, if the malware detects that the victim’s machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan’s creators if there are no local victims.

The Citadel bot builder.

It will be interesting to see if these malware developers hold true to their word. The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation. For now, the miscreants behind Citadel appear upbeat about their chances of ushering in such a reality.

“It’s very interesting for us to work with our clients,” they wrote in an online forum posting. “A lot of authors write in forums that they ‘support the product,’ but at the end the updates only come out once every three months or the author disappears forever. Problem is in author’s motivation. You support us, we support you. It is easy.”

A new service aims to be the Google search of underground Web sites, connecting buyers to a vast sea of shops that offer an array of dodgy goods and services, from stolen credit card numbers to identity information and anonymity tools.

MegaSearch results for BIN #423953

A glut of data breaches and stolen card numbers has spawned dozens of stores that sell the information. The trouble is that each shop requires users to create accounts and sign in before they can search for cards.

Enter MegaSearch.cc, which lets potential buyers discover which fraud shops hold the cards they’re looking for without having to first create accounts at each store. This free search engine aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.

According to its creator, the search engine does not store the compromised card numbers or any information about the card holders. Instead, it works with card shop owners to index the first six digits of all compromised account numbers that are for sale.  These six digits, also known the “Bank Identification Number” — or BIN — identify which bank issued the cards. Searching by BIN, MegaSearch users are given links to different fraud shops that are currently selling cards issued by the corresponding bank.

I first read about this offering in a blog post by RSA Fraud Action Research Labs. It didn’t take much time poking around a few hacker boards to find the brains behind MegaSearch pitching his idea to the owners of different fraud shops. He agreed to discuss his offering with me via instant message, using the search service as his screen name.

“I’m standing on a big startup that is going to be [referred to as] the ‘underground Google,’” MegaSearch told KrebsOnSecurity. “Many users spend a lot of time looking [through] shops, and I thought why not make that convenient?”

The service currently indexes compromised BINs from five different card shops, although he said several more shops are close to completing their integration with MegaSearch. He acknowledged garnering a small advertising fee for each relationship, although he repeatedly declined to discuss the particulars of those arrangements. But he said both sides benefit: stolen card data grows less reliable with age, and fraud shops that are indexed by MegaSearch stand a better chance of clearing their inventory faster, the hacker argues.

MegaSearch said that when his site first launched at the end of 2011 and began indexing the five card shops he’s now tracking, those shops had some 360,000 compromised accounts for sale, collectively. Since then, those shops have moved more than 200,000 cards. The search engine currently has indexed 352,000 stolen account numbers that are for sale right now in the underground.

According to BIN search stats published on the site, Citibank cards are the most sought-after, followed by cards issued by FIA Card Services, Capital One and Chase.

In the coming weeks, he said, the site will include new features that index other types of criminal wares, including Social Security numbers and proxies — addresses of hacked PCs that paying clients can use as a relay to anonymize their online communications.

“I’m about to add more services to that site that would help newbie underground, including proxies, stolen identity information, etc.,” MegaSearch told me. “I’m also going to add a survey [to rate] the best shop.”

2011 has been called the Year of the Data Breach. If services like MegaSearch are indicative of a trend, 2012 may well become known as the year the criminal underground started getting a clue about how to better index and use all of its stolen data.

Given the heightened security surrounding air travel these days, it may be hard to believe that fraudsters would try to board a plane using stolen tickets. But incredibly, there are a number of criminal travel agencies doing business in the underground, and judging from the positive feedback left by patrons, business appears to be booming.

Ad above says: Maldives Turkey Goa Bora-Bora, Carribes, Any country, any hotels and resorts of the world.

The tickets often are purchased at the last minute and placed under the criminal buyer’s real name. The reservations are made using either stolen credit cards or hijacked accounts belonging to independent contractors in the travel industry.  Customers are charged a fraction of the cost of the tickets and/or reservations, typically between 25 and 35 percent of the actual cost.

Criminal travel services are contributing to a recent spike in airline ticket fraud. In December, the Airlines Reporting Corporation, an industry clearinghouse, said it was seeing a marked increase in unauthorized tickets issued. Between August and November of last year, 113 incidents of fraudulently booked tickets were reported to ARC, up from just 18 such incidents reported in all of 2010. The aggregate face value of the unauthorized tickets in 2011 was more than $1 million. The ARC believes the increase in fraud is mainly due to an surge in phishing emails targeting travel agency employees and contractors.

Some of the travel agencies in the criminal underground are full-service, pitching package deals that  include airfare, car rentals and even hotel stays. A hacker using the nickname “Yoshimo” on one prominent fraudster forum offers “80-95 percent working flight tickets in most countries (some restrictions apply),” for 25 percent of the original price, and 40 percent of the price for carded hotel stays and car rentals. He has been offering this service for more than two years, and has at least 275 positive reviews from current and former customers.

At first glance, it may seem unlikely that your typical paranoid fraudster would dare take advantage of such a service. But according to the proprietors, few customers are ever stopped, and those that are can simply claim that they were victims of fraud. At least that’s how it’s explained by “Jeferi,” a criminal travel agent who has set up shop on the fraudster forum Kurupt.su.

To assuage fears of potential customers, Jeferi allows buyers to verify the status of their e-tickets the day of travel before paying for them. And of course, none of these bogus travel services accept credit cards: They only take payment via virtual currencies, such as WebMoney and Liberty Reserve.

“The story is simple,” Jeferi explained in a discussion thread that spans five pages and includes questions from dozens of skeptical and interested members. “The thing is, you are thinking as a criminal. Think about yourself as a victim of an online scam. You saw an advertisement of a “Travel Agency” in the Internet, and it seemed interesting. So you contacted them through a forum and finally arranged a deal. The travel agency told you that the tickets were last-hour tickets and that they were affiliate with the airlines, so they could offer these kinds of prices, and you thought they were legit. OMG! I never thought it was going to be a scam! Bastards!”

Chalk it up to professional pride or just greed, but it seems that many people who steal for a living have difficulty legitimately purchasing anything online. There is probably also a strong emotional jolt that these guys receive from getting a stranger to pick up the tab for a tropical vacation. As Jeferi says in his ad: “What’s better? Money for one day to buy some chips? Or Big Money each day to do whatever your want?”

Jobs in the hi-tech sector can be hard to find, but employers in one corner of the industry are creating hundreds of full-time positions, offering workers on-the-job training and the freedom to work from home. The catch? Employees will likely toil for cybercrooks, and their weekly paychecks may barely cover the cost of a McDonald’s Happy Meal.

Kolotibablo.com home page

The abundance of these low-skilled, low-paying jobs is coming from firms that specialize in the shadowy market of mass-solving CAPTCHAs, those blurry and squiggly words that some websites force you to retype. One big player in this industry is KolotiBablo.com, a service that appeals to spammers and exploits low cost labor in China, India, Pakistan, and Vietnam.

KolotiBablo, which means “earn money” in transliterated Russian, helps clients automate the solving of puzzles designed to prevent automated activity by bots, such as leaving spammy comments or mass-registering accounts at Webmail providers and social networking sites. The service offers an application programming interface (API) that allows clients to feed kolotibablo.com CAPTCHAs served in real time by various sites, which are then solved by KolotiBablo workers and fed back to the client’s system.

Paying clients interface with the service at antigate.com, a site hosted on the same server as kolotibablo.com. Antigate charges clients 70 cents to $1 for each batch of 1,000 CAPTCHAs solved, with the price influenced heavily by volume. KolotiBablo says employees can expect to earn between $0.35 to $1 for every thousand CAPTCHAs they solve.

The twin operations say they do not condone the use of their services to promote spam, or “all those related things that generate butthurt for the ‘big guys,’” mostly likely a reference to big free Webmail providers like Google and Microsoft. Still, both services can be found heavily advertised and recommended in several underground forums that cater to spammers and scam artists.

Registered antigate.com users can read more about why customers typically purchase the service, and how KolotiBablo is run. From the description:

“All CAPTCHAs in our service are completely solved by real humans, there are usually 500-1000 (and growing) workers online from all the world. That’s why we can process any CAPTCHAs at any volume for a fixed price $1 per 1000 CAPTCHAs.

You may probably think that using human resource inappropriate or inhumane. However, keep in mind that we pay the most of collected money to our workers who sit in the poorest corners of our planet and this work gives them a stable ability to buy food, clothes for themselves and their families. Most of our staff is from China, India, Pakistan and Vietnam.”

To get started as a CAPTCHA-solving worker at Kolotibabo.com (pictured at left), you’ll need to provide a working account at WebMoney, a virtual currency. After that, the system will start feeding you live CAPTCHAs to solve, prefacing each with an notice about the rate that the client has agreed to pay per batch.

Depending on the demands that clients place on the service, there may be a brief delay between CAPTCHAs, but generally only a few seconds pass between the time a solved puzzle is submitted and when a new one is offered. Each new puzzle is preceded by an audible “beep,” and workers are expected to solve and type each of the CAPTCHAs in less than 10 seconds. During downtime, the system displays workers’ average puzzle solving times, as well as actual and projected weekly earnings.

If sort of drudgery sounds like easy money, take a moment to work out the math. Assuming that you can solve six CAPTCHAs per minute and work eight hours straight, you’d be able to solve about 2,880 puzzles each day. Even at the highest CAPTCHA solving rate, you’d only make $2.88 daily; at the lowest rate, you’d make just over a dollar a day.

No, the real earnings only come when you assemble an army of workers to solve CAPTCHAs for your WebMoney account, as described by this FAQ at KolotiBablo.com.

As long as there is low-cost human labor willing to do this kind of work for pennies per day, CAPTCHAs will continue to be an ineffective way to prevent automated account creation and spammy Web site comments. But at least experts are working on making CAPTCHAs less annoying: Some firms are starting to pitch more user-friendly alternatives to the hard-to-read squiggly CAPTCHAs.

If you’d like to learn more about CAPTCHAs and the semi-automated systems being built to defeat them, I’d suggest reading this paper (PDF) on CAPTCHA-solving services, from researchers at University of California, San Diego. Also, in Nov. 2010, I wrote about CAPTCHABot, another puzzle-solving service with similar rates and practices.

The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by  “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

ICQ 360000 (alias “SPM”): I want my logo to be next to yours on the forum.

Stupin: Understood.

SPM: Let’s decide.

Stupin: We can think of something.

SPM: Let’s do it. Fakir suggests that I start recommending your partnerka to my clients. I am not against that.

SPM: But I want to have the status of official software for spamdot. It will come to it, since majority of moderators on the forum are with me already.

Stupin: We can think of something like this  – we are placing your logo with ours,  in return you add our logo to your software, like you are recommending us.

SPM: Not a problem. I am leaving to draw the logo.

SPM: Give me a piece of the header, and I will draw right on it. I mean the header for the forum.

Stupin: Wait,  it cannot be decided that fast,  I need to discuss it with my partner and simply think all of this over.

SPM: Fine. Let me know when you discuss it.

Stupin: Certainly.

SPM: Thanks in advance. And when you are discussing this matter with your partner, let him know, that SPM’s plan is to become the ONLY system on the market, and I stay by my words

Stupin: Google is saying the same thing

SPM: Google is no match, believe me. I’ve already destroyed one competitive system on the market. So I have the experience

SPM: Google offered me a bribe for my going out of business That’s his method )

Stupin: Honestly, it’s more pleasurable to deal with you than with him.

SPM: I was surprised that someone is competing with me on spam soft market.  On the other hand, competition is always a good thing. So I am not against it.

The exchange above is part of a much longer conversation thread that is translated and reproduced in its entirety at this link. It recounts how SpamIt administrators debated and ultimately acquiesced to SPM’s demands, and how they later distanced themselves from Srizbi when security researchers turned up the heat on the criminal operation.

WHO IS SPM?

Clues about the identity and location of SPM are all over the SpamIt database and the chats. When SPM first registered with SpamIt in early 2007, he provided the email address mserver@mail.ru, and of course the ICQ address 360000. Early forum posts show that SPM rented his Reactor/Srizbi botnet to spammers who would log in to their accounts at reactormailer.com. The original Web site registration records for that domain list the same email address SPM provided to SpamIt: mserver@mail.ru.

When reactormailer.com was shuttered, SPM moved operations to www.reactor2.com, a domain originally registered to ronnich@gmail.com. SpamIt affiliate records show that a spammer who registered in 2007 with that same email address was a referral of SPM’s. Records also show that SPM referred at least two other affiliates, a “nenastnyj” who used the email address nenastnyj@gmail.com, and a programmer who used two accounts under separate nicknames, “Vladie” (volodyja@gmail.com) and “SigmaZ” (vlaman@gmail.com).

These names show up in an insightful analysis of Srizbi published in 2007 by Joe Stewart, senior security researcher at Atlanta-based SecureWorks. That report was prompted in part by a strange blast of spam sent via Srizbi that promoted the presidential candidacy of Texas Congressman Ron Paul.

Stewart wrote:

Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm” He calls his company “Elphisoft,” and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true; by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.

Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj.”

So Stewart’s conclusions about SPM’s business associates seem to have been spot-on. But what about SPM? Some of the more promising leads come from the spam king himself. As Stewart noted, SPM gave an interview in Jan. 2007 with the storied Russian hacker magazine Xakep.ru, in which he discusses how his Reactor Mailer botnet — “wholly owned” by him but built with the help of “some of the best coders from the former Soviet Union” –  had recently seized a quarter of the market for spam services. Early in the profile, SPM says he is the “owner of a company producing game software.”

The game company lead is the most tantalizing. Here’s why: Googling around for SPM’s ICQ — 360000 — I discovered that SPM has indeed been developing freeware games for many years. At freeware.ru, there are a number of games posted by a guy named Philipp Pogosov, who uses that same ICQ and the mserver@mail.ru address.

Things started really heating up when I located this thread from 2005 on the user forum of UCA Networks, an Internet service provider serving the Southwestern and Southern districts of Moscow. In it, a user named “spm” says he is selling his 2001 BMW 530ia. SPM tells interested buyers to contact him at ICQ 360000, and that pictures of the car are available at http://www.reactor2.com/bossmobile. Later in the thread, SPM tells a fellow forum member to send his resume to game@gameprom.com.

I had a look at Gameprom, which seems to be doing very well developing and selling video games for mobile devices. Russian incorporation records show that Gameprom was founded in 2004 and is owned by Philipp Pogosov. This is also the name on the domain registration records of gameprom.com. What is the email address used to register gameprom.com? You guessed it: mserver@mail.ru.

I made several unsuccessful attempts to contact Mr. Pogosov. Gameprom did not respond to requests for comment. Having no luck with email, I turned to social networking sites. LinkedIn.com includes 19 users who list their current or former employer as Gameprom, including a “Philipp P.” who is listed as the company’s owner. My attempts at convincing two of my mutual LinkedIn.com connections to introduce me to Pogosov failed, but I did learn one interesting thing from his LinkedIn profile: He is apparently based in Thailand.

If Pogosov really is SPM, then it seems he has resided in Thailand for several years. Earlier in my Pharma Wars series, I detailed the activities of Cosma — the top SpamIt affiliate who appears to have been responsible for a botnet that competed directly with SPM’s – Rustock.. In a chat between Cosma and Stupin on Oct. 1, 2008, Cosma jokes that he may soon be making enough money spamming that he can ditch his day job and go join SPM in Thailand. Here’s a snippet from that chat:

ICQ 761474 (alias=Cosma): When we reach $6-7k a day, I will leave you alone….I will go to SPM in Thailand and will drink cognac with him all day long =)

REACH OUT AND SPAM SOMEONE

It’s not clear why SPM left SpamIt, but it may have been because his botnet got clobbered in a double-whammy. First, the takedown of cybercriminal hosting hub McColo kneecapped Srizbi for a few weeks because all of its control servers were hosted there. Srizbi briefly recovered in Feb. 2009, only to be hammered again by Microsoft, which pushed out an update to its malicious software removal tool that uninstalled Srizbi from Windows PCs.

There is a year-long gap in the chat records between Stupin and SPM during 2009. When SPM does turn up again early 2010, it’s to pitch an ambitious scheme to spam mobile phones with text message ads for SpamIt’s rogue pharmacies.

The following chat was recorded on Jan. 24, 2010, roughly 9 months before SpamIt’s demise:

ICQ: 635635 alias “Namaste”: Hi. This is SPM. What’s new in the community?

Stupin: Nothing new. Everything repeats itself.

SPM: That’s the law of life.  How’s business?

SPM: Am I interrupting something?  I can knock later if I am.

Stupin: No, you are not interrupting. Business is going fine. It’s going and growing.

SPM: There are a couple of ideas to discuss. Idea 1) In short – I can do SMS spam. It is serious, many and fast. I believe the friends of ours told you about that already.

SPM: Maybe not.

Stupin: I am very happy for you.

SPM: In other words, you are not interested in using SMS for SpamIt spam?

Stupin: Well, I have not really heard an offer from you.

SPM: Well, we can produce an offering together. I do not have a finished offer yet. Simply, there is a way to send SMS spam, that’s it. Any text. Speed is about 100 SMS per second. Any provider. Inbox delivery – 80%, but outcome cannot be predicted by anyone, since, as far as I know nobody has been doing SMS spam yet.

Stupin: Well, go get our URLs and try.

SPM: We’ll need a version of your shops adapted for smartphones. With limited graphics.

Stupin: They are adapted automatically, using User-Agent.

SPM: Give me any link, and I will check on the phone.

Stupin: http://canadian-medshop.com

SPM: Do you have stats of connections to shops from smartphones?

Stupin: Yes, a small percent from overall traffic.

SPM: What kind of phones? Do you have this information?

Stupin: No surprises…iPhones, and Blackberry

SPM: How about Nokias?

Stupin: Very few.

SPM: Inconvenience that URL should be entered manually, but on the other hand – Inbox 80%….

Stupin: Databases are not targeted also, as far as I understand.

SPM: Surely, but on the other hand, there is a possibility to spam the entire provider’s space.

Stupin: Ask some hackers to give you a phone listing generated from an on-line pharmacy.

SPM: I thought about it. Is my account still alive? I forgot my password.

Stupin: Tell us login and which new password you want us to set.

SPM: spam101

Stupin: Okay.

SPM: Does your pharmacy serve Russia?

Stupin: No.

SPM: Pity. Our providers are very easy to harvest. All three of them.

Stupin: Password is done.

Stupin: Tell us if everything is okay.

SPM: Everything is okay. My GOD, there is even some money there Will you send to my WM?

Stupin: Yes. Let support know, if you need domains,  we can leave one theme for smartphones,  similar to what we have here: http://www.medshop.mobi