Posts Tagged: pavel vrublevsky


19
Aug 11

Pharma Wars, Part II

Earlier this year, Russian police arrested Dmitry Stupin, a man known in hacker circles as “SaintD.” Stupin was long rumored to be the right-hand man of Igor Gusev, the alleged proprietor of GlavMed and SpamIt, two shadowy sister organizations that until this time last year were the largest sources of spam touting rogue Internet pharmacies.

According to several sources who are familiar with the matter, Russian police pulled Stupin off of a plane before it left Moscow. The police also reportedly took Stupin’s MacBook and copied its contents. The police detained Stupin as part of an investigation into Gusev launched nearly a year ago. Gusev fled his native Moscow last year and has not returned.

Sometime in the past few days, more than four years’ worth of chat conversations — apparently between Stupin, Gusev and dozens of other GlavMed employees — were leaked. Those conversations offer a fascinating glimpse into the day-to-day operations one of the world’s largest cyber criminal organizations.

The chat logs also catalog the long-running turf battle between Gusev and his former business partner, Pavel Vrublevsky. The two men were co-founders of ChronoPay, one of Russia’s largest online payments processor. Vrublevsky is now in jail awaiting trial on charges of hiring a hacker to attack his company’s rivals. He also has been identified as a co-owner of a competing rogue pharmacy program, the now-defunct Rx-Promotion.

I have had numerous interviews with both Gusev and Vrublevsky, both of whom accuse one another of bribing Russian law enforcement officials and politicians to initiate criminal proceedings against each other.

While there is no direct evidence Vrublevsky paid for a prosecution of Gusev, documents stolen from ChronoPay last year by hackers indicate that the company arranged to pay the salaries of several people on the Russian Association of Electronic Communications (RAEC). Those same documents show that Vrublevsky and RAEC members were closely involved in the investigation into Gusev the months and weeks leading up to the official charges against him.

The chat records between Stupin and Gusev, a tiny sliver of which is translated here from Russian into English, suggest that the two men paid authorities for protection. Contacted via email, Gusev declined to say whether the chats logs were legitimate or comment further, explaining that he was still reviewing the documents.

“If at least some of these logs are legit, then it means that I was telling the truth about paid criminal case against me initiated by Pavel and his constant connection with investigators,” Gusev said. “I know for sure that Pavel had access to evidences which were gathered by the investigators while he shouldn’t have such access. Before I just didn’t have any proof for this. Now I have.”

The latest leaked archive contains more than 166 megabytes of chat logs, allegedly between Stupin, Gusev and others. The following chat log is dated Aug. 28, 2010, just days after Vrublevsky leaked the SpamIt and GlavMed affiliate and customer data to U.S. law enforcement agencies. In this conversation, Stupin and Gusev allegedly discuss whether to close SpamIt (SpamIt would be closed a month later). “Red” in the first sentence is a reference to Vrublevsky, well known to use the hacker alias “RedEye.”

Gusev: It looks like I am in deep shit.  Red gave our database to Americans.

Dmitriy Stupin

Stupin: To which Americans?

Gusev: I can’t tell exactly, yet. Probably to FBI or Secret Service. Have you read on Krebs’ blog about meeting at White House regarding illegal pharmacy problems on the Internet?

Stupin: No.

Gusev: http://krebsonsecurity.com/2010/08/white-house-calls-meeting-on-rogue-online-pharmacies

Stupin: Maybe you return back to Russia?

Gusev: I am planning to do that. I am really worried now :(

Stupin: What about Red? For that money. May be let’s close down everything?

Gusev: In any case, he will be squished to the end. Everything is done pretty properly. Chronology: – He got thrown out from major banks (Masterbank, Bank Standard and almost from UCS. Too many clients left him. Investigations have been made on data regarding processing. Major issue now – close down the channel via Azerbaijan  (the only place where he can do his own processing and processing for his clients). We need him have an acute issue with money, otherwise he is going to slow down the investigation as much as he can.

Gusev: Do you think “closing down” will help? Just realize: they have our ENTIRE database… there are 900,000 records. What are we going to do with those? For conviction and 5-year jail time it is only necessary to prove 1 transaction! What is the worst? They combine the sentences and it is possible to get 5 life sentences.

Stupin: I think yes, we will receive lower priority.

Gusev: And who is considered a high priority? I am trying to figure out how he gave us up, and do the same for him. There will be 2 cases instead of one.

Continue reading →


3
Aug 11

Fake Antivirus Industry Down, But Not Out

Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.

During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.

A notice to BestAV affiliates

On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.

“Dear advertisers: Last week was quite complicated. Well-known force majeure circumstances have led to significant sums of money hanging in the banks, or in processing, making it impossible to pay advertisers on time and in full.”

The disruption appears to be partially due to an international law enforcement push against the fake AV industry. In one recent operation, authorities seized computers and servers in the United States and seven other countries in an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake AV.

There may be another reason for the disruption: On June 23, Russian police arrested Pavel Vrublevsky, the co-founder of Russian online payment giant ChronoPay and a major player in the fake AV market.

Black Market Breakdown

ChronoPay employees wait outside as Moscow police search the premises.

Vrublevsky was arrested for allegedly hiring a hacker to launch denial of service attacks against ChronoPay’s rivals in the payments processing business. His role as a pioneer in the fake AV industry has been well-documented on this blog and elsewhere.

In May, I wrote about evidence showing that ChronoPay employees were involved in pushing MacDefender — fake AV software targeting Mac users. ChronoPay later issued a statement denying it had any involvement in the MacDefender scourge.

But last week, Russian cops who raided ChronoPay’s offices in Moscow found otherwise. According to a source who was involved in the raid, police found mountains of evidence that ChronoPay employees were running technical and customer support for a variety of fake AV programs, including MacDefender. The photograph below was taken by police on the scene who discovered Website support credentials and the call records of 1-800 numbers used to operate the support centers.

Continue reading →


24
Jun 11

ChronoPay Co-Founder Arrested

Russian authorities on Thursday arrested Pavel Vrublevsky, co-founder of ChronoPay, the country’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals.

An undated photo of Vrublevsky

Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.

Russian state-run news organizations are reporting that Vrublevsky was arrested on June 23. Financial Times reporter Joe Menn writes that Vrublevsky was ordered held without bail and a hearing was set for a month’s time.

Continue reading →


23
Jun 11

Financial Mogul Linked to DDoS Attacks

Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against a top ChronoPay competitor.

KrebsOnSecurity has featured many stories on Vrublevsky’s role as co-founder of the infamous rogue online pharmacy Rx-Promotion, and on his efforts to situate ChronoPay as a major processor for purveyors of “scareware,” software that uses misleading computer virus infection alerts to frighten users into paying for worthless security software.  But these activities have largely gone overlooked by Russian law enforcement officials, possibly because the consequences have not impacted Russian citizens.

In the summer of 2010, rumors began flying in the Russian blogosphere that Vrublevsky had hired a hacker to launch a distributed denial of service (DDoS) attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors. The attack on Assist occurred just weeks before Aeroflot was to decide which company would win the contract; it so greatly affected Assist’s operations that the company was unable to process payments for extended periods of time. Citing the downtime in processing as a factor in its decision, Aeroflot ultimately awarded the contract to neither ChronoPay nor Assist, but instead to Alfa-Bank, the largest private bank in Russia.

According to documents leaked to several Russian security blogs, investigators with the Russian Federal Security Service (FSB) this month arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. The documents indicate that Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky. The same blogs say Vrublevsky has fled the country. Sources close to the investigation say he is currently in the Maldives. Vrublevsky did not respond to multiple requests for comment.

"Topol Mailer" botnet interface allegedly used by Artimovich.

The allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which said it assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured at left) allegedly used to coordinate the DDoS attack against Assist. Group-IB said Artimovich’s botnet also was used to attack several rogue pharmacy programs that were competing with Rx-Promotion, including Glavmed and Spamit (these attacks also were observed by security firm SecureWorks in February).

This DDoS saga is the latest chapter in a fascinating drama playing out between the two largest rogue Internet pharmacies: Vrublevsky’s Rx-Promotion and Glavmed (a.k.a. “Spamit”), a huge pharma affiliate program run by Igor Gusev, the man who co-founded ChronoPay with Vrublevsky in 2003. Continue reading →


3
Mar 11

ChronoPay’s Scareware Diaries

If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.

Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.

Click image for PDF version of timeline. Each entry is clickable and links to supporting documents.

ChronoPay handles Internet bill payments for a variety of major Russian companies, including domestic airlines and utilities. But ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning.

In June 2009, The Washington Post published the results of a six-month investigation into ChronoPay’s high-risk business. At the time, ChronoPay was one of a handful of processors for Pandora Software, the most prevalent brand of rogue software that was besieging consumers at the time. That story drew links between ChronoPay and an entity called Innovagest2000, which was listed as the technical support contact in the end-user license agreements that shipped with nearly all Pandora rogue anti-virus products.

When I confronted ChronoPay’s CEO Pavel Vrublevsky in 2009 about the apparent ties between Innovagest and his company, he insisted that there was no connection, and that his company’s processing services were merely being abused by scammers. But the recently leaked ChronoPay documents paint a very different picture, showing that Innovagest2000 was but one example of a cookie-cutter operation that ChronoPay has  refined and repeated over the last 24 months.

The documents show that Innovagest was a company founded by ChronoPay’s Spanish division, and that ChronoPay paid for everything, from the cost of Innovagest’s incorporation documents to the domain registration, virtual hosting and 1-800 technical and customer support lines for the company.

The same dynamic would play out with other ChronoPay “customers” that specialized in selling rogue anti-virus software. For example, leaked internal documents indicate that ChronoPay employees created two companies in Cyprus that would later be used in processing rogue anti-virus payments: Yioliant Holdings; and the strangely named Flytech Classic Distribution Ltd. ChronoPay emails show that employees also paid for domains software-retail.com and creativity-soft.com, rogue anti-virus peddling domains that were registered in the names and addresses of Yioliant Holdings and Flytech, respectively. Finally, emails also show that ChronoPay paid for the virtual hosting and telephone support for these operations. This accounting document, taken from one of the documents apparently stolen from ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft.com (the amounts in the document are in Russian Rubles, not dollars, and the document has been edited to remove full credit card numbers and victim names).

Further, the purloined documents show these domains were aggressively promoted by external rogue anti-virus affiliate programs, such as Gelezyaka.biz, as well as a rogue anti-virus affiliate program apparently managed in-house by ChronoPay, called “Crusader.”

MEETING IN MOSCOW

Last month, I traveled to Moscow and had a chance to sit down with Vrublevsky at his offices. When I asked him about Innovagest, his tone was much different from the last time we discussed the subject in 2009. This may have had something to do with my already having told him that someone had leaked me his company’s internal documents and emails, which showed how integral ChronoPay was to the rogue anti-virus industry.

“By the time which correlates with your story, we didn’t know too much about spyware, and that Innovagest company that you tracked wasn’t used just for spyware only,” Vrublevsky said. “It was used for a bunch of shit.”

Vrublevsky further said that some of ChronoPay’s customers have in the past secretly sub-let the company’s processing services to other entities, who in turn used it to push through their own shady transactions. He offered, as an example, an entity that I wasn’t previously aware had been a customer of ChronoPay’s: A rogue anti-virus promotion program called TrafficConverter.biz.

Continue reading →


25
Feb 11

Pharma Wars

How do you chronicle the struggle for control of an underground empire when neither combatant wants to admit that he is fighting or even that a war is underway? That’s the nature of a business-feud turned turf-war that is playing out right now between the bosses of two of the Internet’s largest illicit pharmacy operations.

On Thursday, I wrote about an anonymous source using the pseudonym “Despduck” who shared a copy of the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet. The database indicates that Glavmed processed in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010.

Despduck first proffered the Glavmed data through a mutual source in the anti-spam community, and claimed that the alleged owner of the pharmacy program, a Russian businessman named Igor Gusev, would soon be charged with illegal business activities. Sure enough, near the end of September 2010, Russian officials announced a criminal investigation into Gusev and his businesses. Shortly after those charges were brought, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other pharmacy networks.

Gusev is now in exile from Russia; he blames his current predicament– and the leak of the Glavmed data — on his former business partner, fellow Muscovite Pavel Vrublevsky. The latter is a founder of Russian e-payment giant ChronoPay, a company Gusev also helped to co-found almost eight years ago (according to incorporation documents I obtained from the Netherlands Chamber of Commerce — where ChronoPay was established — for a time Gusev and Vrublevsky were 50/50 partners in ChronoPay).

As reported in my story earlier this week, tens of thousands of internal documents and emails stolen from ChronoPay and leaked to key individuals suggest that Vrublevsky is managing a competing online pharmacy network called Rx-Promotion. It turns out that the Glavmed database was stolen at about the same time as ChronoPay’s breach.

Vrublevsky denies being the source of the purloined Glavmed/SpamIt database, but the bounty of leaked ChronoPay documents suggests otherwise. Included in the email records are messages sent to and from an inbox that used the display name “Kill Glavmed.” What was the email address tied to that name? “Despduck@gmail.com,” the very same address used to communicate with my anti-spam source.

Continue reading →


24
Feb 11

SpamIt, Glavmed Pharmacy Networks Exposed

An organized crime group thought to include individuals responsible for the notorious Storm and Waledac worms generated more than $150 million promoting rogue online pharmacies via spam and hacking, according to data obtained by KrebsOnSecurity.com.

In June 2010, an anonymous source using the assumed name “Despduck” began an e-mail correspondence with a key anti-spam source of mine, claiming he had access to the back-end database for Glavmed, a.k.a. “SpamIt”, until recently the biggest black market distributor of generic pharmaceuticals on the Internet.

Source: M86 Security Labs

If you received an unsolicited email in the past few years pimping male enhancement or erectile dysfunction pills, chances are extremely good that it was sent compliments of a Glavmed/Spamit contractor or “affiliate.” According to M86 Security Labs, the sites advertised in those Glavmed/Spamit emails — best known by their “Canadian Pharmacy” brand name — were by far the most prevalent affiliate brands promoted by spam as of June 2010.

Despduck said he could deliver data on hundreds of thousands of consumers who purchased pills through Glavmed’s sizable stable of online pharma shops, as well as detailed financial records of Glavmed/SpamIt affiliates who earned thousands of dollars of month promoting pharmacy sites using spam and hacked Web sites.

After many months of promising the information, Despduck finally came through with a 9-gigabyte database file that contained three years worth of financial books for the massive illicit pharmacy network. My source shared the data with several U.S. law enforcement agencies, and ultimately agreed to share it with me.

The database reads like a veritable rogues gallery of the Underweb; In it are the nicknames, ICQ numbers, email addresses and bank account information on some of the Internet’s most notorious hackers and spammers. This huge cache of information shows that over the course of three years, more than 2,500 “affiliates” earned hefty commissions promoting Glavmed’s pharmacy sites.

In total, these promoters would help Glavmed process in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million.

Continue reading →


21
Feb 11

Russian Cops Crash Pill Pusher Party

I recently returned from a trip to Russia, where I traveled partly to interview a few characters involved in running the world’s biggest illicit online pharmacies. I arrived just days after the real fireworks, when several truckloads of masked officers from Russian drug enforcement bureaus raided a party thrown exclusively for the top moneymakers of Rx-Promotion, a major e-pharmacy program co-owned by one of the men I went to meet.

Chronopay founder Pavel Vrublevsky, at his office in Moscow

Within a few hours of my arrival in Moscow, I called Pavel Vrublevsky, the founder of ChronoPay, Russia’s largest processor of online payments. For years, I had heard that Vrublevsky was known online as “RedEye,” and that Rx-Promotion was using ChronoPay as the core credit card processor. Unlike other rogue Internet pharmacies, Rx-Promotion’s claim to fame is that it is one of the few that sells controlled substances, such as addictive painkillers like Oxycontin, Oxycodone and Codeine over the Internet without requiring a prescription.

Late last summer I came into possession of a mountain of evidence showing that not only is ChronoPay the core credit card processor for Rx-Promotion, but that Vrublevsky also is co-owner of the pharmacy program and  that ChronoPay executives have steered the pharmacy’s activities for some time.

In mid-2010, ChronoPay was hacked, and many of the company’s internal documents were posted on random LiveJournal blogs and other places that were mostly shut down shortly thereafter. But a much larger cache of tens of thousands of ChronoPay e-mails, and thousands of recorded phone calls and documents were siphoned from the company and distributed to a handful of people, including me.

Among the few others who have these documents is Igor Gusev, an early co-founder of ChronoPay and the man now charged by Russian officials as the owner of a competing online pharmacy affiliate program called Glavmed. Gusev is currently trickling out the leaked ChronoPay documents in a Russian language blog about Vrublevsky called Redeye-blog.com, mainly because he believes Vrublevsky was responsible for helping to bring the charges against him.

I told Vrublevsky that I’d also received the cache of stolen data, and as a result he has been calling me almost daily for the past eight months. His goals: To keep tabs on my activities and to learn tidbits about others in his industry. But most of all, Vrublevsky has acknowledged he’s been hoping to feed me tips that would lead to other stories that aren’t about him or what’s in those documents.

Some of what he’s told me has checked out and has indeed been useful. Yet, now that I’ve had time to pore over these documents and emails in detail (almost all of them are in Russian), a much clearer picture of Vrublevsky and his businesses is beginning to emerge.

My analysis indicates that in 2010 alone, Rx-Promotion sold tens of millions of dollars worth of generic prescription drugs (mostly to Americans), including millions of controlled pills that have high resale value on the street, such as Valium, Percocet, Tramadol, and Oxycodone. And yes, buyers are getting more or less what they’re seeking from this program, contrary to popular perception (more soon on how I know that).

I hadn’t told Vrublevsky that I was coming to Russia before I arrived on Feb. 8. But I wasted no time in phoning him via Skype, using the line he normally calls me on several times a week.

“Duuuuuuuudddde!,” he answers. “It’s 7 a.m. where you are, who died?”

Continue reading →


29
Dec 10

Russian e-Payment Giant ChronoPay Hacked

Criminals this week hijacked ChronoPay.com, the domain name for Russia’s largest online payment processor, redirecting hundreds of unsuspecting visitors to a fake ChronoPay page that stole customer financial data.

Reached via phone in Moscow, ChronoPay chief executive Pavel Vrublevsky said the bogus payment page was up for several hours spanning December 25 and 26, during which time the attackers collected roughly 800 credit card numbers from customers visiting the site to make payments for various Russian businesses that rely on ChronoPay for processing.

In the attack, ChronoPay’s domain was transferred to Network Solutions, and its domain name system (DNS) servers were changed to “anotherbeast.com,” a domain registered at Network Solutions on Dec. 19, 2010.

The attackers left a message on the ChronoPay home page – designed to look as if it had been posted by Vrublevsky (see image above) – stating that hackers had stolen the personal data of all ChronoPay users who had shared payment information with the company in 2009 and 2010.

Vrublevsky said the message was faked — that it was “absolutely not true” — and that the damage was limited to the 800 card numbers. He added that the company was still working with its registrar Directnic and with Network Solutions to understand how the attackers managed to hijack the domain.

The hackers also stole and posted online at least nine secret cryptographic keys ChronoPay uses to sign the secure sockets layer (SSL) certificates that encrypt customer transactions at chronopay.com. Vrublevsky said all but one of those certs were issued long ago: One of the certs was issued in September, albeit with an older key, he said.

Continue reading →


30
Oct 10

Bredolab Mastermind Was Key Spamit.com Affiliate

The man arrested in Armenia last week for allegedly operating the massive “Bredolab” botnet — a network of some 30 million hacked Microsoft Windows PCs that were rented out to cyber crooks — appears to have generated much of his clientele as an affiliate of Spamit.com, the global spamming operation whose members are blamed for sending a majority of the world’s pharmaceutical spam.

Armenian authorities arrested 27-year-old Georg Avanesov on suspicion of being the curator of Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers used to direct the botnet’s activities. In tandem with the arrest and the unplugging of those servers, Dutch service providers began redirecting local Internet users to a disinfection and cleanup page if their PCs showed signs of Bredolab infections.

Investigators allege that Avanesov made up to US$139,000 each month renting the botnet to criminals who used it for sending spam and for installing password-stealing malicious software. Avanesov, who is thought to have made millions over a career spanning more than a decade, was arrested after hopping a flight from Moscow to his home in Yerevan, Armenia’s capital.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said Avanesov frequently used the hacker aliases “padonaque” and “Atata,” and for many years used the e-mail address “i.am@padonaque.info.” The domain padonaque.info has long been associated with a variety of malicious software families, and the malware that once called home to it reflects the varied clientele that investigators say Avanesov attracted over the years.

Atata’s ICQ Avatar

According to information obtained by KrebsOnSecurity, that e-mail address and Atata nickname were used to register at least two affiliate accounts at spamit.com. With online pharmacy sales generating him less than $2,000 each month over the last several years, Atata wasn’t pulling in anywhere near as much as the top earners in the program, some of whom earned six figures monthly promoting counterfeit pills via spam. But Takkenberg and others say it is likely that Atata used Spamit as a place to sign up new customers who were interesting in renting his Bredolab botnet to promote their pharmacy sites.

“The main thing he did was build this botnet — mainly using a lot of hacked Web sites,” Takkenberg said. “Then he sold parts of that botnet to other clients of his, who could upload their own malware loaders, FTP [password] grabbers, whatever they wanted.”

Continue reading →