Microsoft on Monday named a Russian man as allegedly responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from a huge spam affiliate program suggests that the driving force behind Kelihos is a different individual who commanded a much larger spam empire, and who is still coordinating spam campaigns for hire.

Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used novel legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.

On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.

“It’s the same code with modifications,” said Brett Stone-Gross, a security analyst who came into possession of the Kelihos source code last year and has studied the two malware families extensively.

Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.

WHO IS SEVERA?

A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5). Spamhaus alleged that Severa was the Russian partner of convicted U.S. pump-and-dump stock spammer Alan Ralsky, and indeed Peter Severa was indicted by the U.S. Justice Department in a related and ongoing spam investigation.

It turns out that the connection between Waledac and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. The data also include tantalizing clues about Severa’s real identity.

In multiple instances, Severa gives his full name as “Peter North;” Peter Severa translates literally from Russian as “Peter of the North.” (The nickname may be a nod to the porn star Peter North, which would be fitting given that Peter North the spammer promoted shady pharmacies whose main seller was male enhancement drugs).

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period. He also was a moderator of Spamdot.biz (pictured at right), a vetted-members-only forum that included many of SpamIt’s top earners, as well as successful spammers/malware writers from other affiliate programs such as EvaPharmacy and Mailien.

Severa seems to have made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send 1 million pieces of spam; junk email campaigns touting employment/money mule scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Spamhaus says Severa’s real name may be Peter Levashov. The information Severa himself provided to SpamIt suggests that Spamhaus’s intelligence is not far off the mark.

Severa had his SpamIt earnings deposited into an account at WebMoney, a virtual currency popular in Russia and Eastern Europe. According to a source that has the ability to look up identity information tied to WebMoney accounts, the account was established in 2001 by someone who entered a WebMoney office and presented the Russian passport #454345544. The passport bore the name of a then 26-year-old from Moscow — Viktor Sergeevich Ivashov.

SPAMDOT SECRETS

So where are the clues suggesting that Severa ran Waledac? Krebs On Security also managed to secure a copy of the Spamdot.biz forum, including the private messages for all of its users. On August 27, 2009, Severa sent a private message to a Spamdot.biz user named “ip-server.” Those communications show that the latter had sold Severa access to so-called “bulletproof hosting” services that would stand up to repeated abuse claims from other ISPs. The messages indicate that Severa transacted with ip-server to purchase dedicated servers used to control the operations of the Waledac botnet.

In the private message pictured in the screen shot to the left, Severa writes (translated from Russian):

“Hello, writing to your ICQ, you are not responding.  One of the servers has been down for 5 hours. The one ending on .171.  What’s the problem, is it coming up or not, and when?”

ssh 193.27.246.171
ssh: connect to host 193.27.246.171 port 22: No route to host”

Ip-server must have resolved the outage, because the server that Severa was complaining about — 193.27.246.171 — would be flagged a day later by malware analysts, and tagged as a control server for the Waledac botnet.

There are clues that suggest a relationship between Severa and Kelihos that go beyond similarities in the code that powers the two botnets. Last summer, prior to Microsoft’s takedown of Kelihos, I wrote about another venture that Severa widely advertised on hacker forums: “Sevantivir,” an affiliate program that rewarded hackers for tricking people into installing and ultimately paying for fake antivirus software.

In that story, I cited research by French malware investigator and blogger Steven “Xylitol” K, who found that the installer program that Severa was giving to affiliates seeded infected PCs with both fake antivirus and a copy of Kelihos. From that story:

“Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.”

It’s not clear what botnet infrastructure he is using now, but Severa is still the spam service administrator on several underground forums, pimping his spam services, remarkably under most of the same prices he offered them for in 2008.

Contacted via instant message and presented with the evidence, Severa denied everything, saying he only did small opt-in mailings, had never used a botnet, and had been out of the business for years. When pressed about his fake antivirus affiliate program, Severa said he didn’t realize his antivirus program was fake, and that he didn’t know anyone named Sabelnikov, or even Ralsky. When presented with the screen shot below — which shows Severa complaining on Spamdot about how his broker ran away and that he was faced to find a new sponsor for spamming penny stocks just days after Ralsky’s arrest in Jan. 2008 — Severa said someone else must have been using his Spamdot account.

“The truth is that some people sharing servers, spamdot account and some other forum accounts [in] those years,” he explained. He gave the same reply when asked about the screen shot showing his renting the server used to control Waledac.

Kelihos may not be completely gone. Stone-Gross said he recently uncovered a malware sample that appears to be another installer for Kelihos.

“The guys running these botnets are making lots of money,” Stone-Gross said. “They’re not just going to sit back and say, ‘Oh no, they took down our botnet, let’s give up on our business.’ They’ll use pay-per-install affiliate programs to reinfect more machines and bring the botnet right back up.”

Severa writes: "Because of issues with Ralsky my broker ran away along with two other people who could supply stocks. I am forced to look for new contacts. So -- I AM LOOKING FOR STOCK SPONSOR"

An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years.

I recently highlighted the financial links among the organizations responsible for promoting fake antivirus products and spam-advertised pharmacies; all were relying on a few banks in Azerbaijan to process credit card payments.

In this segment, I’ll look at the personnel overlap between the fake AV and pharma industries. The data is drawn from two places: a study done by researchers at the University of California, Santa Barbara (UCSB) that examined three of the most popular fake AV affiliate services which pay hackers to foist worthless software on clueless Internet users; and the leaked Glavmed/Spamit affiliate database, which includes the financial and contact information for many of the world’s top spammers and hackers.

UCSB researcher Brett Stone-Gross and I compared the ICQ instant message numbers belonging to affiliates from Glavmed/Spamit with the ICQ numbers used by affiliates of the largest of the fake AV programs measured by his research team. The result? 417 out of 998 affiliates who were registered with the fake AV distribution service — a whopping 42.2 percent — also were registered pharma spammers with Glavmed/Spamit.

Unfortunately, the other two fake AV affiliate programs had not stored affiliate ICQ numbers in their databases, so we needed to find another basis for examining users of these programs. Instead, we looked for common email addresses among affiliates of the three fake AV programs and for affiliates of Glavmed/Spamit. This is almost certainly a conservative measure of overlap, because miscreants tend to change email addresses more frequently than they adopt new ICQ numbers. Even so, we found that the rate of email address overlap was high, between 19 and 27 percent across all programs:

STRADDLING BOTH WORLDS

A textbook example of this overlap was a key Spamit member, a hacker named “Severa.” Prior to Spamit’s shutdown in September 2010, Severa was a moderator of the “spam” section on the site (like most cybercrime forums, Spamit had sections dedicated to a range of criminal enterprises).

Severa is short for “Peter Severa,” a Russian who is listed at #5 on Spamhaus‘s Register of Known Spam Operations (ROKSO). According to Spamhaus, Severa is one of the longest operating criminal spam-lords on the Internet. Severa advertises his spamming services on several invite-only cyber crime forums.

Until last month, Severa ran a fake antivirus distribution affiliate program called Sevantivir, which seems to have counted among its ranks a large number of Glavmed/Spamit members (Sevantivir is not one of the three fake AV services included in the UCSB study).

It appears that Severa has been using his fake AV affiliate program to generate new infections for the botnet that powers his spamming service. Last month, I reached out to French security blogger Steven K., after reading one of his posts about a different fake AV affiliate program. I showed Steven an easy way to obtain a malware download from the Sevantivir affiliate Web site, and he spent the next couple of days studying the malware.

Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.

Microsoft targeted the Waledac botnet last year in a sneak attack on its control infrastructure. Microsoft does not consider this Kelihos.b worm to be in the same family as Waledac, as claimed by some researchers.  Microsoft states: “Based on our analysis, we have classified this as a new family and not a variant of Waledac. It is important to note that this new family is not communicating with nor is it reactivating the original Waledac which had its command and control infrastructure neutralized last year.”

Stay tuned for the final story in this series, which will look at how recent events have impacted the fake AV industry.

Aaron Wendel opened the doors of his business to some unexpected visitors on the morning of Mar. 16, 2011. The chief technology officer of Kansas City based hosting provider Wholesale Internet found that two U.S. marshals, a pair of computer forensics experts and a Microsoft lawyer had come calling, armed with papers allowing them to enter the facility and to commandeer computer hard drives and portions of the hosting firm’s network. Anyone attempting to interfere would be subject to arrest and prosecution.

Weeks earlier, Microsoft had convinced a federal judge (PDF)  to let the software giant seize control of server hard drives and reroute Internet addresses as part of a carefully timed takedown of the Rustock botnet, which had long reigned as the world’s most active spam-spewing crime machine.

In tandem with the visit to Wholesale Internet, Microsoft employees and U.S. marshals were serving similar orders at several other hosting providers at locations around country.  Microsoft’s plan of attack — which it spent about six months hatching with the help of a tightly knit group of industry and academic partners — was to stun the Rustock botnet, by disconnecting more than 100 control servers that the botnet was using to communicate with hundreds of thousands of infected Windows PCs.

Only two of the control servers were located outside the United States; the rest operated from hosting providers here in the US, many at relatively small ISPs in Middle America.

Concentrations of Rustock control networks.

Microsoft was careful not to make any accusations that hosting providers were complicit in helping the Rustock botmasters; however, some of these control servers existed for more than a year, and most likely would have continued to operate undisturbed had Microsoft and others not intervened. Using data gathered by Milpitas, Calif. based security firm FireEye, which assisted Microsoft in the takedown, I was able to plot the location and lifetime of each control server (the map above is clickable and should let you drill down to the details of each control server; the raw data is here). The average life of each controller was 251 days — a little over eight months.

Wholesale Internet’s Wendel said his organization takes action against any customers that appear to be violating the company’s terms of use or its policies. But he insisted that the visit by Microsoft and the marshals was the first time he’d heard that any of the 16 Rustock command and control servers were located on his network.

“To be perfectly honest with you, we never heard of Rustock until Wednesday,” Wendel said in a phone interview last Friday. Wendel also said he  hadn’t heard anything about the problematic servers from either Spamhaus or Shadowserver, which allow ISPs and hosting providers to receive reports about apparent botnet control servers and bot infections on their networks. Both Shadowserver and Spamhaus dispute this claim, saying that while they certainly did not alert Wholesale to all of the problem Internet addresses that it may have had on its network, they filed several reports with the company over the past six months that should have given the company cause to take a closer look at its customers and systems.

PUSHING THE LEGAL ENVELOPE

This is not the first time Microsoft has used the courts to kneecap a major spam botnet. In February 2010, Microsoft convinced a court to give it ownership of 276 domain names that were being used to control the massive Waledac botnet.

Seized hard drives. Image courtesy Microsoft.

But Microsoft was forced to go a slightly different legal route in this civil case, said Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. Boscovich said the company gained authority for last week’s action by using a novel legal interpretation of The Lanham Act, federal statutes that prohibit trademark infringement, trademark dilution and false advertising.

For years, authorities and companies have used The Lanham Act to get permission to seize a range of counterfeit goods, such as knockoff designer handbags and pirated DVDs. In this case, Microsoft worked with pharmaceutical giant Pfizer, whose brand name blockbuster Viagra was among the trademarks most abused in the millions of spam emails being sent out daily by Rustock-infected PCs. According to a supporting document filed by Pfizer (PDF), company investigators followed the links in the junk e-mails, and purchased pills advertised as Viagra from the rogue online pharmacies linked in the messages.

Boscovich said that in addition to promoting rogue pharmacies, Rustock spam also was pimping lottery scams that abused Microsoft’s trademarks. Microsoft wanted to gather evidence of the spam “templates” (HTML content) the Rustock control servers were forwarding to infected machines for junk e-mail delivery.

“To do that we would potentially have to seize servers or hard drives, and my job as the lawyer on the team was to come up with some sort of legal strategy, because the legal remedy we’d used with Waledac didn’t give us the authority to seize” [physical property],” Boscovich told KrebsOnSecurity.com. “But the Lanham Act has a provision that allows you – under certain circumstances — to seize infringing items without notice, and then hold a hearing on the seizure several days later. So what I did was I used the analog in the cyber world, to get seizure warrants in all of the machines across the country that were [managing] the bots. And there we anticipated we would find templates on those drives with our trademarks and Pfizer’s would be present, and we would seize or copy those drives and that would be the evidence.”

But not everyone is comfortable with Microsoft or any other company pushing the envelope on civil statutes to seize digital equipment, particularly server hardware that may contain data that goes far beyond the scope of the alleged infringement used to justify the seizure order.

“When you treat hard drives as nothing more than a piece of equipment as opposed to a repository of information, some of which may be relevant to the case and some of which is not, you could run into a lot of trouble,” said Marc Rasch, a former computer crimes prosecutor for the U.S. Justice Department.

“We need to have a better, more efficient way of shutting down botnets in the US and internationally,” Rasch said. “I’d prefer that there was a separate remedy at our disposal that had privacy protections built-in.”

THE TAKEDOWN TOLL AND COMING CLEANUP EFFORT

According to the court order, Microsoft also won control over more than 1,500 domain names that Rustock-infected PCs could use to self-generate new control networks. Security experts believe Rustock has a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster(s) to regain control over the pool of still-infected PCs.

Source: CBL

In addition, the takedown effort involved the purchase of an unspecified number of as-yet-unregistered domains that Rustock may seek in the days and weeks ahead. Boscovich declined to say how many of these resurrection domains the company had registered, or for how long into the future it had registered them. But he said Microsoft and its partners in the takedown were seeking help from domain registrars and registries to avoid purchasing more new domains, which he said can become “very expensive” even for a short duration.

The stun against Rustock appears to have worked according to plan, at least for now. A new report published by the Composite Block List (CBL), the anti-spam group that gathers data used by Spamhaus, shows that Rustock had been pushing spikes of spam that regularly account for 80% of all spam. The CBL said this happened almost every other day, with a gradual decline in spam volume over the rest of each day and sometimes into the next.

From the CBL report:

“At 14:45 GMT on March 16, Rustock appears to have been ‘caught’ just at the beginning of one of these spikes, and abruptly and precipitously fell to essentially zero output. The shape of the event is more dramatic than the Rustock ‘vacation‘ during late Dec 2010 and early Jan 2011, and if prolonged, will represent a more significant event than the McColo shutdown in November 2008.”

Microsoft now is turning its attention to cleaning up the substantial pool of Windows PCs that remain infected with Rustock. The company believes upwards of a million computers may still be compromised by Rustock, which the software giant said often comes steeped in a “devil’s brew” of between 16 and 20 other malicious programs.

“We feel confident working with our industry partners that the fallback mechanisms embedded in the malware won’t succeed” [in resurrecting the botnet],” Boscovich said. “Now, our long term objective is to notify ISPs and get them to help clean the infected systems — not only of Rustock but a host of other bad things on them.”

Microsoft said that at the time of the Waledac takedown in February 2010, it observed approximately 70,000 to 80,000 infected IP addresses. “Thanks to clean-up efforts  by the industry and customers, aided  by natural decay, we are currently seeing just over 22,000 Waledac infected  IP addresses, and we expect that number to continue to decline,” the company said in an e-mailed statement.

That cleanup effort could take a long time, even if Rustock does remain inactive. Unfortunately, even if this effort succeeds, there is no guarantee that other botnets won’t arise to fill the gap. Spamming is so profitable that other malefactors will soon jump in. No one has yet devised a long-term, fail-safe solution to the  problem.

Read more about the impact of the Rustock botnet takedown:

FireEye: An Overview of Rustock

Symantec: Has the Rustock Botnet Ceased Spamming?

Trend Micro: The Final Nail on Rustock’s Coffin, or Is It?

Microsoft’s lawyers this week engineered a pair of important takedowns, one laudable and the other highly-charged. The software giant orchestrated a legal sneak attack against the Web servers controlling the Waledac botnet, a major distributor of junk e-mail. In an unrelated and more controversial move, Redmond convinced an ISP to shutter a popular whistleblower Web site for hosting a Microsoft surveillance compliance document.

On Feb. 22, a federal judge in Virginia granted a request quietly filed by Microsoft to disconnect 277 Internet domains believed to be responsible for directing the daily activities of the Waledac botnet, estimated to be one of the ten-largest spam botnets in existence today and responsible for sending 1.5 billion junk e-mails per day. Microsoft said it found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

The takedown, which Microsoft dubbed “Operation b49,” has “quickly and effectively cut off traffic to Waledac at the ‘.com’ or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world,” the company said. From the official Microsoft blog:

“Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware.”

What praise and adulation the IT industry might heap on Microsoft for this effort, however, may be drowned out by the growing chorus of criticism over Microsoft’s legal victory against a popular whistleblower Web site. Alleging copyright infringement, Microsoft went after Cryptome.org curator John Young on Tuesday after he posted a Microsoft compliance document that the company gives to law enforcement agents seeking information on Microsoft users.

On Wednesday, Cryptome was shut down by its hosting provider, Network Solutions. As wired.com’s Ryan Singel writes, the takedown shuttered “a site that thumbed its nose at the government since 1996 — posting thousands of documents that the feds would prefer never saw the light of day.”

Predictably, the document has since shown up on numerous other Web sites, including Wikileaks.org, and Wired.com. It includes information about the various types of customer information available to law enforcement across Microsoft’s properties, such as Xbox Live. The document, titled “Global Criminal Compliance Handbook,” is worth a read for anyone curious about the types of identifying user information that Microsoft may make available to law enforcement upon request

“On the botnet stuff, Microsoft deserves credit for its strategy and the court deserves kudos for understanding the importance of the case,” former Justice Department prosecutor Mark Rasch said. “The other takedown, though, is unwinable for Microsoft, because it’s a little like wrestling with a pig: You’re just going to make the pig mad.”

Update, 1:19 p.m. ET: ReadWriteWeb is reporting that Microsoft has decided to withdraw the copyright complaint against Cryptome, and that the site is expected to be back online today.