Who controlled the Rustock botnet? The question remains unanswered: Microsoft’s recent takedown of the world’s largest spam engine offered tantalizing new clues to the identity and earnings of the Rustock botmasters. The data shows that Rustock’s curators made millions by pimping rogue Internet pharmacies, but also highlights the challenges that investigators still face in tracking down those responsible for building and profiting from this complex crime machine.
Earlier this month, Microsoft crippled Rustock by convincing a court to let it seize dozens of Rustock control servers that were scattered among several U.S.-based hosting providers. Shortly after that takedown, I began following the money trail to learn who ultimately paid the botnet controllers’ hosts for their services.
According to interviews with investigators involved in the Rustock takedown, approximately one-third of the control servers were rented from U.S. hosting providers by one entity: A small business in Eastern Europe that specializes in reselling hosting services to shadowy individuals who frequent underground hacker forums.
KrebsOnSecurity.com spoke to that reseller. In exchange for the agreement that I not name his operation or his location, he provided payment information about the customer who purchased dozens of servers that were used to manipulate the day-to-day operations of the massive botnet.
The reseller was willing to share information about his client because the customer turned out to be a deadbeat: The customer walked out on two months worth of rent, an outstanding debt of $1,600. The reseller also seemed willing to talk to me because I might be able bend the ear of Spamhaus.org, the anti-spam group that urged ISPs worldwide to block his Internet addresses (several thousand dollars worth of rented servers) shortly after Microsoft announced the Rustock takedown.
I found the reseller advertising his services on a Russian-language forum that caters exclusively to spammers, where he describes the hardware, software and connection speed capabilities of the very servers that he would later rent out to the Rustock botmaster. That solicitation, which was posted on a major spammer forum in January 2010, offered prospective clients flexible terms without setting too many boundaries on what they could do with the servers. A translated version of part of his message:
The reseller said he had no idea that his customer was using the servers to control the Rustock botnet, but he hastened to add that this particular client didn’t attract too much attention to himself. According to the reseller, the servers he resold to the Rustock botmaster generated just two abuse complaints from the Internet service providers (ISPs) that hosted those servers. Experts say this makes sense because botnet control servers typically generate few abuse complaints, because they are almost never used for the sort of activity that usually prompts abuse reports, such as sending spam or attacking others online. Instead, the servers only were used to coordinate the activities of hundreds of thousands of PCs infected with Rustock, periodically sending them program updates and new spamming instructions.
The reseller was paid for the servers from an account at WebMoney, a virtual currency similar to PayPal but more popular among Russian and Eastern European consumers. The reseller shared the unique numeric ID attached to that WebMoney account — WebMoney purse “Z166284889296.” That purse belonged to an “attested” WebMoney account, meaning that the account holder at some point had to verify his identity by presenting an official Russian passport at a WebMoney office. A former law enforcement officer involved in the Rustock investigation said the name attached to that attested account was “Vladimir Shergin.” According to the reseller, the client stated in an online chat that he was from Saint Petersburg, Russia.
A LUCRATIVE PILL-PUSHING MACHINE
As it happens, that same WebMoney account is connected to three of the top promoters of “SpamIt,” a rogue pharmacy program that paid spammers millions of dollars to promote fly-by-night sites that sold counterfeit prescription drugs. SpamIt closed its doors in September 2010 when its alleged leader came under scrutiny from Russian authorities. The SpamIt financial books sent to me by an anonymous source last year include the ICQ numbers, phone numbers and financial account information for hundreds of established criminal hackers and spammers. The SpamIt accounts show that a promoter using the nickname “Cosma2k” who used that WebMoney account was consistently among the top 10 moneymakers for SpamIt, and that he earned more than a half-million dollars in commissions over the course of three years with the pharmacy program.
Yet this appears to be only a fraction of Cosma2k’s total earnings through SpamIt. The pharmacy program’s records show that a Cosma2k affiliate also used at least one other WebMoney account that was shared with two other top SpamIt members, accounts tied to the user names “Bird” and “Adv1.” A review of the account details for all three affiliates show they also all provided the same ICQ number at time of registration. The total commissions from all three user accounts at SpamIt was nearly $2.14 million over three-and-a-half years.
But that’s not all: Those same three affiliate names — Cosma2k, Bird and Adv1 — also were registered using the same ICQ account at Rx-Promotion, a competing rogue Internet pharmacy program. Rx-Promotion suffered a security breach last year in which its affiliate records were taken. A copy of those records was shared with KrebsOnSecurity.com, and they show that these three accounts collectively earned approximately $200,000 in commissions by promoting pharmacy Web sites for Rx-Promotion in 2010.
If Cosma2k really is responsible for Rustock, the payment data suggests either that he was sharing control over the botnet with others, or that he split his promotion activities across multiple accounts, perhaps to keep legions of other affiliates from feeling resentful of his earnings and to avoid calling undue attention to any one account. In fact, the SpamIt account belonging to Bird was by far the highest earning affiliate account in the entire history of program, and Bird routinely earned twice as much in commissions as the next most successful affiliate (which often enough was either Cosma2k or Adv1). In January 2010, for example, the SpamIt records show Bird’s spam generated more than $130,000 in pharmacy sales, while the next most successful affiliate for that month realized about $86,000 in sales.
Alex Lanstein, a network architect at FireEye, a Milpitas, Calif. based security firm that worked closely with Microsoft on the Rustock takedown, said he doubts there were multiple people responsible for running Rustock.
In fact, Lanstein said, bots such as ZeuS and Mega-D have shown that it doesn’t take more than one coder to be wildly successful. “Most people probably assume that to be wildly successful in the world of botnets, you need to have a huge team of programmers. Most malware these days is specialized with only one or two real functions built-in,” Lanstein said. “Why incur of the overhead of splitting profits when a bot operator can pay one-time fees to a 3rd party service and keep the real profit for yourself?”
“Unfortunately the barrier for entry into the malware game is extremely low, and when extradition is difficult, and the criminals avoid affecting computers in their own country, the burden on law enforcement is extreme.”
SOFTWARE GIANT SEEKS BOTMASTER FOR COURTROOM DRAMA
Microsoft also was in communication with my informant reseller, and obtained much of the same data as I did. And the company plans to soon publish at least some of the information, albeit in a rather unusual way. According to Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, the software giant seized the Rustock control servers by securing what’s known as an “ex parte temporary restraining order,” which allowed Microsoft to take down the botnet without giving the defendants advance notice.
But Microsoft is required by law to now make a “good faith effort” to contact the owner(s) of Rustock control domains and other infrastructure the company has since seized, and to notify the individual(s) of the date, time and location of an upcoming court hearing in Seattle, Washington, where the defendants will have an opportunity to be heard.
Microsoft will publish the information on a Web site set up for this purpose – noticeofpleadings.com. The company may also seek to publish the information in one or more major Russian newspapers, Boscovich said.
“We will have to send out a notice to the individual or [group of] individuals we believe is behind the bot,” Boscovich said. “We will probably also serve notice of process in Russian newspapers or in a Saint Petersburg newspaper, saying ‘Hey, Mr. Such-and-Such, there is a court hearing in Seattle on this case and we expect you to be there.'”
It will be interesting to see who, if anyone, responds to the Microsoft notices, and whether the veil of anonymity will be lifted from the pseudonyms of botmasters, spammers, and account holders. Stay tuned!
Impressive work Brian, as always. Your skills would also benefit pulling back the layers of the APT onion.
good writeup brian, it is very interesting read.
If only WebMoney would share the details… Can’t Microsoft or some other US LE agency force them to ? It’s USA after all.
Er..not really. I believe WebMoney is incorporated in Belize.
even if webmoney shared the information my guess is false information and because everyone who doing cybercrime they use false information or such thing called “DROP” , so it’s quiet impossible for someone who could make around 100k++ per month to receive them direct to his name , even a stupid kid wouldn’t do that , so that’s why the microsoft didn’t take over it , and didn’t give it a serious issue , their problem is datacentre and they take it down
I noticed before, when Brian takes more than 2 days break from posting, the next article literally blow heads off. Excellent article, you really set very high standards here. It seems to me the trail is strong enough and if the last 2 actors (Webmoney and Russian Federation Law Enforcement) were persuaded to cooperate, it would be possible to apprehend this individual. Unfortunately, the amount of monies he appears to be making are reducing this possibility to almost zero: he could buy his way out in no time or disappear in some exotic paradise when the pursuit gets hot.
Fantastic article… Great research!
I would have a mellow feeling for a couple of days if the WebMoney folks were taken down and brought forth as criminals. They assisted to bringing all the pain of spam acting as Rustock’s escrow or money tunnel.
I told you at MAAWG in DC, and I remain convinced that this epic story you’ve pieced together will make a fantastic book. And the book will make a fantastic movie. I’m thinking “Bringing Down the House” and “21”. C’mon, do it for your fans!
Wow, that looks like its gonna be good!
And another spammer for that website smears its name in the comments section.
In the overall picture, I can’t help but think that a large part of the problem, other than the bad guys of course, is the number of people duped into a: buying prescription drugs from rogue online pharmacies (who knows what’s in them, where they come from), or b: get their computer compromised making it part of a botnet. To be clear, my point is the bad guys wouldn’t be able to do what they do and make so much money off of doing so if it were not for all the victims who fall for their wares. In all seriousness, my mentality is hell no, it’s MY body and I’ll be damn sure what I’m putting into it (willing to pay more to get something from a brick and mortar pharmacy where I have recourse should something go amiss). It’s MY computer, and like my body, I’m going to protect it and not allow anyone else to fool me into giving up control it! Am I just that cynical/guarded or are people really so ignorant? Wait, don’t answer that (rhetorical question!) 🙂
Extradition is difficult, so please make your own way to Seattle? 🙁
Hah! Thanks for the laugh, Jane.
What a great article, Brian. I am used to timely and thorough information from you, but since I just discovered your blog last year and before 2009 I had only general concerns about security issues, I hadn’t read anything you wrote as a Post reporter. This is amazing, and, like all of your posts, very easy for the lay person to digest.
Thanks for the hundredth-plus time. Now I’m off to dig up some more of your stories…and to click on the “Donate” button. Please don’t ever leave us. 🙂
(I’d buy the book and go to the movie.)
A fascinating article brian.
alot of people from both sides of the ‘moral fence’ read your blog and i must say its a cracker!
Russian citizenship is worth its weight in gold, if you have issues of legalities in your own country. as russia has no extradition treaties. A russian bride may not just be useful for old western socially retarded men!
come to think of that i know russia wont extrodite its citizens what about its citizens via marriage?
Do you know how Rustock was spread? i presume via email spam? and how did this botnet gain the name rustock?
Did anyone here about spamhaus persuing the teenage coder who was behind mail mascot (a desktop mailer sold on blackhat world). although i have a low view on spamhaus anyway posting his name phone number and address (bear in mind hes a very niave student not a spammer) and posting it on there rokso list. a list viewed by lots of anti spammers.
wonder what would happen if the card was turned over and the name address phone numbers of the people behind spamhaus were put on eva pharmacys membership area. (most probably they would be taken into hiding for their own protection).
ahwell good to see your source has completely killed his underground hosting business. Giving out personal information like that (even if the customer is late on payment) is going to lose you all your customer base.
Spammers do post the personal information of antispammers on their forums. But their mailers are still too stupid to stop sending us their spams.
the whole point of honey pots are not to be caught, the way spammers mostly get there leads is via compramised databases or scraped its easy for spamhaus or any other anti spam organisation to create new honey pots.
although there are lists of known honeypots there are always ones which are being created
Good Article Mr. Krebs.
In the base of affiliate program Spamit the mailing address of advert Cosma2k is firstname.lastname@example.org. I have a copy of site ger-mes.ru, now it is disconnected. There was a CV of Cosma2k on it, his photo and real name Dmitry Novgorodtsev.
Yes, that is correct, Bill. I think you’re referring to the following page (I just remembered that I’d taken a screen shot of it when I first saw it).
Here is an even better cache of that page. He claims he wants to work at Google.