September 7, 2011

Yesterday I wrote about the public storefront where anyone can rent access to computers infected with TDSS, widely considered one of the largest and most complex botnets on the planet. Today, I’ll take a closer look at a Russian individual who appears to have close ties to the TDSS operation.

Tuesday’s story got picked up by news-for-nerds site Slashdot, and one of the comments on the piece observed that the storefront for TDSS — — has a Google Analytics code embedded in the homepage. That code, UA-3816538, is embedded in six other Web sites, including (a clone of, according to a lookup at

Using, I was able to find the historical Web site registration records for (the historical data for is hidden). Those records show that the domain was registered on Feb. 27, 2008 to an individual in Russia who used the email address Another Web site with that same Google Analytics code, (hostile site), also includes that email address in its historical records. Awmproxy began offering proxies on March 16, 2008.

WHOIS records also indicate was used to register, a site which is no longer active. The name given by the person who registered was Galdziev Chingiz in St. Petersburg, Russia. That same name is on the registration records for, but lists a different contact email address:
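The two pivots used above, a Google Analytics account ID shared across several homepages and then a registrant e-mail shared across historical WHOIS records, as an added Python example that is not code from the original post. The domains, tracker IDs and e-mail addresses in it are constructed placeholders, not the ones the story refers to, and the function names are my own. Note that a UA tracker ID has the form UA-<account>-<property>; the story's code (UA-3816538) is the account part, so the example compares account IDs and ignores the property suffix. Both indexes feed one breadth-first pivot that records which indicator linked each domain, so every association stays explainable when the WHOIS name fields cannot be trusted and only the e-mail is being used as the link, as the post does.

```python
"""Infrastructure pivot on shared web-tracker IDs and registrant e-mails.

Added example with constructed data: the domains, tracker IDs and e-mail
addresses below are placeholders, not the ones from the story.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque

# Classic Google Analytics IDs have the form UA-<account>-<property>. Sites
# that share the <account> part belong to one Analytics account even when the
# property index differs, so the index is dropped before comparison.
_GA_ACCOUNT_RE = re.compile(r"\b(UA-\d{4,10})(?:-\d{1,3})?\b")


def extract_ga_accounts(html: str) -> set[str]:
    """Return the GA account IDs (without property suffix) embedded in a page."""
    return set(_GA_ACCOUNT_RE.findall(html))


def index_by_tracker(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each GA account ID to the set of domains whose HTML embeds it."""
    index: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for account in extract_ga_accounts(html):
            index[account].add(domain)
    return dict(index)


def index_by_registrant_email(whois: list[dict[str, str]]) -> dict[str, set[str]]:
    """Map each registrant e-mail (trimmed, lower-cased) to the domains it registered."""
    index: dict[str, set[str]] = defaultdict(set)
    for record in whois:
        index[record["email"].strip().lower()].add(record["domain"])
    return dict(index)


def pivot(seed: str, *indexes: dict[str, set[str]]) -> dict[str, list[str]]:
    """Breadth-first walk from `seed` over every indicator shared by 2+ domains.

    Returns {domain: [indicators that linked it back to the seed]}, so each
    association is explainable. An indicator seen on only one domain links
    nothing and is ignored.
    """
    domain_to_indicators: dict[str, set[str]] = defaultdict(set)
    indicator_to_domains: dict[str, set[str]] = {}
    for index in indexes:
        for indicator, domains in index.items():
            if len(domains) < 2:
                continue
            indicator_to_domains.setdefault(indicator, set()).update(domains)
            for domain in domains:
                domain_to_indicators[domain].add(indicator)

    linked: dict[str, list[str]] = {seed: []}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for indicator in sorted(domain_to_indicators.get(current, ())):
            for neighbour in sorted(indicator_to_domains[indicator]):
                if neighbour not in linked:
                    linked[neighbour] = linked[current] + [indicator]
                    queue.append(neighbour)
    return linked


# Constructed homepage snippets: three sites share account UA-1234567.
PAGES = {
    "storefront.example": "<script>_gaq.push(['_setAccount', 'UA-1234567-1']);</script>",
    "clone.example": "<script>ga('create', 'UA-1234567-2', 'auto');</script>",
    "registrar.example": "<script>_gaq.push(['_setAccount', 'UA-1234567-3']);</script>",
    "unrelated.example": "<script>ga('create', 'UA-7654321-1', 'auto');</script>",
}

# Constructed historical WHOIS records: one e-mail registered two domains.
WHOIS = [
    {"domain": "storefront.example", "email": "registrant@mail.example"},
    {"domain": "vpn.example", "email": "Registrant@Mail.example"},
    {"domain": "unrelated.example", "email": "someone-else@mail.example"},
]

if __name__ == "__main__":
    links = pivot("storefront.example",
                  index_by_tracker(PAGES), index_by_registrant_email(WHOIS))
    for domain, chain in links.items():
        print(f"{domain:20} via {' -> '.join(chain) or '(seed)'}")
```

Running it from the constructed seed links the clone and the registrar through the shared tracker account and the VPN site through the shared e-mail, while the unrelated site, whose tracker and e-mail appear nowhere else, is never pulled in. In real use the HTML comes from fetched homepages and the WHOIS list from a historical-WHOIS provider; the pivot logic is unchanged.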

Googling for the address turns up a LiveJournal blog by a user named Fizot who provides a contact email address of Fizot isn’t the most prolific blogger, but he has 27 journal entries on his page, and discusses everything from life in St. Petersburg to earning millions of dollars.

In one entry, Fizot discusses having bought a sports car with a license plate number that includes the Number of the Beast: “666.” It turns out that there is a channel belonging to a user named Fizot who designates the domain name as his personal Web site. Fizot has uploaded just four videos since the account was created in July 2007. Among the videos is a short movie uploaded on Oct. 5, 2007, showing a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming away from the camera in a shopping mall parking lot, before turning around and heading back to the filmmaker. A license plate cover beneath the tags indicates the car’s owner is or was a member of the Moscow Porsche Club.

Fizot’s plates

Fizot may only be tangentially connected to those responsible for building and maintaining the TDSS botnet, but it is likely that he and some of his pals in the SPB and RU Auto clubs know the responsible parties.

Update, 2:36 p.m. ET: Getting some additional info from helpful readers. That same Google Analytics code is present on the site, which appears to be a domain name registrar. Also, that same address provided by Fizot at his LiveJournal blog was the email used to register, a VPN service that advertises “full anonymity on the Net.”

Update, 4:54 p.m. ET: It appears that Fizot has deleted nearly all of the posts on his LiveJournal account. I sort of expected he might do that. Here are cached versions of his home page and contact page at LiveJournal. He has also removed all of his YouTube videos, but I made copies of them before I put this story up. Here’s a link to the video that is screenshotted above. In the meantime, Fizot has only one blog entry now at his LiveJournal page, in which he claims to have sold the AWMproxy service long ago. But to whom? Fizot writes:

“I have no relation to the draft awmproxy and sold it long ago. Stop writing to me and bother, please contact the author. I am not related to awmproxy project, since I have sold it out long ago. Please, stop writing to me and bothering me. You need to contact the resource owner.”

If you liked this story, please consider reading Rent-a-Bot Networks Tied to TDSS Botnet.

60 thoughts on “Who’s Behind the TDSS Botnet?”

    1. BrianKrebs Post author

      Thanks, Fil0s0v!

      So, it’s pretty unlikely that Mr. Fizot sold this service like he claims. If one happens to buy a proxy from, one would get a nice follow-up email from Mr. Fizot himself.

      This was sent in response to a purchase made at AWMproxy yesterday:

      Dear ,

      Thank you for your recent purchase using the Online Store.

      Plimus is under contract with AwmProxy to process orders and collect payments.

      If you have any content-related or technical questions about the
      product, only the manufacturer can provide proper support, please
      Name: AwmProxy

      If you contact the seller, please be patient and allow them 2 business
      days to respond.

      If after two business days the issue remains unresolved, Plimus will
      be happy to assist you directly. To make a customer service inquiry
      regarding this purchase please visit:

      We have received your order and your credit card charge has been authorized.

      Use the link below to request product support, see your order
      information online, retrieve your receipt, obtain an official invoice,
      request refund or to have your product/registration keys resent (if
      applicable), do not reply to this email as your reply will go unread:

      We appreciate your business and look forward to serving you again in
      the future. Please find the receipt for your order at the end of this

      Best regards,

      The Plimus Team on behalf of

      IMPORTANT: This charge will appear on your credit card statement as
      “PLI*AWM TEAM”

      Payment Details:

      Order Reference Number:
      Account Number:

      Order Date:

      Product Qty Unit Price Ext. Price
      Awm Proxy $
      Total: $

      Thank You,

      The Plimus Team on behalf of

      1. Aleksey

        So this is how they accept MC and Visa…

        Here’s a list of people who among others are profiting from monetizing the TDSS botnet:

        I just sent Plimus an email asking them to sever their ties with awmproxy and to stop being an accessory to a major online crime. I urge everyone to do the same.

  1. Visgean Skeloru

    Seriously, good work. I would be interested whether those people actually planned these things for a long time or whether they just came into making malware by small steps. I mean, if I was going to write some malware I would do it completely anonymously using TOR and I would never have used such an identity for anything else.

  2. Wladimir Palant

    For reference: Galdziev Chingiz is most likely the transliteration of Чингиз Гальджиев (transliteration leaves some room for interpretation but this is a last name that actually exists). Google even lists some hits for a person with that name but those seem unrelated (this person doesn’t live in Saint Petersburg).

    1. Fil0s0v

      I did the same search on Чингиз Гальджиев, but found no related references.

      1. Wladimir Palant

        There are two entries on Гальджиев Чингиз Михайлович who seems to be living in Elista (Элиста). It’s definitely not a very common last name.

    2. Wladimir Palant

      Brian, the whois data is most likely fake. I’ve seen two places now where fizot calls himself Олег (Oleg). While the address given definitely exists, “Lenin street” is the “default address” for any post-Soviet city. As to the postal code, St. Petersburg’s postal codes start with “19”, never with “15”. Finally, I checked two databases for St. Petersburg and they don’t have anybody with the last name Гальджиев (pretty much everybody with this last name lives in Kalmykia, not in central Russia).

      1. BrianKrebs Post author

        I never believed for a second that the names in the WHOIS data would be useful for anything other than seeing when the same name is used on more than one registration. In this case, the name was unusual enough that I thought it was worth a mention. As you can see, my WHOIS research was based instead on email addresses.

        1. Wladimir Palant

          Yes, that name is very much non-random which is why I bothered looking into it. It is rather strange that he chose a name for fake whois data that really exists but is very rare and concentrated in a region quite different from where he lives. I guess that he used the name of somebody he knew, there is no way he could simply invent it.

      2. Wladimir Palant

        PS: The phone number looks valid – the mobile operator is Beeline St. Petersburg, makes sense. However, it supposedly belongs to a number range that wasn’t assigned before December 5th, 2007 (according to The domain has been created in September 2007 however. But maybe the phone number has been added later, I don’t know.

  3. Aleksey

    A couple of interesting facts on LJ user “fizot”:

    Fizot started making money at the tender age of 6 by selling opposition newspapers.

    Fizot boasts of going from earning just RUR15k/month ($500) and having no sex at all 3 years ago to earning orders of magnitude more, driving a Porsche and having Miss Asia 2008 ( as his primary girlfriend. He attributes his success to attending “pickup training seminars”. :))))

    Fizot is looking to start or purchase a car rental business.

    Fizot was really approving of his president, Mr. Medvedev, in October 2009.

    Fizot was looking for help obtaining US and Canadian visitor’s visas in 2009. (Traveling to the USA is a very bad idea for Mr. Fizot, in my opinion. 🙂)

    A short list of what Mr. Fizot likes in women 🙂

    1. JCitizen

      Entertaining Aleksey!

      Thanks for those tidbits! Even if they are fictitious!

      1. Aleksey

        Looks like mr. Fizot is not very happy about sudden burst of publicity, he deleted his Livejournal blog already 🙂

          1. TEA-Time

            Ah.. they were disappearing one-by-one. All gone now. Heh

            Just wanna say… Hi Fizot! We’re watchin’ ya! 😉

        1. BrianKrebs Post author

          Yes, the only blog entry left is this one, where he claims he doesn’t run the awmproxy service anymore, that he sold it.

          “I have no relation to the draft awmproxy and sold it long ago. Stop writing to me and bother, please contact the author. I am not related to awmproxy project, since I have sold it out long ago. Please, stop writing to me and bothering me. You need to contact the resource owner.”

          So, reasonable question is, to whom did he sell it?

          1. Skull

            Querying for IP on a passive DNS database, these are the records historically pointing there (some are or may be outdated, though):

            [32 A records followed here; the hostnames and IP address were not preserved in this copy of the comment.]

        2. TEA-Time

          The YouTube videos have been deleted too! Maybe he realized that even a Volkswagen can do donuts on wet pavement.

          1. Neej

            Hahaha, good one. That did actually make me chuckle out loud :p

    2. Aleksey

      …and I can’t skip THIS :)))
      Mr. Fizot accidentally slept with a 14-year-old girl when he was only 19 (a criminal offense in Russia). Since Oleg has deleted his LiveJournal, here’s the cached copy of his post:

      Translation courtesy of Google Translate:

      First Field Report
      Ringing handset, display, Adrian: “Oleg, let’s urgent to me, I’m waiting.”
      I went to him, he excitedly running around the room and begins to persuade me to go with him to the Metro Club, and I have not much desire to go there, and I break down. After 20 minutes of persuasion, we are going to iron my shirt, put her hair, etc.
      We go to the Metro Club and along the way, he tells me an interesting story: “There are girls who throw guys like this: He looked about 17-18, but in real life about 14 and they fall under a guy having sex. After a brave guys go, take out her passport, which clearly says that she is 14 years old and you put off any loot, or how mentovku pedophile. ” I grin to myself quietly and do not attach any importance, because long do not believe in girls, who at 14 looks 18. ”
      Up to 23 hours we did not have time to visit a pack of LM, and had to pay 240 p. entrance fee. Before we pay two girls, or rather a girl and a crocodile-girlfriend. I silently note the girl and move on. About an hour once we were in tusim Metro Club, then I do approach the girl, looking for some conversation, “nothing” for 10 minutes, starting unobtrusive film, cobweb. Then offer to move to another place where “good music, cool drinks and hookah” (can not remember who was stolen) and they agree. I called Adrian, and for some reason he looked at the crocodile, such as at length refused to go with us. I had to go alone. By the way, that’s when I realized that the girls feel when they go to someone and why are they so afraid of a date on the first smoke hookah at my house.
      Decide who to go and I did not long resist, I went to see him. In the dorm room to have few prospects: first, it was already over an hour and dormitory was closed, yet the fact that they start up, and I did not know what to do with the crocodile (gangbang does not roll).
      As emerged from the club immediately began her kinestetit already stepping over the scope of the SDP.
      She gave 250 rubles. taxi driver because he drove us to the subway to Nevsky Club (actually worth no more than one hundred square meters), at first I wanted to pay, but he had no change from 1000. In the taxi, I learned that they were 16 years old, and I am genuinely surprised because it looked at least 17-18, and that they are not from St. Petersburg and came to rest here for a week.
      I was amazed when I saw that they live right on the Nevsky Prospect and flat with telecom in every room, with plush trahadronami, but on Nevsky other does not happen, I guess.
      She took the wine and play music, after which I began it hard kinestetit, completely ignoring the presence of a crocodile. The girl willingly responded to the kiss, gave full access to the bottom, and let the breast is not happy. When I started to undress her slowly, she began to break, like her boyfriend in the army and she promised to wait for him.
      Another 15-20 minutes kinesthetics and we went into the room.
      The girl’s great, very experienced and is the youngest of them all.
      After the bed she went into the bathroom to bathe, and I sat on the sill and breathed air. 15 minutes it goes sharp and business-like tone says: “Oleg, let’s go have a conversation.”
      I did a lot of his childhood in what should not, and often heard similar phrases and similar tone, usually meant that I was “fucking.” But in that tone I heard that I was “full of fucking”
      We went into the room, and she began to rummage through things, looking for something, finally got a passport and gave me. So fast I did not once deducted from 2006-1992, it appears that she is 14 years old! I was shocked and fell just a few minutes, thinking that now will pay in the form of uncles, who I quickly explain that you have to pay for pleasure or to sit for corruption of minors (pedophilia) for 135 article.
      I was paralyzed for 2 minutes, and I was a moron like listening to the beating of my heart. I already figured that once the case was removed for not quite a cheap apartment, so I did not divorce for 5 cents. Has become a figure out that I was on the second floor and knocking out the glass can jump out the window, but you have to grab a condom.
      Then, seeing that no one, he asked:
      – And then what?
      – Nothing.
      Then I realized that I badly want to walk. We went for a walk along Nevsky Prospekt at 4:00 am, why I was just indescribable pleasure and great communication.
      Nevsky at 4:00 is super, one of the places kryshesnosnyh Peter, just beautiful.

      PS> This is the first Field, so I will be happy all the commentary!

      1. Wladimir Palant

        Aleksey, you actually should have skipped this. The story doesn’t make sense in a bunch of places, I am pretty certain that it is pure fiction (just like his “primary girlfriend”).

        1. Aleksey

          Agreed, now I realize this comment was in bad taste. It may or may not be truth, but it has little relevance.

      1. Aleksey

        Both and mamba profiles are deleted now. Did anyone make screenshots?

          1. Aleksey

            The photo matches the likeness of the driver of 911 in the YouTube clip (I wish I saved that one)

      1. JCitizen

        A very good collection of card reader scam videos there also Brian. Thanks for the link!

    1. Aleksey

      Whoever can track down Dmitri Sergeev AKA Cosma2k and drag him into US jurisdiction somehow or help have him extradited can claim this reward. This thread is about TDSS, a botnet different from Rustock.

  4. Chasm

    Dude, it’s not a Porsche. More like an early 90’s Celica with a Porsche license plate frame.

    1. TEA-Time

      Ah.. good eye! According to a Google Image search (take note, thumb downer) it’s definitely a ~1993 – 1999 Celica with the nose badge removed. Strangely, I’m seeing two different designs for ’93s, but the ’94s – ’99s are definitely that design. I initially thought maybe the 98 on the right of the plate might be the year, but that’s apparently the city number after a little bit of Russian plate research.

      1. Aleksey

        Definitely “98” means “Leningradskaya Oblast'” in this context, not year 1998

    2. BrianKrebs Post author

      Looks like you may be right. I’ve amended the above story with a strikethru through the Porsche comment.

  5. george

    A filthy, stupid criminal with a penchant for public bragging all over the web – not a happy combination for him, I’m afraid (not!).
    Thank you, Brian, once again you (and some noted commentators in your column) made my day. Just to see how this scum is scrambling to delete ramblings he unwisely left around reminds me of rats or cockroaches running when exposed from under an overturned rock. Priceless !!!
    I have a personal grudge about those.
    My children’s computer had recently been infected with TDSS-4. Fortunately it was easy to remove since the computer was tweaked with a read-only Registry and C: drive, so it only encroached into the MBR – using Kaspersky Live CD. I read on the Internet others had more trouble removing it from both locations.

  6. Belka

    In Russia, authorities offer license plates with certain numbers. They are meant for official use only, and signal to traffic police that the person in the car is on sensitive, official business and should not be stopped. Unfortunately, with corruption these plates can be bought to avoid traffic rules. One can also buy the blue flashing lights called migalki which allow one to cut through traffic (more in English here). I do not know the exact code by which all are allocated, but signs that the plates are “special” often include double letters, like CC, and/or triple numbers, such as 666. I do not know how Fizot got his plate number, but he may well have bribed security officials. It’s bad enough when movie directors and business executives do it. If security forces sell special protection plates to criminals it’s doubly so.

    1. Aleksey

      Belka, you touch on a complex subject. In general, Russian license plates format is xNNNxx YY(Y) where “x” are letters that are shared between Cyrillic and Latin character sets. NNN is a three digit number and YY(Y) is a region code. The region code simply specifies which geographic location the car is registered at. The key to reading the number is the alphabetical part. There are certain combinations that are assigned to various law enforcement agencies and other combinations that are simply cool to have. I used to live in Moscow in the 90s, and back then one of the coolest combinations was “ooo” (like “0666oo77”). Now the most prestigious one (from what I heard) is “AMP”. Back in the 2000s the combination “EKX” was pretty cool. Obviously these license plates are a thriving corruption market and one can pay a good price for a cool license plate. The numbers are also for sale, and in my estimation getting “666” number would cost someone between RUR 5k-10k ($170-$340) today.

      1. who cares

        I was offered 666 for free when I registered my car in Moscow. Apparently nobody wants this number, and officials are kind enough not to issue this number forcibly. Other xxx numbers would cost about 5-10 times more than you think. People from the Caucasus are especially fond of such plates.
        You’re right, xxx numbers are just fancy toys. The Real Numbers are AMP, EKX, ХКХ, САС, ССС and a few other.

    2. AlphaCentauri

      “Its bad enough when movie directors and business executives do it. If security forces sell special protection plates to criminals its doubly so.”

      Criminals don’t exist in isolation, so it’s not as simple as saying they are issuing special plates to criminals. Who are his parents and siblings? Maybe he’s a family member of a VIP.

      If the FSB is so busy “milking” people accused of crimes, one can only imagine how amoral the children of their agents turn out.

      1. Aleksey

        I don’t think Oleg “Fizot” Krugov has anyone important among his relatives. He’s a lowlife, a nobody who came into certain money by engaging in online crime. His obsession with expensive cars, high-profile girls, money and other symbols of wealth is a good indicator of a low status and misery. Fizot is a typical loser.

  7. KFritz

    The possible/potential repercussions from this ‘outing’ will be interesting to watch. The powers that be in Russia and the other cybercrooks who are quietly harvesting millions in theft earnings won’t be happy about this attention a ‘tall. To his ‘credit,’ this gangster had the sense to hit the delete button instead of reveling in the attention, a la Vrublevsky. He’ll still be lucky to escape with a stern ‘talking to.’ And word will probably spread that online braggadocio attracts attention and is bad for business.

    Stay tuned.

  8. T.Anne

    I think this is great! I can’t believe people leave such ways to link them to things all over the net… I’d think if you know you’re doing something even remotely questionable you’d be more cautious about it. I also think that all the deleting of things that he has been doing points more towards his guilt than him being innocent.

  9. Iustin

    After a google search of : , I’ve found something interesting on this website :

    It shows that on 9th September the user fizot was accessed from this IP:
    9-Sep-11 15:51 fizotik_fizot Russian Federation Evidence
    9-Sep-11 15:42 fizotik_fizot

    After doing whois research on this IP I’ve found these details:

    IP address:
    IP country: Russian Federation
    IP Address state:
    IP Address city:
    IP latitude: 60.0000
    IP longitude: 100.0000
    ISP: CJSC Caravan-Telecom
    Organization: PH1340-COUNTER

    I assume he was using a local proxy when accessing that account lately, tunneling on metropolitan to have a good average internet speed.
    Regards, Iustin.

    1. Wladimir Palant

      Actually, has a number of entries for this email address, all from September 8th and 9th. Most IP addresses are from the same Caravan Telecom range, that company provides internet access to businesses in Moscow. Other IP addresses seem to belong to proxies (botnet participants?) around the world.

      I had a look at the “evidence”. Here it is:

      username: fizot
      User Email:
      User ICQ:173358888
      User AIM:
      User MSN:
      User Yahoo: cikifriki
      Location: Romania
      Occupation: Banking, mortgage
      Interests: Religion, spiritual
      User Signature:

      I guess that he is spamming forums with his data to make searching for his email addresses harder. Interestingly, if you search for that Yahoo nick you will find tons of forum spam (the forum profiles I looked at were created in July).

  10. Wladimir Palant

    fizot seems to have started as a PHP developer. His learning experience:

    And here he is advertising his services:–1200.46207/

    Note his ICQ number, that’s how I found the post (which has been deleted two days ago but is still visible in Google cache – he didn’t bother deleting everything else he posted under the name “melkiy” however). So he previously owned and domains (the former is confirmed by

    Here is looking for a C programmer: (same ICQ number). Note that he gives the name Oleg but email address is (Александр Зибров). Here is his profile:, apparently he works for in Moscow.

    Here is a forum topic about awmproxy: Another forum participant claims that fizot is simply reselling proxy lists he bought from him (deleted again, use Google cache). That forum participant also lists the various nicks used by fizot.

  11. roflem

    Came late to the show….missed the beer and popcorn but the film is still the best of the best! I love how these fugtards blow themselves out of the water, have seen it myself many times before but in Romania with hi5! Brian I bet he is extremely media-whorish go visit him with Charles:-)
    what a delight to see this happen in real time and thanks to AKL and Aleksey and all the other pokers: this was a good movie!!

  12. Vincent

    Do we know who is utilizing the awmproxy service or what, exactly, it is being used for? I imagine anyone with an inclination to perform illicit activity is simply going to use Tor, their own list of hijacked systems, public proxies, etc. I guess I’m interested in who would actually pay, a fairly substantial amount of money, to utilize this service?

    1. Jack

      The majority of hacked machines belonging to this botnet will be utilizing residential ISPs and the IP addresses will mostly be undetected as proxy/anonymity networks. Therefore renting access to tens of thousands of residential undetected IP addresses would be a fraudster’s wet dream due to the ability to trick anti-fraud systems into thinking the order is coming from a legitimate internet connection. For example, if you are a carder from Russia, a website will be unlikely to accept an order from a Russian IP address with a USA credit card, and unlikely to accept an order coming from an anonymity network, but would likely accept the order if it was coming from a legitimate-looking residential US IP address.
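A defender’s counterpart to the mechanism Jack describes, as an added Python example that is not from the post or from any commenter: a toy order-risk scorer that applies the two per-order checks he says a clean residential IP defeats (issuer country versus IP country, and a hit on an anonymizer list) and then adds cross-order velocity signals (one card seen from several IPs, or several cards from one IP, inside a time window) that do not depend on any single IP looking suspicious. The orders, weights, thresholds and the `ip_is_anonymizer` flag are constructed assumptions, and the card numbers are stand-in hashes.

```python
"""Order-risk scoring that does not rely solely on the client IP looking clean.

Added example with constructed data; weights, thresholds and the sample
orders are illustrative assumptions, not values from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    order_id: str
    card_hash: str          # hashed card number; never store the PAN itself
    card_country: str       # issuer country from a BIN lookup (constructed)
    ip: str
    ip_country: str         # geolocation of the client IP (constructed)
    ip_is_anonymizer: bool  # hit on a Tor/VPN/open-proxy list (constructed)
    ts: datetime


def score_order(order: Order, history: list[Order],
                window: timedelta = timedelta(hours=24)) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for `order`, given earlier orders in `history`."""
    score, reasons = 0, []

    # Per-order checks. A rented residential IP in the card's country that is
    # on no proxy list passes both of these, which is exactly its value.
    if order.card_country != order.ip_country:
        score += 40
        reasons.append("issuer country != IP country")
    if order.ip_is_anonymizer:
        score += 40
        reasons.append("IP on anonymizer list")

    # Cross-order checks. Each IP may look clean on its own, but reuse of the
    # same card across many IPs (or many cards behind one IP) inside a short
    # window is visible regardless of how legitimate each IP appears.
    recent = [o for o in history if timedelta(0) <= order.ts - o.ts <= window]
    ips_for_card = {o.ip for o in recent if o.card_hash == order.card_hash} | {order.ip}
    if len(ips_for_card) >= 3:
        score += 30
        reasons.append(f"card used from {len(ips_for_card)} IPs in {window}")
    cards_for_ip = {o.card_hash for o in recent if o.ip == order.ip} | {order.card_hash}
    if len(cards_for_ip) >= 3:
        score += 30
        reasons.append(f"{len(cards_for_ip)} cards from one IP in {window}")
    return score, reasons


def decision(score: int) -> str:
    """Map a score to an action; the cut-offs are constructed for the example."""
    if score >= 70:
        return "reject"
    if score >= 30:
        return "review"
    return "accept"


# Constructed sample: one card, three earlier orders, each from a different
# US residential-looking IP (documentation ranges) within a few hours.
T0 = datetime(2011, 9, 7, 12, 0)
HISTORY = [
    Order("o1", "cardA", "US", "203.0.113.10", "US", False, T0),
    Order("o2", "cardA", "US", "198.51.100.7", "US", False, T0 + timedelta(hours=1)),
    Order("o3", "cardA", "US", "192.0.2.55", "US", False, T0 + timedelta(hours=2)),
]
# Fourth order on the same card: passes both per-order checks, caught by velocity.
CLEAN_LOOKING = Order("o4", "cardA", "US", "203.0.113.77", "US", False, T0 + timedelta(hours=3))
# A first-time card ordered from an IP that geolocates to a different country.
NAIVE_MISMATCH = Order("o5", "cardB", "US", "198.51.100.200", "RU", False, T0 + timedelta(hours=3))

if __name__ == "__main__":
    for o in (CLEAN_LOOKING, NAIVE_MISMATCH):
        s, why = score_order(o, HISTORY)
        print(o.order_id, s, decision(s), why)
```

The point of the sample data is that `CLEAN_LOOKING` earns nothing from the country and anonymizer checks, which is the evasion Jack describes, and still lands in review because the same card has now been used from four IPs in three hours. Real deployments tune the window and thresholds against their own traffic and add device and account signals; the structure, per-order checks plus cross-order aggregates, is what matters.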

Comments are closed.