June 13, 2012

Pavel Vrublevsky, the co-founder of Russian payment processor ChronoPay, is set to appear before a judge this week in a criminal case in which he is accused of hiring a botmaster to attack a competitor. Prosecutors believe that the man Vrublevsky hired in that attack was the curator of the Festi botnet, a spam-spewing machine that also has been implicated in a number of high-profile denial-of-service assaults.

Igor Artimovich

Vrublevsky spent six months in prison last year for his alleged role in an attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors.

Investigators with the Russian Federal Security Service (FSB) last summer arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky.

As I wrote in last year’s piece, the allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel (pictured below) allegedly used to coordinate the DDoS attack against Assist.

Group-IB’s evidence suggested Artimovich had used a botnet he called Topol-Mailer to launch the attacks, but Topol-Mailer is more commonly known as Festi, one of the world’s largest and most active spam botnets. As detailed by researchers at NOD32 Antivirus maker ESET, Festi was built not just for spam, but to serve as a very powerful tool for launching distributed denial of service (DDoS) attacks: digital sieges that use hacked machines to flood targets with so much meaningless traffic that they can no longer accommodate legitimate visitors.

“Topol Mailer” botnet interface allegedly used by Artimovich.

Group-IB said Artimovich’s botnet was repeatedly used to attack several rogue pharmacy programs that were competing with Rx-Promotion, a rogue Internet pharmacy affiliate program long rumored to have been co-founded by Vrublevsky (security firm Dell SecureWorks chronicled those attacks last year).

Artimovich allegedly used the nickname Engel on Spamdot.biz, an online forum owned by the co-founders of SpamIt and GlavMed, sister rogue pharmacy operations that competed directly with Rx-Promotion. In the screen shot below right, Engel can be seen communicating with Spamdot member and SpamIt affiliate “Docent.” That was the nickname used by Oleg Nikolaenko, a 24-year-old Russian man arrested in Las Vegas in Nov. 2010 and charged with operating the Mega-D botnet.

Engel earned thousands of dollars spamming for both Rx-Promotion and SpamIt, but he abruptly quit the SpamIt program in 2009 after accusing its administrators — Igor Gusev and Dmitry Stupin — of under-counting his sales and commissions. Engel would go off and launch his own forum — Spamplanet.net — while at the same time using Festi to launch DDoS attacks against SpamIt and GlavMed.

Engel probably regrets those attacks now. As I’ve previously reported, Gusev allegedly paid $50,000 to corrupt officials in Russia to launch a criminal investigation into Artimovich’s activities, and to probe his connections with Vrublevsky.

Interestingly, Engel’s profile on Spamdot.biz lists his email address as “support@id-search.org”. That domain is no longer online, but archive.org reveals that Engel used it as the home base for a bot whose sole purpose was to harvest email addresses from billions of Web pages. Engel claimed publicly that the bot was nothing more than a research project, but privately to Spamdot members he bragged that his search bot could scour hundreds of sites simultaneously and quickly collect “hundreds of megabytes” of email lists.

17 thoughts on “Who Is the ‘Festi’ Botmaster?”

  1. george

    Another article for the collection, Brian.
    Interestingly those criminals have to fear more each other rather than be pursued from law-enforcement own initiative. And once the “fees” have been paid, establishing their real identity and apprehending them rarely seems to be a problem.

    1. andrey.tam

      so somehow eastern europeans need to survive, i think it’s soft enough if eastern europeans romania, ukraine, russia, estonia, latvia, lithuania, and else taking just cyber space, so if government close this cyber way to make money then all eastern europeans just take gun walking street shooting the bullet some rich WESTERN country probably england to some person head, and take his money and car and everything, so i think this way is not better, nobody don’t get hurt if eastern europeans stealing money from bank accounts, at least they don’t kill and hurt someone, because some western country people don’t have idea about 90-s 1990 year, guys we don’t want back this times, so this cyber crime it’s not so bad… of course little bit take it down it’s ok, but to lose this it’s not good because if people who have criminal mind can’t make money this way they will make another way, i think this way is nice way it’s not so brutal*

  2. Igor Artimovich

    Thanks, Brian. I liked your article, as it is about me. But only by this reason. Probably, because you are an idiot and write for the same idiots as you which can’t distinguish botnet from minyet (cocksuck). My council to you, my dear dogslover, stop to write about what you don’t understand. I advise you to get the blog under the name krebsonperversions.com and to write there about various sexual perversions. And you will collect considerably large audience, than you can collect by all these computer subjects.
    Specially for hackers it is possible to create the section: sexual perversions of developers of botnets, got stuck in an anal phase of development at postpubertatis age, which you treat. I can advise you the excellent adviser for nonconventional love, the fan of uniform and handcuffs, mister Dadinsky, the employee of the Russian intelligence services. I’m sure that you will find a common language or other parts of a body to write a lot of interesting things in your new blog. I wish you fruitful work in your hard business.
    And if during collecting the material for the next article you break your cock about someone’s strong hairy bum, come to Moscow where the best specialists of the Minzdrav (Ministry of Health) will amputate the damaged part of your body and will establish a prosthesis which, to all other, will be connected to the computer through usb 3.0 that you could jerk off, without tearing off your hands from the keyboard, as since the time of the Washington Post all of us, the admirers of your talent, with huge impatience wait for your new articles.

    All the best, Igor.

    1. BrianKrebs Post author

      Interesting comment, Igor. If my story is so off-base, why don’t you dispute particular parts of it?

      Best of luck in your trial. Thanks for stopping by.

      1. Igor Artimovich

        Dear Krebsy, frankly speaking, I didn’t read this article therefore I can’t discuss it or its part. As the article is about me and also it is advertising, I considered it necessary to explain to you that for good ads the advertising platform with large audience is necessary which you don’t have. I also considered necessary to spend the time and to formulate the instructions for you that you could solve a problem of increasing in audience of your blog. After all the large audience is as a big dick, isn’t it, Krebsy!?
        Also don’t worry for my trial, today it is ended. Differently from States in Russia for similar successes people are awarded by the state regard and the Order of Lenin.
        I look forward to prolongation of an exposing cycle of articles about me. And I offer the following subjects: «Igor Artimovich – the head of the Russian FSB», «Which of nuclear bombs thought up Igor Artimovich: Russian or American?», «Igor Artimovich together with the president of Russia seen rising aboard the plane of Barack Obama in Kabul», «Igor Artimovich and Bill Gates. What I learned from their conversations on a technical singularity», «I went in the lift with the person who spoke with the person who saw Mr Artimovich himself», «Revelation. I dreamed about Igor. I reached an enlightenment and left to work as the truck driver». It is weak for you, Briany?

        1. BrianKrebs Post author

          Can’t…stop…laughing. Have you ever thought of doing a comedy tour, Igor? Great material!

          1. none

            Brian, despite his questionable style to voice objections, don’t you think he has a point?
            After all, you’ve posted his personal ID with the government-issued passport number and stuff. It’s not journalism, it’s pure trash if you ask me.

        2. Tim

          Looks like Google Translate was having a bad day…;-)

      2. andreys

        so, in eastern europe tough life! people are in struggles, and always try to think how to make money.
        but at least no one don’t get hurt by cyber crime, because if there is no cyber crime.. still people will make money but another way, i think for national security it’s good we have cybercrime, because people who are in this business they are happy they have money and at least they don’t kill

  3. infodox

    Above is part of the reason I enjoy reading this blog. The fact botmasters and spammers mentioned actually come here and occasionally give input… Or, in this case, blatant abuse. Makes life more entertaining…

    As for the payoffs to officials to investigate opposition in the market, this strikes me as something very interesting. Surely later on, if you fell out of favor with said corrupt officials, you would have exposed yourself to a whole new onslaught of charges. And what if the other bloke outbids you…

    1. LOL

      … and this is why americans get hacked all the time

  4. Hayton

    No word yet from Pavel Vrublevsky? The court appearance apparently turned into farce. The prosecution for some inexplicable reason tried to charge him with Federal Law 28, which covers drug trafficking. The judge was not at all amused and told the prosecution to go away and do it again, properly. Everything’s adjourned for a while, and Pavel is taking the opportunity to update his blog with colourful sarcasm about the Russian government, the FSB, and Brian.

    According to BFM.ru, there were originally two other defendants – Dmitri Artimovich (Igor’s brother) and Permiakov Maxim, an ex-FSB officer. They both pleaded guilty.
