Posts Tagged: livejournal


7 Sep 11

Who’s Behind the TDSS Botnet?

Yesterday I wrote about the public storefront where anyone can rent access to computers infected with TDSS, widely considered one of the largest and most complex botnets on the planet. Today, I’ll take a closer look at a Russian individual who appears to have close ties to the TDSS operation.

Tuesday’s story got picked up by news-for-nerds site Slashdot, and one of the comments on the piece observed that the storefront for TDSS — awmproxy.net — has a Google Analytics code embedded in the homepage. That code, UA-3816538, is embedded in six other Web sites, including awmproxy.com (a clone of awmproxy.net), according to a lookup at ReverseInternet.com.
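The pivot described above, linking sites through a shared Google Analytics account number, is a routine infrastructure-clustering step in attribution work. The following is an added example (not code from the original post) that pulls the account numbers out of fetched page HTML and reports which domains share one; the domains, HTML and tracking IDs are constructed for illustration and are not real lookups.

```python
import re
from collections import defaultdict

# Matches classic/Universal Google Analytics property IDs such as UA-1234567-2.
# Group 1 is the account number; the trailing "-N" property index is optional,
# since pages sometimes quote only the bare account (as the post does).
GA_ID_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")


def extract_ga_ids(html):
    """Return the set of GA account numbers (digits after 'UA-') found in a page."""
    return {m.group(1) for m in GA_ID_RE.finditer(html)}


def cluster_by_ga_id(pages):
    """pages: {domain: html}. Returns {account_number: sorted list of domains}."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for acct in extract_ga_ids(html):
            index[acct].add(domain)
    return {acct: sorted(doms) for acct, doms in index.items()}


def shared_ids(pages):
    """Only the account numbers that tie two or more domains together."""
    return {a: d for a, d in cluster_by_ga_id(pages).items() if len(d) > 1}


# Constructed sample pages (hypothetical domains and tracking IDs).
SAMPLE_PAGES = {
    "shop.example": "<script>_gaq.push(['_setAccount', 'UA-1111111-1']);</script>",
    "clone.example": "<script>ga('create', 'UA-1111111-3', 'auto');</script>",
    "other.example": "<script>_gaq.push(['_setAccount', 'UA-2222222-1']);</script>",
    "plain.example": "<html><body>no analytics here</body></html>",
}

if __name__ == "__main__":
    for acct, doms in shared_ids(SAMPLE_PAGES).items():
        print(f"UA-{acct} links: {', '.join(doms)}")
```

A shared account number is a lead, not proof of common ownership: copied templates and reused page builders produce the same signal, so confirm with registration history as the post does.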

Using domaintools.com, I was able to find the historical Web site registration records for awmproxy.com (the historical data for awmproxy.net is hidden). Those records show that the domain was registered on Feb. 27, 2008 to an individual in Russia who used the email address fizot@mail.ru. Another Web site with that same Google Analytics code, pornxplayer.com (hostile site), also includes that email address in its historical records. Awmproxy began offering proxies on March 16, 2008.

WHOIS records also indicate fizot@mail.ru was used to register fizot.com, a site which is no longer active. The name given by the person who registered fizot.com was Galdziev Chingiz in St. Petersburg, Russia. That same name is on the registration records for fizot.org, but fizot.org lists a different contact email address: xtexgroup@gmail.com.

Googling for the fizot@mail.ru address turns up a LiveJournal blog by a user named Fizot who provides a contact email address of xtexcounter@bk.ru. Fizot isn’t the most prolific blogger, but he has 27 journal entries on his page, and discusses everything from life in St. Petersburg to earning millions of dollars.

In one entry, Fizot discusses having bought a sports car with a license plate number that includes the Number of the Beast: “666.” It turns out that there is a Youtube.com channel belonging to a user named Fizot who designates the domain name fizot.com as his personal Web site. Fizot has uploaded just four videos since the account was created in July 2007. Among the videos is a short movie uploaded on Oct. 5, 2007, showing a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming away from the camera in a shopping mall parking lot, before turning around and heading back to the filmmaker. A license plate cover beneath the tags indicates the car’s owner is or was a member of the Moscow Porsche Club.

Fizot’s plates

Fizot may only be tangentially connected to those responsible for building and maintaining the TDSS botnet, but it is likely that he and some of his pals in the SPB and RU Auto clubs know the responsible parties.



17 Jun 10

Drug Charges Against Accused AT&T/iPad Hacker

A hacker in a group that discovered the AT&T iPad-related flaw was arrested on drug charges following the execution of an FBI search warrant of his home in Arkansas on Tuesday, according to published reports.

CNET’s Elinor Mills writes that the FBI found a broad selection of narcotics at the home of a man tied to “Goatse Security,” the group that recently claimed responsibility for extracting contact information on more than 114,000 iPad customers from AT&T’s Web site.

From the CNET story:

Andrew Auernheimer, 24, was being held in Washington County Detention Center in Fayetteville, Ark., according to Lt. Anthony Foster of the Washington County Sheriff’s office in that state. The drugs were found during the execution of the warrant, said Lt. Mike Perryman, of the Fayetteville Police Department. However, Perryman could not say what prompted the warrant.

Auernheimer, who goes by the name “Escher” and the hacker handle “Weev,” faces four felony charges of possession of a controlled substance and one misdemeanor possession charge, Foster said. The drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals, he said.

Spiegelmock and Auernheimer speaking at Toorcon 2006

Auernheimer is quite a colorful character. I met him in 2006 at the Toorcon security conference in San Diego, where he and Mischa Spiegelmock – an employee of blogging service LiveJournal – were delivering a talk on what they claimed was an unpatched security flaw in Mozilla’s Firefox browser that hackers were supposedly attacking to compromise Web surfers. At the time, Auernheimer introduced himself as Andrew “Weev” Wbeelsoi.

That presentation — which called on security researchers everywhere to stop publicizing and fixing software security vulnerabilities — was at times hilarious and bizarre. Weev started out by informing the audience that he was delivering his speech while tripping on acid. When I followed up with Weev after that talk to get more details on their claims, it was fairly plain that he wasn’t kidding about the acid trip. However, the two hackers would later admit to me that they didn’t really have the zero day exploits that they claimed, and that they were just trying to have a little fun with the security industry.