Sep 11

Who’s Behind the TDSS Botnet?

Yesterday I wrote about the public storefront where anyone can rent access to computers infected with TDSS, widely considered one of the largest and most complex botnets on the planet. Today, I’ll take a closer look at a Russian individual who appears to have close ties to the TDSS operation.

Tuesday’s story got picked up by news-for-nerds site Slashdot, and one of the comments on the piece observed that the storefront for TDSS — — has a Google Analytics code embedded in the homepage. That code, UA-3816538, is embedded in six other Web sites, including (a clone of, according to a lookup at

Using, I was able to find the historical Web site registration records for (the historical data for is hidden). Those records show that the domain was registered on Feb. 27, 2008 to an individual in Russia who used the email address Another Web site with that same Google Analytics code, (hostile site), also includes that email address in its historical records. Awmproxy began offering proxies on March 16, 2008.

WHOIS records also indicate was used to register, a site which is no longer active. The name given by the person who registered was Galdziev Chingiz in St. Petersburg, Russia. That same name is on the registration records for, but lists a different contact email address:

Googling for the address turns up a LiveJournal blog by a user named Fizot who provides a contact email address of Fizot isn’t the most prolific blogger, but he has 27 journal entries on his page, and discusses everything from life in St. Petersburg to earning millions of dollars.

In one entry, Fizot discusses having bought a sports car with a license plate number that includes the Number of the Beast: “666.” It turns out that there is a channel belonging to a user named Fizot who designates the domain name as his personal Web site. Fizot has uploaded just four videos since the account was created in July 2007. Among the videos is a short movie uploaded on Oct. 5, 2007, showing a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming away from the camera in a shopping mall parking lot, before turning around and heading back to the filmmaker. A license plate cover beneath the tags indicates the car’s owner is or was a member of the Moscow Porsche Club.

Fizot’s plates

Fizot may only be tangentially connected to those responsible for building and maintaining the TDSS botnet, but it is likely that he and some of his pals in the SPB and RU Auto clubs know the responsible parties.