The FBI has arrested the man it alleges is behind the notorious Mega-D botnet, which at one point accounted for nearly a third of all spam on the Internet. The arrest came to light this week; the man was taken into custody last month as he entered the U.S. on his way to a car show.
The man authorities believe controlled the Mega-D botnet is Oleg Nikolaenko, a Russian who the FBI alleges worked with affiliates in several countries to push a variety of products through spam, including fake watches and herbal supplements. According to an affidavit filed by the FBI in U.S. District Court in Wisconsin and obtained by Krebs on Security, agents got onto Nikolaenko's trail after one of his alleged associates told them about a spam and affiliate-marketing scam in which he had been involved.
The FBI, in a joint investigation with the FTC and others, had worked to shut down a large spamming operation known as Affking. During the investigation, an Australian man named Lance Atkinson agreed to plead guilty and eventually began telling authorities about his dealings with others in the underground, including a Russian he had worked with and knew as “Docent.”
“In the interview, Atkinson explained his involvement in the Affking and related enterprises, including Affking predecessor companies Genbucks and Sancash. Specifically, he recalled that two of his largest Russian spamming affiliates used the online monikers ‘Docent’ and ‘Dem,’” FBI agent Brent Banner wrote in his complaint against Nikolaenko.
Through a federal subpoena, agents eventually obtained records for email accounts involved in the payment chain of the affiliate marketing program and found that one of them belonged to Nikolaenko. A subsequent search warrant gave them the contents of the messages themselves, which showed conversations between Nikolaenko and another Gmail user the FBI alleges to be Atkinson, in which the two discussed spam operations.
The FBI also found emails which, after analysis by researchers at SecureWorks, turned out to contain the executable file for the Mega-D malware. Mega-D is the same botnet that security researchers at FireEye took action against in November 2009, sinkholing some of the botnet's command-and-control servers and severely crippling its capabilities. In the complaint, Banner says that Nikolaenko was in the United States at the time of the Mega-D takedown and that he left the country two days early, likely to go home and repair the damage done by the operation.
Nikolaenko is being held in Wisconsin and is expected to make his first appearance in court today, according to a report in the Milwaukee-Wisconsin Journal-Sentinel.

Great job on the article. Thought I was reading the NY Times for a moment.
Since I have been fighting this thing for 4 years, I have to play this 2 different ways: one, to play it as it seems, and two, to play it as another psychological decoy.
In this battle, I have seen it where the media and security people involved used decoys to redirect everyone from the truth. If I were to treat it as it is, I do know the names SEEM legit, as though I have seen them before. I know that I'm the original C&C and that the worm was attempted to be shut down April 1st, 2 days after the April Fools worm. It failed and came back 3 days later. The last couple of weeks felt as though I'm in heaven because my systems are finally 10 times faster with no lag.
BUT the incoming IPs are still going. I still get around over 2k IPs per hour, since Feb 2009.
Here is a tiny sample:
[INFO] Sun Feb 01 06:56:21 2004 Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8090
Also, no one has mentioned the phone systems used as part of the spam.
And why is security still covering it up?
The way you can see the traffic is by using a router with a good LOG.
You can use the active sessions with port 80 to see what is in use, and go to the site by putting it in before the hash code is removed and see their activity. I have been doing it for some time and that's how I can see what's going on. Also, I'd like Microsoft and global security to leave me alone unless you're fixing the worm. But to me, it's just a cover-up to take blame for the traffic while the Pentagon and Microsoft play the good guys…
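The commenter above reads blocked inbound connections off a home router's firewall log. As an added example (not code from the article, the commenter, or any product mentioned), here is a small Python parser for log lines in the format the commenter pasted; it aggregates blocked attempts per source address, per clock hour and per destination port, and flags sources that exceed a per-hour threshold. The sample lines are constructed in that format: the two addresses from the commenter's line are reused, the other sources (198.51.100.7, 203.0.113.9) are RFC 5737 documentation addresses, and the threshold of 2 per hour is an arbitrary assumption for the demo.

```python
"""Summarise blocked inbound connection attempts from a SOHO-router firewall log.

Added example, not code from the article or the commenter. It parses lines in
the format the commenter pasted and aggregates them by source, hour and port.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One blocked-connection entry looks like:
# [INFO] Sun Feb 01 06:56:21 2004 Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8090
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\s+"
    r"(?P<ts>[A-Za-z]{3} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"Blocked incoming (?P<proto>TCP|UDP) connection request from "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) to (?P<dst>{IPV4}):(?P<dport>\d+)\s*$"
)

# Constructed sample log. 222.186.13.212 / 174.39.177.244 come from the
# commenter's line; 198.51.100.7 and 203.0.113.9 are RFC 5737 test addresses.
# The last line is a non-firewall entry that the parser must skip.
SAMPLE_LOG = """\
[INFO] Sun Feb 01 06:56:21 2004 Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8090
[INFO] Sun Feb 01 06:57:03 2004 Blocked incoming TCP connection request from 222.186.13.212:12201 to 174.39.177.244:8090
[INFO] Sun Feb 01 06:58:40 2004 Blocked incoming TCP connection request from 198.51.100.7:4433 to 174.39.177.244:445
[INFO] Sun Feb 01 07:01:15 2004 Blocked incoming TCP connection request from 222.186.13.212:12202 to 174.39.177.244:8090
[INFO] Sun Feb 01 07:02:59 2004 Blocked incoming UDP connection request from 203.0.113.9:53 to 174.39.177.244:1900
[INFO] Sun Feb 01 07:03:10 2004 Router started
"""


def parse_line(line):
    """Return a dict for a blocked-connection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def parse_log(text):
    """Parse every line, silently dropping lines that are not blocked-connection entries."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def summarize(events):
    """Counts per source address, per clock hour and per (protocol, destination port)."""
    return {
        "total": len(events),
        "per_source": Counter(e["src"] for e in events),
        "per_hour": Counter(e["ts"].strftime("%Y-%m-%d %H:00") for e in events),
        "per_service": Counter((e["proto"], e["dport"]) for e in events),
    }


def noisy_sources(events, per_hour_threshold):
    """Sources that were blocked at least `per_hour_threshold` times within any single clock hour."""
    buckets = defaultdict(Counter)  # hour start -> Counter of source addresses
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[hour][e["src"]] += 1
    flagged = set()
    for counts in buckets.values():
        flagged.update(src for src, n in counts.items() if n >= per_hour_threshold)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = summarize(evs)
    print(f"{s['total']} blocked inbound attempts")
    for src, n in s["per_source"].most_common():
        print(f"  {src:<16} {n}")
    for hour, n in sorted(s["per_hour"].items()):
        print(f"  {hour}  {n}")
    print("sources with >= 2 attempts in one hour (assumed threshold):", noisy_sources(evs, 2))
```

On a real log export the per-source and per-hour tallies are what separate one persistent scanner from background noise; the threshold should be set from the baseline the router normally sees, not the constant used here.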