FBI Arrests Alleged Head of Mega-D Botnet Operation

The FBI has arrested the man that they allege is behind the notorious Mega-D botnet, which at one point accounted for nearly a third of all of the spam on the Internet. The arrest came to light this week after the man was caught entering the U.S. last month on his way to a car show.

The man that authorities believe is responsible for controlling the Mega-D botnet is Oleg Nikolaenko, a Russian whom the FBI alleges worked with affiliates in several countries around the world to push a variety of products through spam, including fake watches and herbal supplements. According to an affidavit filed by the FBI in U.S. District Court in Wisconsin and obtained by Krebs on Security, agents got onto Nikolaenko’s trail after one of his alleged associates filled them in on a spam and affiliate marketing scam that he was involved in.

The FBI, in a joint investigation with the FTC and others, had worked to shut down a large spamming operation known as Affking. During the investigation, an Australian man named Lance Atkinson agreed to plead guilty and eventually began telling authorities about his dealings with others in the underground, including a Russian he had worked with and knew as “Docent.”

“In the interview, Atkinson explained his involvement in the Affking and related enterprises, including Affking predecessor companies Genbucks and Sancash. Specifically, he recalled that two of his largest Russian spamming affiliates used the online monikers ‘Docent’ and ‘Dem,’” FBI agent Brent Banner wrote in his complaint against Nikolaenko.

Agents eventually were able to get access to email accounts involved in the payment chain of the affiliate marketing program via a federal subpoena, and found that one of them belonged to Nikolaenko. A search warrant that gave them access to the emails themselves showed conversation between Nikolaenko and another Gmail user the FBI alleges to be Atkinson, in which the two discussed spam operations.

The FBI also found emails which, after an analysis by researchers at SecureWorks, turned out to contain the executable file for the Mega-D malware. Mega-D is the same botnet that security researchers at FireEye took action against in November 2009, sinkholing some of the botnet’s command and control servers and severely crippling its capabilities. In the complaint, Banner says that Nikolaenko was in the United States at the time of the Mega-D takedown and that he left the country two days early, likely to go home and repair the damage caused by the operation.

Nikolaenko is being held in Wisconsin and is expected to make his first appearance in court today, according to a report in the Milwaukee-Wisconsin Journal-Sentinel.

Discussion

  • dranfu

    Great job on the article. Thought I was reading the NY Times for a moment.

  • antihacker101

    Since I've been fighting this thing for 4 years, I have to play this 2 different ways: one, to play it as it seems, and 2, to play it as another psychological decoy.

    In this battle, I've seen it where media and security involved used decoys to redirect everyone from the truth. If I was to treat it as it is, I do know the names SEEM legit, as though I've seen them before. I know that I'm the original C & C and the worm was attempted to be shut down Apr first, 2 days after the Apr fools worm. It failed and came back 3 days later. The last couple weeks felt as though I'm in heaven cause my systems are 10 times faster, finally with no lag.

    BUT the incoming IPs are still going. I still get around over 2k IPs per hour since Feb 2009.

    Here is a tiny sample:

    [INFO]Sun Feb 01 06:56:57 2004Allowed configuration authentication by IP address 192.168.0.100
    [INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8090
    [INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:3246
    [INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:9000
    [INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8085
    [INFO]Sun Feb 01 06:56:16 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:55:52 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:2301
    [INFO]Sun Feb 01 06:55:51 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:9090
    [INFO]Sun Feb 01 06:55:51 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:9415
    [INFO]Sun Feb 01 06:55:42 2004Blocked incoming TCP connection request from 221.192.199.46:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:55:41 2004Blocked incoming TCP connection request from 221.192.199.46:12200 to 174.39.177.244:8085
    [INFO]Sun Feb 01 06:55:13 2004Blocked incoming TCP connection request from 221.192.199.48:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:55:13 2004Blocked incoming TCP connection request from 221.192.199.48:12200 to 174.39.177.244:8085
    [INFO]Sun Feb 01 06:55:05 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:3246
    [INFO]Sun Feb 01 06:55:05 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:9000
    [INFO]Sun Feb 01 06:55:05 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8085
    [INFO]Sun Feb 01 06:55:05 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:54:43 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:73
    [INFO]Sun Feb 01 06:54:43 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:2301
    [INFO]Sun Feb 01 06:47:40 2004Blocked incoming TCP connection request from 221.192.199.48:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:45:21 2004Blocked incoming UDP packet from 217.127.202.113:1029 to 174.39.177.244:137
    [INFO]Sun Feb 01 06:43:25 2004Blocked incoming TCP packet from 184.85.253.93:80 to 174.39.177.244:58716 with unexpected acknowledgement 2292296730 (expected 2292296735 to 2292296736)
    [INFO]Sun Feb 01 06:43:20 2004Blocked incoming TCP packet from 184.85.253.93:80 to 174.39.177.244:58716 with unexpected acknowledgement 2292296718 (expected 2292296730 to 2292296731)
    [INFO]Sun Feb 01 06:42:43 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:2479
    [INFO]Sun Feb 01 06:42:43 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:9090
    [INFO]Sun Feb 01 06:42:42 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:42:38 2004Blocked incoming TCP connection request from 174.39.191.199:54412 to 174.39.177.244:445
    [INFO]Sun Feb 01 06:41:30 2004Blocked incoming TCP connection request from 174.39.137.45:13267 to 174.39.177.244:445
    [INFO]Sun Feb 01 06:41:30 2004Above message repeated 1 times
    [INFO]Sun Feb 01 06:40:49 2004Blocked incoming TCP connection request from 174.39.137.45:9957 to 174.39.177.244:135
    [INFO]Sun Feb 01 06:40:46 2004Above message repeated 1 times
    [INFO]Sun Feb 01 06:40:13 2004Blocked incoming TCP connection request from 221.192.199.48:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:40:13 2004Blocked incoming TCP connection request from 221.192.199.48:12200 to 174.39.177.244:8085
    [INFO]Sun Feb 01 06:39:37 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8090
    [INFO]Sun Feb 01 06:39:37 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:3246
    [INFO]Sun Feb 01 06:39:37 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:9000
    [INFO]Sun Feb 01 06:39:37 2004Blocked incoming TCP connection request from 221.192.199.46:12200 to 174.39.177.244:27977
    [INFO]Sun Feb 01 06:39:37 2004Blocked incoming TCP connection request from 221.192

    Also no one has mentioned the phone systems used as part of the spam.

    And why is security still covering it up?

    The way you can see the traffic is by using a router with a good LOG.

    You can use the active sessions with port 80 to see what is in use, and go to the site by putting it in before the hash code is removed and see their activity. I've been doing it for some time and that's how I can see what's going on. Also I'd like Microsoft and global security to leave me alone unless you're fixing the worm. But to me, it's just a cover up to take blame for the traffic while Pentagon and Microsoft play the good guys...
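
As an added example (my code, not the article's and not the commenter's), here is a small Python triage script for the router log format pasted above. It parses the lines as the router writes them, with level, timestamp and message run together ("2004Blocked"), also accepts the spaced form that appears once in the post, folds "Above message repeated N times" lines into the preceding event, aggregates blocked inbound traffic per source address, and lists sources that touched several distinct destination ports. The sample lines are copied from the comment; the `min_ports` threshold and the field names are my own illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the router log posted in the comment above.
SAMPLE_LOG = """\
[INFO]Sun Feb 01 06:56:57 2004Allowed configuration authentication by IP address 192.168.0.100
[INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8090
[INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:3246
[INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:9000
[INFO]Sun Feb 01 06:56:21 2004Blocked incoming TCP connection request from 222.186.13.212:12200 to 174.39.177.244:8085
[INFO]Sun Feb 01 06:55:52 2004Blocked incoming TCP connection request from 202.102.234.87:12200 to 174.39.177.244:2301
[INFO]Sun Feb 01 06:45:21 2004Blocked incoming UDP packet from 217.127.202.113:1029 to 174.39.177.244:137
[INFO]Sun Feb 01 06:43:25 2004Blocked incoming TCP packet from 184.85.253.93:80 to 174.39.177.244:58716 with unexpected acknowledgement 2292296730 (expected 2292296735 to 2292296736)
[INFO]Sun Feb 01 06:41:30 2004Blocked incoming TCP connection request from 174.39.137.45:13267 to 174.39.177.244:445
[INFO]Sun Feb 01 06:41:30 2004Above message repeated 1 times
[INFO]Sun Feb 01 06:40:49 2004Blocked incoming TCP connection request from 174.39.137.45:9957 to 174.39.177.244:135
"""

# The router runs level, timestamp and message together; one line in the post
# shows the same record with spaces, so whitespace between fields is optional.
HEADER_RE = re.compile(
    r"^\[(?P<level>\w+)\]\s*"
    r"(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s*"
    r"(?P<msg>.*)$"
)
BLOCKED_RE = re.compile(
    r"^Blocked incoming (?P<proto>TCP|UDP) (?P<kind>connection request|packet) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)
REPEAT_RE = re.compile(r"^Above message repeated (?P<n>\d+) times")


def parse_log(text):
    """Turn raw router log text into a list of event dicts.

    'Above message repeated N times' lines are folded into the previous
    event's count rather than emitted as events of their own.
    """
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = HEADER_RE.match(line)
        if not head:
            events.append({"kind": "unparsed", "raw": line, "count": 1})
            continue
        msg = head.group("msg").strip()
        rep = REPEAT_RE.match(msg)
        if rep and events:
            events[-1]["count"] += int(rep.group("n"))
            continue
        event = {
            "level": head.group("level"),
            "ts": datetime.strptime(head.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "msg": msg,
            "count": 1,
        }
        blocked = BLOCKED_RE.match(msg)
        if blocked:
            event.update(blocked.groupdict())
            event["sport"] = int(event["sport"])
            event["dport"] = int(event["dport"])
            # keep connection requests distinct from stray blocked packets
            event["kind"] = "blocked " + blocked.group("kind")
        else:
            event["kind"] = "other"
        events.append(event)
    return events


def summarize(events):
    """Aggregate blocked inbound traffic per source address."""
    summary = defaultdict(
        lambda: {"hits": 0, "dst_ports": set(), "src_ports": set(), "protos": set()}
    )
    for ev in events:
        if not ev["kind"].startswith("blocked"):
            continue
        s = summary[ev["src"]]
        s["hits"] += ev["count"]
        s["dst_ports"].add(ev["dport"])
        s["src_ports"].add(ev["sport"])
        s["protos"].add(ev["proto"])
    return dict(summary)


def flag_sweepers(summary, min_ports=3):
    """Sources that probed at least `min_ports` distinct destination ports.

    The default threshold is a constructed example value, not a recommendation.
    """
    return sorted(src for src, s in summary.items() if len(s["dst_ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src:<16} hits={s['hits']:<3} dst_ports={sorted(s['dst_ports'])}")
    print("port-sweep candidates:", flag_sweepers(summary))
```

The per-source view is what turns a wall of log lines into something a defender can act on: one address hitting four different ports within the same second looks quite different from a single blocked packet, and the script keeps the two classes of entry apart (a "connection request" versus a "packet" flagged for an unexpected acknowledgement, such as the one from 184.85.253.93:80) because the router logs them for different reasons.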
