A Krebsonsecurity piece looks into the unknown party behind the Rustock botnet, and whether it may have been operated by just one person.
By interviewing investigators involved in the takedown, a joint operation carried out by Microsoft, FireEye, and various law enforcement agencies, Krebs determined that a third of the command and control servers had been rented from American hosting providers by one small business. Based in Eastern Europe, the business specializes in reselling servers from hosting providers on online criminal forums.
The man behind this operation, whom Krebs found on one such Russian forum, claims his business and servers are legitimate, and that his responsibility to the data centers is to ensure that his customers follow the terms of service. He agreed to an interview with Brian Krebs on the condition that Krebs not mention his operation’s name or location.
The reseller gave Krebs information on a client who owed him $1,600 in outstanding rental fees. That client is suspected of being Rustock’s operator, though the reseller claims not to have known this. According to Krebs’s report, the client kept a low profile: the reseller received only two abuse complaints about him, but apparently this is typical of botnet command and control servers. They are rarely used directly for high-profile activities like sending spam or carrying out malware attacks; instead they coordinate, update, and instruct the infected PCs, in this case hundreds of thousands of them.
Krebs was able to follow the money through SpamIt’s financial books, which were sent to him by an anonymous source following the spam affiliate program’s widely publicized takedown in September. As it turned out, the reseller received payments for his servers from an “attested” WebMoney account, meaning that the account holder, whom a former law enforcement agent identified as Vladimir Shergin, had verified that account with an official Russian passport (WebMoney is more or less Eastern Europe’s answer to PayPal). The reseller provided Krebs with the unique ID attached to that account, and that ID had ties to three top promoters in SpamIt’s records.
Those promoters operated under the pseudonyms Cosma2k, Bird, and Adv1. Cosma2k’s WebMoney account was consistently listed among the top earners in SpamIt’s records, earning more than half a million dollars in three years. This represented only a portion of Cosma2k’s earnings, though, because the records show one other WebMoney account to which this person was connected. Also connected with this second account were SpamIt members Bird and Adv1. All three entered the same ICQ number when registering not only with SpamIt, but also with a competitor, Rx-Promotion. In total, the three pseudonyms earned more than $2 million from SpamIt and $200,000 from Rx-Promotion.
So, Krebs believes that if it is indeed Cosma2k who is behind Rustock, then either control of the botnet is shared among three individuals, or Cosma2k, Bird, and Adv1 are separate aliases of one person, a move designed to hide this person’s success and prevent feelings of resentment among other SpamIt members. This second theory is somewhat supported by Alex Lanstein, a network architect at FireEye, who claims that the Mega-D and Zeus bots have proven that it takes only one coder to run a successful bot.
“Most people probably assume that to be wildly successful in the world of botnets, you need to have a huge team of programmers. Most malware these days is specialized with only one or two real functions built-in,” Lanstein told Krebs. “Why incur the overhead of splitting profits when a bot operator can pay one-time fees to a 3rd party service and keep the real profit for yourself?”
Evidently Microsoft had also been in touch with Krebs’s informant reseller and came across much of the same information. The company plans to publish this information at noticeofpleading.com and in various Russian publications, along with notice to the individual or individuals behind the bot that there is an upcoming court hearing in Seattle that Rustock’s operators are expected to attend.