Tuesday, June 28, 2022

The Link Between AWM Proxy & the Glupteba Botnet – Krebs on Security


On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy, a 14-year-old anonymity service that rents hacked PCs to cybercriminals, abruptly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy's founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a. TDL-4 and Alureon), a stealthy "rootkit" that installs deep inside infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim's network, such as Internet routers and media storage servers, for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polska) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through "pay-per-install" or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware (a spambot or password-stealing Trojan, for example) to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network's installer with pirated software titles that are widely available for download via the Web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image: Google.com.

Over the past decade, both Glupteba and AWM Proxy have grown considerably. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned Meris, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy's online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy's domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the "RSOCKS" botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world's largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week's story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google's combined legal sneak attack and technical takedown targeting Glupteba.

"The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7," Kilmer said. "It's not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware."

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found every Internet address being sold by RSOCKS was also present in AWM Proxy's network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

"A hundred percent of the IPs we got back from RSOCKS we'd already identified in AWM," Kilmer said. "And the IP port combinations they give you when you access an individual IP were the same as from AWM."

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer's revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were more clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.

IF YOUR PLAN IS TO RIP OFF GOOGLE…

Supporting Kilmer's theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in AD1[.]ru, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it's more than a little ironic that the crucial piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (UA-3816536).

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar Domenadom[.]ru, and the website web-site[.]ru, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code, Russian plastics manufacturers techplast[.]ru and tekhplast.ru, also shared a different Google Analytics code (UA-1838317) with web-site[.]ru and with the domain "starovikov[.]ru."
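As an added example (not from the article), the pivot used in the last three paragraphs can be automated: extract Google Analytics account IDs from saved page HTML and group the domains that embed the same account. The HTML snippets and `.example` domains below are constructed for illustration, and the pairing of IDs to domains is not a record of the real sites.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: one HTML fragment per domain, shaped like the classic
# Google Analytics snippets (_getTracker, _setAccount, ga('create')).
# Domains are .example placeholders; the pairings are illustrative only.
SAMPLE_PAGES = {
    "awmproxy.example": '<script>var t = _gat._getTracker("UA-3816536-1");</script>',
    "domenadom.example": "<script>_gaq.push(['_setAccount', 'UA-3816536-2']);</script>",
    "web-site.example": ("<script>_gat._getTracker('UA-3816536-3');</script>"
                         "<script>ga('create', 'UA-1838317-1', 'auto');</script>"),
    "techplast.example": "<script>ga('create', 'UA-1838317-4', 'auto');</script>",
    "starovikov.example": "<script>ga('create', 'UA-1838317-2', 'auto');</script>",
    "unrelated.example": "<script>ga('create', 'UA-99999999-1', 'auto');</script>",
}

# UA-<account>-<property>: the account number identifies the owner; the
# property suffix differs per site, so it is matched but thrown away.
UA_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")


def extract_accounts(html):
    """Return the set of GA account numbers (suffix stripped) embedded in html."""
    return {m.group(1) for m in UA_RE.finditer(html)}


def index_by_account(pages):
    """Map each GA account number to the sorted list of domains embedding it."""
    idx = defaultdict(set)
    for domain, html in pages.items():
        for acct in extract_accounts(html):
            idx[acct].add(domain)
    return {acct: sorted(doms) for acct, doms in idx.items()}


def shared_accounts(pages):
    """Return {(domain_a, domain_b): {accounts}} for every pair sharing an account."""
    links = defaultdict(set)
    for acct, doms in index_by_account(pages).items():
        for a, b in combinations(doms, 2):  # doms is sorted, so a < b
            links[(a, b)].add(acct)
    return dict(links)


if __name__ == "__main__":
    for (a, b), accts in sorted(shared_accounts(SAMPLE_PAGES).items()):
        print(f"{a} <-> {b} via UA-{', UA-'.join(sorted(accts))}")
```

A shared account is a lead, not proof: web agencies and copied page templates also spread one ID across unrelated clients, so each link still needs corroboration of the kind the article goes on to use (WHOIS history and breach-data pivots).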

The name on the WHOIS registration records for the plastics domains is an "Alexander I. Ukraincki," whose personal information is also included in the domains tpos[.]ru and alphadisplay[.]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses begin with some variation of "uai@" followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). [Full disclosure: Constella is currently an advertiser on this website].

But Constella also shows those different email addresses all relied on a handful of passwords, most commonly "2222den" and "2222DEN." Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username "dennstr."

The dennstr identity leads to several variations on the same name, Denis Strelinikov or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And perhaps that was the point.

Issues started wanting brighter after I ran a search in DomainTools for web-site[.]ru’s unique WHOIS information, which exhibits it was assigned in 2005 to a “personal individual” who used the e-mail handle lycefer@gmail.com. A search in Constella on that e mail handle says it was used to register practically two dozen domains, together with starovikov.ru and starovikov[.]com.

A cached copy of the contact page for Starovikov[.]com shows that in 2008 it displayed the personal information for a Dmitry Starovikov, who listed his Skype username as "lycefer."

Finally, Russian incorporation documents show the company LLC Web Site (web-site[.]ru) was registered in 2005 to two men, one of whom was named Dmitry Sergeevich Starovikov.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google's lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google's complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google's legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for "VIP access," AWM Proxy says its malware has been running on roughly 175,000 systems worldwide over the past 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there's an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a lot of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the true force multipliers of cybercrime.
