Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
Waledac and Storm were major distributors of pharmaceutical and malware spam. At its peak, Waledac was responsible for sending 1.5 billion junk emails per day. According to Microsoft, in one month alone approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks, and more. The Storm worm botnet also sent billions of messages daily and infected an estimated one million computers worldwide.
Both Waledac and Storm were hugely innovative because they each included self-defense mechanisms designed specifically to stymie security researchers who might try to dismantle the crime machines. Traditional botnets are controlled by Internet servers that can be shuttered just like McColo or Atrivo. But Waledac and Storm sent updates and other instructions via a peer-to-peer communications system not unlike popular music and file-sharing services. The beauty of this approach is that even if security researchers or law-enforcement officials manage to seize the botnet’s back-end control servers and clean up huge numbers of infected PCs, the botnets could respawn themselves by relaying software updates from one infected PC to another.
According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 sending spam advertising for rogue online pharmacy sites over a three-year period. He also was a moderator of Spamdot.biz.
Severa made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send one million pieces of spam. Junk email campaigns touting employment or “money mule” scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.
There is ample evidence in the leaked SpamIt chats that Severa controlled the Waledac spam botnet. On August 27, 2009, Severa sent a private message to a Spamdot.biz user named “IP-server.” Those communications show that the latter had sold Severa access to so-called “bulletproof hosting” services that would stand up to repeated abuse claims from other Internet service providers (ISPs). The messages indicate that Severa transacted with IP-server to purchase dedicated servers used to control the operations of the Waledac botnet.
In the private message, Severa wrote to IP-server (translated from Russian): “Hello, writing to your ICQ, you are not responding. One of the servers has been down for 5 hours. The one ending on .171. What’s the problem, is it coming up or not, and when?” Severa then pasted an error message sent by the problematic web server. IP-server must have resolved the outage, because the Internet address that Severa was complaining about—193.27.246.171—would be flagged a day later by malware analysts and tagged as a control server for the Waledac botnet.
The federal indictment lists Severa’s name as “Peter Severa,” but this last name may be a pseudonym. According to anti-spam activists at Spamhaus.org, Severa’s real name is Peter Levashov.[10]
Why should anyone care who Severa really is? Much like his close associate—Cosma, the Rustock botmaster—Severa may also have a $250,000 bounty on his head. The Conficker worm, a global contagion launched in 2009 that quickly spread to an estimated 9 to 15 million computers worldwide, prompted an unprecedented international response from security experts. This group of experts, dubbed the “Conficker Cabal,” sought in vain to corral the spread of the worm.
But despite infecting huge numbers of Microsoft Windows systems, Conficker was never once used to send spam. In fact, the only thing that Conficker-infected systems ever did was download and spread a new version of the Waledac botnet. Later that year, Microsoft announced it was offering a $250,000 reward for information leading to the arrest and conviction of the Conficker author(s). Some security experts believe this proves a link between Severa and Conficker.
Severa and Cosma had met one another several times in their years together in the stock spamming business, and they appear to have known each other intimately enough to be on a first-name basis. Included in the archived Spamdot.biz records that were leaked to me is a series of private messages exchanged between Cosma and Severa on May 25 and May 26, 2010. In it, Severa refers to Cosma as “Dimas,” a familiar form of “Dmitri.” Likewise, Cosma addresses Severa as “Petka,” a common Russian diminutive of “Peter.”
Both Severa and Cosma remain free and quite active in the spam and malware scene. Severa is still the spam subforum administrator on several underground forums, pimping his spam services, remarkably at most of the same prices he offered them for in 2008. The spam botnets that Severa maintains continue to inundate inboxes with junk email promoting fly-by-night products and spreading malicious software.
According to the leaked SpamIt data, the second most successful affiliate in the program was a member nicknamed “GeRa.” Over a three-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.
A variety of data suggest that GeRa is the lead hacker behind Grum, a spam botnet that could send more than 18 billion emails a day prior to its takedown in 2012.
GeRa and Stupin chatted online by ICQ almost every day, usually because GeRa was complaining that some portion of his spamming infrastructure wasn’t working properly. In fact, Stupin would remark that GeRa was by far the most bothersome of all the program’s top spammers, telling a fellow SpamIt administrator that “neither Docent [Mega-D botmaster] nor Cosma [Rustock botmaster] can compare with him in terms of trouble with hosting providers.”
Several of the leaked Stupin chats show GeRa pointing out issues with specific Internet addresses that would later be flagged as control servers for the Grum botnet. For example, in a chat with Stupin on June 11, 2008, GeRa posts a link to the address 206.51.234.136. Then after checking the server, he proceeds to tell Stupin how many infected PCs were phoning home to that address at the time. That same server has long been identified as a Grum botnet controller.
By this time, Grum had grown to such an established threat that it was named in the “Top Spam Botnets Exposed” paper released by Dell SecureWorks researcher Joe Stewart. On April 13, 2008—just five days after Stewart’s analysis was released—GeRa would post a link to it into a chat with Stupin, saying “Haha, I am also on the list!”
The chats between GeRa and Stupin show that at some point GeRa defected from working with SpamIt to spam for Rx-Promotion. Researchers from the University of California, San Diego (UCSD) who studied the leaked Rx-Promotion affiliate data noted that all Rx-Promotion pharmacy sites included a “site_id” in their source code, which uniquely identified the store for later assigning advertising commissions. The researchers discovered that whenever Grum advertised an Rx-Promotion site, this identifier was always the same: 1811. According to the leaked Rx-Promotion database, that affiliate ID belongs to a user named “gera.”
“It doesn’t prove that GeRa owned Grum,” said Stefan Savage, a professor in the systems and networking group at UCSD and coauthor of the study. “But it does show that when Grum advertised for Rx-Promotion, it was for sites where commissions were paid to someone whose nickname was ‘GeRa.’”
According to payment records leaked from GlavMed and Rx-Promotion, GeRa received commission payments for all of those accounts to a WebMoney purse with the ID number 112024718270. According to a source who has the ability to look up identity information attached to WebMoney accounts, that purse was set up in 2006 by someone who walked into a WebMoney office in Moscow and presented a Russian passport. The name on the passport was that of a twenty-six-year-old named Nikolai Alekseevich Kostogryz. (My attempts to contact Kostogryz to confirm if GeRa was indeed him or if his identity had been stolen were unsuccessful.)
Stupin’s chat records and GeRa’s private messages on Spamdot.biz reveal a belligerent, argumentative hacker who seemed to be perpetually angry about getting screwed over by someone. GeRa had a long-running feud with FTPFire, a SpamIt member that he referred to the program. In one of his conversations with Stupin, GeRa stated that he wanted to find the guy and “take care” of him in “the Italian way.” He told Stupin that he had some police officers on his payroll and had asked them to locate FTPFire.
GeRa also said he was robbed of $30,000 when a rogue antivirus partnerka he was working with folded. That criminal outfit, called BakaSoftware, was in the scareware racket, inundating victims with increasingly alarmist warnings about security threats and viruses on their PCs. These warnings would continue until the victim either paid to license mostly useless security software or figured out a way to remove the invasive program.[11]
Although it is unclear if GeRa is still active in the spam scene, his contribution to the junk email world lives on. The source code for his Grum botnet has been sold to several other spammers who have apparently modified it for their own purposes and are currently using it to blast junk email.
Few botmasters were as angry and as vindictive as “Engel,” the nickname chosen by the convicted Russian spammer named Igor A. Artimovich, and his brother, Dmitry. Engel allegedly maintained the Festi botnet and, for a time, spammed for both Rx-Promotion and SpamIt. But in 2009, a series of incidents and altercations between himself and the SpamIt administrators would turn him forever against the SpamIt program and make him a close ally of Pavel Vrublevsky. Ironically, that alliance would eventually lead to Vrublevsky’s and Rx-Promotion’s undoing.[12]
First spotted in autumn 2009, Festi quickly became a potent threat on the botnet scene. According to ESET, a Slovakian antivirus and security firm, Festi was at the time among the most powerful and active botnets for sending spam and for launching distributed denial of service (DDoS) attacks. A vocal and often combative member on the Spamdot.biz forum, Engel referred to his botnet as “Topol Mailer.” That moniker was an oblique reference to the Russian-made intercontinental ballistic missile known as Topol-M, an apt nickname for a botnet that once delivered a third of all spam to inboxes around the globe, but principally to Americans.
Engel’s profile on Spamdot.biz listed his email address as “[email protected].” That domain is no longer online, but archive.org reveals that Engel used it as the home base for a bot whose sole purpose was to harvest email addresses from billions of web pages. Engel claimed publicly that the bot was nothing more than a research project, but he bragged privately to Spamdot members that his search bot could scour hundreds of sites simultaneously and quickly collect “hundreds of megabytes” of email lists.
Early in his work for SpamIt, Engel began to suspect that Gusev and Stupin were “shaving” his commissions—essentially not paying him all of the money that he was due from pharmaceutical sales at sites that he had promoted using spam sent from the Festi botnet. SpamIt’s Gusev and Stupin denied that they were shaving commissions—and they were truthful in their denial—but private chats leaked by Stupin show this was only a half-truth.
Those chats show that the Cutwail botmaster Gugle (Dmitry Nechvolod) had somehow hijacked portions of Festi’s traffic and diverted the spam destined for Engel’s pharmacy sites to his own pill shops. Gusev and Stupin were aware of this activity, but seemed unwilling to do much about it—mainly because they intensely disliked Engel and already suspected that he was too closely allied with Vrublevsky.
By 2009, Engel became so embittered over continued allegations of being shortchanged on commissions that he began using the Spamdot.biz forum to aggressively promote his own new pharmacy partnerka and forum—Spamplanet.net. In short order, he succeeded in luring away several top botmasters, including Cosma, the Rustock botmaster.
Gusev and Stupin decided this activity, combined with Engel’s increasingly public and combative allegations of shaving, were unacceptable, and banned Engel from their forum. When the SpamIt administrators ignored Engel’s demands to re-enable his account, Engel used the Festi botnet to launch a long series of crushing DDoS attacks against SpamIt and its network of pill-shop sites, decreasing revenue for everyone in the partnerka.
The spammers profiled in this chapter were in charge of building and maintaining some of the world’s most powerful and disruptive spam botnets, and as a result are or were responsible for a huge chunk of the junk email sent globally each day. Collectively, their spam botnets have infected tens of millions of computers over the years, and gobbled up personal and financial data from countless consumers in the process.
Individually, these junk email artists earned a few million dollars for their efforts, yet they’ve forced businesses and consumers to spend hundreds of millions more shoring up digital defenses to fight their daily glut of crimeware.
But these spammers were mere vassals and barons in charge of warring fiefdoms. The real authors of this economic asymmetry—the kingpins who created the pharmacy partnerkas—used the spammers like so many pawns in a high-stakes game of chess, a costly conflict that denizens of the digital underground would soon dub the “Pharma Wars.”
10. I contacted Severa using the instant messenger address that he provides on multiple cybercrime forums on which he is a global moderator for discussions about junk email and spam services. The person answering messages on that address said he didn’t know any Severa, that he’d never used botnets for mass mailing campaigns, and that he only conducted small, targeted email campaigns for clients.
11. It’s worth noting that BakaSoftware’s core credit-card processor was ChronoPay.
12. According to the New York Times in 2013, Artimovich does not deny going by the nickname Engel, but he does deny using botnets or sending spam, and says he was only hired by ChronoPay to help the company build an antivirus product.