On December 7, 2021, Google announced that it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware threat that has infected millions of computers over the past decade. That same day, AWM Proxy – a 14-year-old anonymity service that rents out hacked PCs to cybercriminals – has suddenly gone offline. Security experts have long seen a connection between Glupteba and AWM Proxy, but new research shows that the founder of AWM Proxy is one of the men Google is suing.
Launched in March 2008, AWM Proxy quickly became the biggest service for scammers looking to route their malicious web traffic through compromised devices. In 2011, researchers from Kaspersky Lab showed that virtually every hacked system for rent from AWM Proxy had been compromised by TDSS (a.k.a TDL-4 and Alureon), a stealthy “rootkit” that installs itself deep into infected PCs and loads itself even before the underlying Windows operating system boots.
In March 2011, security researchers from ESET found TDSS was used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and attempts to compromise other devices on the victim’s network – such as routers Internet and media storage servers – for use in relaying spam or other malware. Traffic.
Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and through traffic purchased from Traffic Distribution Systems (TDS). Pay-per-install networks attempt to match cybercriminals who already have access to large numbers of hacked PCs with other scammers looking for wider distribution of their malware.
In a typical PUP network, customers submit their malware (a spambot or a password-stealing Trojan, for example) to the service, which in turn charges per thousand successful installs, with the price depending on the geographical location requested. desired victims. One of the most common ways for PPI affiliates to generate revenue is by secretly bundling the PPI network installer with pirated software titles widely available for download via the web or from file sharing networks .
Over the past decade, Glupteba and AWM Proxy have grown tremendously. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to around 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times more hacked systems every day, and Glupteba had grown to more than one million infected devices worldwide.
There is also ample evidence to suggest that Glupteba may have spawned Merisa massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive Distributed Denial of Service (DDoS) attacks the Internet has ever seen.
But on December 7, 2021, Google announcement he had taken technical measures to dismantle the Glupteba botnet, and filed a civil suit (PDF) against two Russian men suspected of being responsible for the operation of the vast criminal machine. AWM Proxy’s online storefront disappeared the same day.
AWM Proxy quickly alerted its customers that the service had migrated to a new domain, with all customer balances, passwords and purchase histories seamlessly transferred to the new home. However, subsequent takedowns targeting AWM Proxy domains and other infrastructure conspired to keep the service on the ropes and changing domains frequently ever since.
Earlier this month, the United States, Germany, the Netherlands and the United Kingdom dismantled the “SOCKSbotnet, a competing proxy service that had been operating since 2014. KrebsOnSecurity identified the owner of RSOCKS as a 35-year-old man from Omsk, Russia, who runs the world’s largest forum for spammers.
Shortly after last week’s story about the founder of RSOCKS, I heard from Riley Kilmerco-founder of Spur.us, a startup that tracks down criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.
“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number dropped to zero on December 7,” Kilmer said. “It is unclear whether this means the services were operated by the same people, or whether they simply used the same sources (i.e. PUPs) to generate new installations of their malware. .”
Kilmer said that whenever his company tried to determine how many systems RSOCKS had for sale, it discovered that every internet address that RSOCKS sold was also present in AWM Proxy’s network. Additionally, Kilmer said, the application programming interfaces (APIs) used by the two services to track infected systems were virtually identical, again suggesting strong collaboration.
“One hundred percent of the IP addresses we retrieved from RSOCKS were already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP address were the same as AWM.”
In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take another look at the origins of this sprawling cybercriminal enterprise to determine if there was additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.
IF YOUR PLAN IS TO GET GOOGLE…
In support of Kilmer’s theory that AWM Proxy and RSOCKS could simply be using the same PPI networks to spread, further research shows that the owner of RSOCKS also had a stake in AD1[.]ruan extremely popular Russian-language pay-per-install network that has been operating for at least a decade.
Google targeted Glupteba in part because its owners were using the botnet to hijack and steal huge amounts of online ad revenue. So it’s more than a little ironic that the essential piece of evidence linking all of these operations begins with a Google Analytics code included in the original AWM proxy HTML code in 2008 (UA-3816536).
This scan code was also present on a handful of other sites over the years, including the now defunct Russian domain name registrar. Domination[.]ruand the website website[.]ruwhich oddly enough was a Russian company operating a global real estate appraisal business called American assessment.
Two other domains connected to this Google Analytics code — Russian plastics manufacturers techplast[.]ru and tekhplast.ru — also shared another Google Analytics code (UA-1838317) with website[.]ru and with the domain “starovikov[.]ru.”
The name on the WHOIS registration records for the plastics domains is a “Alexander I. Ukraincki”, whose personal information is also included in the tpos domains[.]ru and alpha display[.]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.
Constellation Intelligence, a security company that indexes passwords and other personal information exposed in past data breaches, has revealed dozens of variations of email addresses used by Alexander I. Ukraincki over the years. Most of these email addresses begin with some variation of “[email protected]” followed by a domain from one of the many Russian mail providers (eg, yandex.ru, mail.ru). [Full disclosure: Constella is currently an advertiser on this website].
But Constella also shows these various email addresses all relying on a handful of passwords – most often”2222den” and “2222DEN.” These two passwords have been used almost exclusively over the past decade by the person who registered more than a dozen email addresses with the username “dennstr.”
The dennstr identity leads to several variations of the same name – Denis Strelinikov, or Denis Stranatka, from Ukraine, but these clues ultimately didn’t lead to anything promising. And maybe that was the point.
Things started looking up after I ran a search in DomainTools for website[.]ru’s original WHOIS records, which show it was assigned in 2005 to a “private person” who used the email address [email protected]. A search in Constella on this email address indicates that it was used to register almost two dozen domains, including starovikov.ru and starovikov[.]com.
A cached copy of Starovikov’s contact page[.]com shows that in 2008 he posted the personal information of a Dmitry Starovikovwho listed his Skype username as “lycefer”.
Finally, the Russian incorporation documents To display the LLC Company’s website (website[.]ru) was registered in 2005 to two men, one of whom was named Dmitry Sergeyevich Starovikov.
To close the loop, Google lists Starovikov as one of two operators of the Glupteba botnet:
Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s lawsuit in the Southern District of New York, denying (PDF) that their clients had any knowledge of the scheme.
Despite all the disruption caused by Google’s legal and technical interference, AWM is still around and nearly as healthy as ever, despite the service being branded with a new name and there are dubious claims from new owners. Announcing customer packages ranging from $50 per day to almost $700 for “VIP access”, AWM Proxy says its malware has been run on approximately 175,000 systems worldwide in the past 24 hours, and that approximately 65,000 of these systems are currently online.
Meanwhile, RSOCKS admins recently alerted customers that the service and any unspent balance will soon be migrated to a new location.
Many people seem to equate the time, money and effort required to investigate and prosecute cybercriminals with the largely failed War on Drugs, which means there is an endless supply of promising scam artists out there who will always fill the gaps in the workforce whenever cybercriminals will be confronted. Justice.
While this may be true for many low-level cyber thieves today, surveys like these once again show just how small the underground cybercriminal really is. It also shows how entirely logical it is to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the true multipliers of cybercrime.