On December 7, 2021, Google introduced it was suing two Russian males allegedly chargeable for working the Glupteba botnet, a world malware menace that has contaminated thousands and thousands of computer systems over the previous decade. That very same day, AWM Proxy — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — instantly went offline. Safety specialists had lengthy seen a hyperlink between Glupteba and AWM Proxy, however new analysis exhibits AWM Proxy’s founder is without doubt one of the males being sued by Google.
Launched in March 2008, AWM Proxy shortly grew to become the biggest service for crooks looking for to route their malicious Net visitors by way of compromised units. In 2011, researchers at Kaspersky Labthat just about the entire hacked programs for lease at AWM Proxy had been compromised by TDSS (a.okay.a ), a stealthy “rootkit” that installs deep inside contaminated PCs and masses even earlier than the underlying Home windows working system boots up.
In March 2011, safety researchers at ESETTDSS was getting used to deploy Glupteba, one other rootkit that steals passwords and different entry credentials, disables safety software program, and tries to compromise different units on the sufferer’s community — similar to Web routers and media storage servers — to be used in relaying spam or different malicious visitors.
Like its predecessor TDSS, Glupteba is primarily distributed by way of, and through visitors bought from visitors distribution programs (TDS). Pay-per-install networks attempt to match cybercriminals who have already got entry to giant numbers of hacked PCs with different crooks looking for broader distribution of their malware.
In a typical PPI community, purchasers will submit their malware—a spambot or password-stealing Trojan, for instance —to the service, which in flip prices per thousand profitable installations, with the worth relying on the requested geographic location of the specified victims. Probably the most widespread methods PPI associates generate income is by secretly bundling the PPI community’s installer with pirated software program titles which might be extensively obtainable for obtain through the net or from file-sharing networks.
Over the previous decade, each Glupteba and AWM Proxy have grown considerably. When KrebsOnSecurity, the service was promoting entry to roughly 24,000 contaminated PCs scattered throughout dozens of nations. Ten years later, AWM Proxy was providing 10 occasions that variety of hacked programs on any given day, and Glupteba had grown to a couple of million contaminated units worldwide.
There’s additionallyto recommend that Glupteba could have spawned Meris, that surfaced in September 2021 and was chargeable for a few of the largest and most disruptive distributed denial-of-service (DDoS) assaults the Web has ever seen.
However on Dec. 7, 2021, Googleit had taken technical measures to dismantle the Glupteba botnet, and (PDF) towards two Russian males regarded as chargeable for working the huge crime machine. AWM Proxy’s on-line storefront disappeared that very same day.
AWM Proxy shortly alerted its clients that the service had moved to a brand new area, with all buyer balances, passwords and buy histories seamlessly ported over to the brand new residence. Nonetheless, subsequent takedowns focusing on AWM Proxy’s domains and different infrastructure have conspired to maintain the service on the ropes and incessantly switching domains ever since.
Earlier this month, america, Germany, the Netherlands and the U.Ok. dismantled the “RSOCKS” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity haswho runs the world’s largest discussion board catering to spammers.
Shortly after final week’s story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of, a startup that tracks legal proxy companies. Kilmer mentioned RSOCKS was equally disabled after Google’s mixed authorized sneak assault and technical takedown focusing on Glupteba.
“The RSOCKS web site gave you the estimated variety of proxies in every of their subscription packages, and that quantity went all the way down to zero on Dec. 7,” Kilmer mentioned. “It’s not clear if which means the companies had been operated by the identical folks, or in the event that they had been simply utilizing the identical sources (i.e., PPI applications) to generate new installations of their malware.”
Kilmer mentioned every time his firm tried to find out what number of programs RSOCKS had on the market, they discovered every Web handle being offered by RSOCKS was additionally current in AWM Proxy’s community. As well as, Kilmer mentioned, the appliance programming interfaces (APIs) utilized by each companies to maintain monitor of contaminated programs had been just about similar, as soon as once more suggesting sturdy collaboration.
“100% of the IPs we acquired again from RSOCKS we’d already recognized in AWM,” Kilmer mentioned. “And the IP port combos they offer you whenever you entry a person IP had been the identical as from AWM.”
In 2011, KrebsOnSecurity printed an investigation that, however Kilmer’s revelation prompted me to take a contemporary take a look at the origins of this sprawling cybercriminal enterprise to find out if there have been further clues displaying extra concrete hyperlinks between RSOCKS, AWM Proxy and Glupteba.
IF YOUR PLAN IS TO RIP OFF GOOGLE…
Supporting Kilmer’s principle that AWM Proxy and RSOCKS could merely be utilizing the identical PPI networks to unfold, additional analysis exhibits the RSOCKS proprietor additionally had an possession stake in, an especially in style Russian-language pay-per-install community that has been in operation for a minimum of a decade.
Google took intention at Glupteba partially as a result of its homeowners had been utilizing the botnet to divert and steal huge sums in internet marketing income. So it’s greater than a bit of ironic that the essential piece of proof linking all of those operations begins with a Google Analytics code included within the HTML code for the unique AWM Proxy again in 2008 (UA-3816536).
That analytics code additionally was current on a handful of different websites through the years, together with the now-defunct Russian area identify registrar Domenadom[.]ru, and the web site web-site[.]ru, which curiously was a Russian firm working a world actual property appraisal enterprise referred to as.
Two different domains related to that Google Analytics code — Russian plastics producers techplast[.]ru and tekhplast.ru — additionally shared a distinct Google Analytics code (UA-1838317) with web-site[.]ru and with the area “starovikov[.]ru.”
The identify on the WHOIS registration data for the plastics domains is an “Alexander I. Ukraincki,” whose private info is also included within the domains tpos[.]ru and alphadisplay[.]ru, each apparently producers of point-of-sale cost terminals in Russia.
, a safety agency that indexes passwords and different private info uncovered in previous information breaches, revealed dozens of variations on e mail addresses utilized by Alexander I. Ukraincki through the years. Most of these e mail addresses begin with some variation of “uai@” adopted by a site from one of many many Russian e mail suppliers (e.g., yandex.ru, mail.ru). [Full disclosure: Constella is currently an advertiser on this website].
However Constella additionally exhibits these totally different e mail addresses all relied on a handful of passwords — mostly “2222den” and “2222DEN.” Each of these passwords have been used nearly solely up to now decade by the one that registered greater than a dozen e mail addresses with the username “dennstr.”
The dennstr identification results in a number of variations on the identical identify — Denis Strelinikov, or Denis Stranatka, from Ukraine, however these clues in the end led nowhere promising. And possibly that was the purpose.
Issues started wanting brighter after I ran a search infor web-site[.]ru’s unique WHOIS data, which exhibits it was assigned in 2005 to a “non-public particular person” who used the e-mail handle email@example.com. A search in Constella on that e mail handle says it was used to register practically two dozen domains, together with starovikov.ru and starovikov[.]com.
Aexhibits that in 2008 it displayed the private info for a Dmitry Starovikov, who listed his Skype username as “lycefer.”
Lastly, Russian incorporation paperworkthe corporate LLC Web site (web-site[.]ru)was registered in 2005 to 2 males, certainly one of whom was named Dmitry Sergeevich Starovikov.
Bringing this full circle, Google says Starovikov is without doubt one of the two operators of the Glupteba botnet:
Mr. Starovikov didn’t reply to requests for remark. However attorneys for Starovikov and his co-defendant final month filed a response to Google’s grievance within the Southern District of New York,(PDF) their purchasers had any data of the scheme.
Regardless of the entire disruption attributable to Google’s authorized and technical meddling, AWM remains to be round and practically as wholesome as ever, though the service has been branded with a brand new identify and there are doubtful claims of recent homeowners. Promoting buyer plans starting from $50 a day to almost $700 for “VIP entry,” AWM Proxy says its malware has been working on roughly 175,000 programs worldwide during the last 24 hours, and that roughly 65,000 of those programs are at the moment on-line.
In the meantime, the directors of RSOCKS just lately alerted clients that the service and any unspent balances will quickly be migrated over to a brand new location.
Many individuals appear to equate spending time, cash and energy to analyze and prosecute cybercriminals with the largely failed conflict on medicine, that means there may be an limitless provide of up-and-coming crooks who will all the time fill in any gaps within the workforce every time cybercriminals face justice.
Whereas which may be true for a lot of low-level cyber thieves in the present day, investigations like these present as soon as once more how small the cybercriminal underground actually is. It additionally exhibits the way it makes a substantial amount of sense to focus efforts on focusing on and disrupting the comparatively small variety of established hackers who stay the actual drive multipliers of cybercrime.