As reported previously, the TDSS rootkit malware – and its associated botnet – is one of the world's major botnet swarms and has been recoded several times to increase and refine its efficiency.
Krebs – of the Krebs on Security newswire – says that his earlier story on TDSS was picked up by the Slashdot newswire and one of the comments on that report noted that the awmproxy.net storefront for the botnet has/had a Google Analytics code embedded.
Krebs has discovered that the same code, UA-3816538, is embedded in six other sites, including awmproxy.com, according to a lookup at ReverseInternet.com.
“Using domaintools.com, I was able to find the historical web site registration records for awmproxy.com (the historical data for awmproxy.net is hidden). Those records show that the domain was registered on Feb. 27, 2008 to an individual in Russia who used the email address fizot@mail.ru. Another web site with that same Google Analytics code, pornxplayer.com (a hostile site), also includes that email address in its historical records. Awmproxy began offering proxies on March 16, 2008”, Krebs says in his latest security posting.
From there, the security researcher identified the registrant as Galdziev Chingiz of St. Petersburg, Russia, who appears to use multiple email addresses.
Googling for the fizot@mail.ru address, Krebs goes on to say, turns up a LiveJournal blog by a user named Fizot who provides a contact email address of xtexcounter@bk.ru.
“Fizot isn't the most prolific blogger, but he has 27 journal entries on his page, and discusses everything from life in St. Petersburg to earning millions of dollars”, he notes.
And now it gets complex, as Krebs – after donning his Sherlock Holmes deerstalker hat – appears to have tracked Fizot's Porsche, which has a licence plate of H666XK.
Fizot, the researcher notes, may only be tangentially connected to those responsible for building and maintaining the TDSS botnet, but it is likely that he and some of his pals in the SPB and RU Auto clubs know the responsible parties.
Infosecurity notes that unconfirmed reports on some security forums suggest that Krebs' newswire is read by the authorities in St. Petersburg, proving that, on the internet, it is a very small world.