Unconfirmed reports have been coming in for several days that Microsoft has been surveilling various dark hat security forums, and now security researcher Brian Krebs is reporting that his own research shows that many of the servers rented from US hosting providers were actually rented by a small Eastern European business.
This business, says Krebs, specialises in reselling hosting services to individuals who frequent underground hacker forums.
After interviewing the reseller, he says that, in return for anonymity, he was given the payment information about a customer who rented dozens of servers apparently used as Rustock C&C controllers.
The reseller, Krebs claims, was willing to share information about his client because the customer turned out to owe around $1,600 – about two month’s rent of the servers in question.
"The reseller also seemed willing to talk to me because I might be able bend the ear of Spamhaus.org, the anti-spam group that urged ISPs worldwide to block his Internet addresses shortly after Microsoft announced the Rustock takedown", he said in his latest security blog.
Interestingly, Krebs says that the reseller made the same claim as the US hosting providers, namely that he was unaware of the actual usage of the servers being rented out.
Tracking the payment service used by the person that rented the servers from the Eastern European entity, Krebs says that the owner of the WebMoney account used appears to be Vladimir Shergin, a name which is also associated, he claims, with the SpamIT operation that closed down last September.
This leads the security researcher to the interesting conclusion that the revenues from the SpamIT operation may have been funding Rustock, and, when the SpamIT empire crumbled, the seeds of financial destruction were laid for the Rustock C&C server operation.
This may explain the temporary hiatus in Rustock's operations over the Christmas/New Year period, Infosecurity notes, and may have forced Shergin to look for other servers, so attracting the interest of the Microsoft's investigators.