Microsoft on Monday named a Russian man as allegedly responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from a huge spam affiliate program suggests that the driving force behind Kelihos is a different individual who commanded a much larger spam empire, and who is still coordinating spam campaigns for hire.
Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used novel legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.
On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.
“It’s the same code with modifications,” said Brett Stone-Gross, a security analyst who came into possession of the Kelihos source code last year and has studied the two malware families extensively.
Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.
WHO IS SEVERA?
A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5). Spamhaus alleged that Severa was the Russian partner of convicted U.S. pump-and-dump stock spammer Alan Ralsky, and indeed Peter Severa was indicted by the U.S. Justice Department in a related and ongoing spam investigation.
It turns out that the connection between Waledac and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. The data also include tantalizing clues about Severa’s real identity.
In multiple instances, Severa gives his full name as “Peter North;” Peter Severa translates literally from Russian as “Peter of the North.” (The nickname may be a nod to the porn star Peter North, which would be fitting given that Peter North the spammer promoted shady pharmacies whose main seller was male enhancement drugs).
According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period. He also was a moderator of Spamdot.biz (pictured at right), a vetted-members-only forum that included many of SpamIt’s top earners, as well as successful spammers/malware writers from other affiliate programs such as EvaPharmacy and Mailien.
Severa seems to have made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send 1 million pieces of spam; junk email campaigns touting employment/money mule scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.
Spamhaus says Severa’s real name may be Peter Levashov. The information Severa himself provided to SpamIt suggests that Spamhaus’s intelligence is not far off the mark.
Severa had his SpamIt earnings deposited into an account at WebMoney, a virtual currency popular in Russia and Eastern Europe. According to a source that has the ability to look up identity information tied to WebMoney accounts, the account was established in 2001 by someone who entered a WebMoney office and presented the Russian passport #454345544. The passport bore the name of a then 26-year-old from Moscow — Viktor Sergeevich Ivashov.
So where are the clues suggesting that Severa ran Waledac? Krebs On Security also managed to secure a copy of the Spamdot.biz forum, including the private messages for all of its users. On August 27, 2009, Severa sent a private message to a Spamdot.biz user named “ip-server.” Those communications show that the latter had sold Severa access to so-called “bulletproof hosting” services that would stand up to repeated abuse claims from other ISPs. The messages indicate that Severa transacted with ip-server to purchase dedicated servers used to control the operations of the Waledac botnet.
In the private message pictured in the screen shot to the left, Severa writes (translated from Russian):
“Hello, writing to your ICQ, you are not responding. One of the servers has been down for 5 hours. The one ending on .171. What’s the problem, is it coming up or not, and when?”
ssh: connect to host 18.104.22.168 port 22: No route to host”
Ip-server must have resolved the outage, because the server that Severa was complaining about — 22.214.171.124 — would be flagged a day later by malware analysts, and tagged as a control server for the Waledac botnet.
There are clues that suggest a relationship between Severa and Kelihos that go beyond similarities in the code that powers the two botnets. Last summer, prior to Microsoft’s takedown of Kelihos, I wrote about another venture that Severa widely advertised on hacker forums: “Sevantivir,” an affiliate program that rewarded hackers for tricking people into installing and ultimately paying for fake antivirus software.
In that story, I cited research by French malware investigator and blogger Steven “Xylitol” K, who found that the installer program that Severa was giving to affiliates seeded infected PCs with both fake antivirus and a copy of Kelihos. From that story:
“Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.”
It’s not clear what botnet infrastructure he is using now, but Severa is still the spam service administrator on several underground forums, pimping his spam services, remarkably under most of the same prices he offered them for in 2008.
Contacted via instant message and presented with the evidence, Severa denied everything, saying he only did small opt-in mailings, had never used a botnet, and had been out of the business for years. When pressed about his fake antivirus affiliate program, Severa said he didn’t realize his antivirus program was fake, and that he didn’t know anyone named Sabelnikov, or even Ralsky. When presented with the screen shot below — which shows Severa complaining on Spamdot about how his broker ran away and that he was faced to find a new sponsor for spamming penny stocks just days after Ralsky’s arrest in Jan. 2008 — Severa said someone else must have been using his Spamdot account.
“The truth is that some people sharing servers, spamdot account and some other forum accounts [in] those years,” he explained. He gave the same reply when asked about the screen shot showing his renting the server used to control Waledac.
Kelihos may not be completely gone. Stone-Gross said he recently uncovered a malware sample that appears to be another installer for Kelihos.
“The guys running these botnets are making lots of money,” Stone-Gross said. “They’re not just going to sit back and say, ‘Oh no, they took down our botnet, let’s give up on our business.’ They’ll use pay-per-install affiliate programs to reinfect more machines and bring the botnet right back up.”