In this crackdown on botnets, Google seemed to have dismantled Glupteba and sued two suspects, but in reality it was like fighting cockroaches: you think you have killed the one on the floor, while an endless supply of newcomers is hiding under the floorboards

2024/05/05 03:56:33 technology 1837

Let's start by reviewing one event.

On December 7, 2021, Google announced that it had disrupted a botnet called Glupteba and filed a civil lawsuit against two Russian men.

The two men are believed to be the creators and operators of the Glupteba botnet, and to have run the online storefronts that advertised it.

The Glupteba botnet first appeared in 2011 and has gradually grown into a huge network of more than 1 million infected Windows PCs around the world, making it a major malware threat.

On the same day, AWM Proxy, a 14-year-old anonymity proxy service, suddenly went offline.

Recently, security researchers discovered a connection between AWM Proxy, which rents access to hacked PCs to criminals, and the Glupteba botnet.

AWM Proxy's storefront for renting access to infected PCs, circa 2011.

And AWM Proxy is probably the botnet's vital point, the "seven inches" where you strike a snake.

AWM Proxy was launched in March 2008, and in 2011 researchers at Kaspersky Lab discovered that nearly all of the hacked systems AWM rented out had been compromised by TDSS (also known as TDL-4 and Alureon).

TDSS is a stealthy rootkit, and rootkits are widely regarded as among the hardest categories of malware to detect.

TDSS installs itself deep inside infected PCs and loads before the Windows operating system itself starts, so it is active before most security software has a chance to run.

In March 2011, security researchers at ESET found that TDSS was being used to deploy Glupteba.

Glupteba is another rootkit; it steals passwords and other access credentials, disables security software, attempts to compromise other devices on the victim's network (such as home routers and media storage servers), and is used to relay spam and other malicious traffic.


A report by the Polish computer emergency response team CERT Orange Polska found that Glupteba was by far the largest malware threat of 2021.

Like its predecessor TDSS, Glupteba is distributed primarily through pay-per-install (PPI) networks and through traffic purchased from traffic distribution systems (TDS).

A pay-per-install network matches cybercriminals who already control large numbers of hacked PCs with other criminals who want to spread their own malware more widely.

In a typical PPI network, customers submit their malware (such as a spam bot or a password-stealing Trojan) to the service, which charges a per-install price, usually quoted per thousand installs (CPM), that depends on the geographic location of the desired victims.

One of the most common ways PPI affiliates make money is by secretly bundling the PPI network's installer with pirated software that is distributed widely over the web or on file-sharing networks.

An example of a cracked-software download site used to distribute Glupteba.

Both Glupteba and AWM Proxy have grown significantly over the past 10 years.

When KrebsOnSecurity first reported on AWM Proxy in 2011, the service was selling access to approximately 24,000 infected PCs in dozens of countries.

Ten years later, AWM Proxy was offering roughly ten times that number of compromised systems on any given day, and Glupteba had grown to more than 1 million infected devices worldwide.

Furthermore, there is good evidence that Glupteba may have spawned Meris.

Meris, a massive botnet of hacked Internet of Things (IoT) devices, surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

Then, on December 7, 2021, Google announced that it had taken technical measures to dismantle the Glupteba botnet and had filed a civil lawsuit against two Russian men, and AWM Proxy's online store disappeared the same day.

AWM Proxy quickly told its customers that the service had moved to a new domain and that all customer balances, passwords and purchase histories had been ported seamlessly to the new address.

However, subsequent takedown actions against AWM Proxy's domain names and other infrastructure crippled the service. After that, AWM Proxy began switching domain names frequently.

Earlier this month (June 2022), the United States, Germany, the Netherlands and the United Kingdom dismantled a botnet called "RSOCKS."

RSOCKS was a competing proxy service that had been running since 2014.

The security blog KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old Russian from Omsk who also runs the world's largest spam forum.


RSOCKS employees around 2016

According to Riley Kilmer, co-founder of Spur.us, a startup that tracks criminal proxy services, RSOCKS also went dark on the day Google launched its surprise legal and technical assault on Glupteba.

"The RSOCKS website gives an estimate of the number of proxy servers in each subscription package, and by December 7, that number dropped to zero," Kilmer said.

"It's unclear whether this means these services are operated by the same people, or whether they simply use the same source (such as a PPI program) to generate new malware installations."

Kilmer said that every time his company tried to gauge how many systems RSOCKS was selling, it found that every Internet address sold by RSOCKS also appeared in AWM Proxy's network.

Additionally, the application programming interfaces (APIs) the two services used to track infected systems were virtually identical, further suggesting close ties between them.

Kilmer said, "The IPs we get from RSOCKS are 100 percent ones that we have identified in AWM, and when you access an individual IP, the IP:port combination they give you is the same as the one from AWM."

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy; Kilmer's findings have now prompted KrebsOnSecurity to re-examine the origins of this massive cybercrime enterprise and look for further clues pointing to a more specific connection between RSOCKS, AWM Proxy and Glupteba.

Google targeted Glupteba in part because its operators used the botnet to divert and steal huge amounts of online advertising revenue.

Somewhat ironically, the key piece of evidence tying all these operations together begins with a Google Analytics tracking ID (UA-3816536) embedded in the HTML of the original AWM Proxy website in 2008.

The same tracking code has also appeared on a number of other websites over the years, including the now-defunct Russian domain registrar Domenadom.
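The pivot described above, a shared Google Analytics property ID linking otherwise unrelated websites, is a standard infrastructure-attribution technique. The following is an added example, not code from the article or from KrebsOnSecurity: it extracts Analytics IDs from captured HTML and groups the sites that embed the same property. The HTML snippets are constructed, and the domain names for AWM Proxy, Domenadom and the control site are assumptions made for illustration; only the ID UA-3816536 comes from the text.

```python
"""Pivot on Google Analytics tracking IDs shared across websites.

Added example (not from the article). Given captured HTML pages,
extract Google Analytics property IDs and group domains by the IDs
they share, the way a shared UA-3816536 tied AWM Proxy to Domenadom.
"""
import re
from collections import defaultdict

# Legacy Universal Analytics IDs look like UA-3816536-1; GA4 measurement
# IDs look like G-ABCDEF1234. For UA IDs the property number is the
# pivot key: the trailing "-N" is only a per-site profile index.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}(?:-\d+)?|G-[A-Z0-9]{6,12})\b")

# Constructed sample HTML. The first two mimic the old ga.js embed
# styles; the third is an unrelated control site using GA4. The domain
# names for Domenadom and the control site are assumptions.
SAMPLE_PAGES = {
    "awmproxy.net": """<html><body><h1>AWM Proxy</h1>
        <script type="text/javascript">
        var pageTracker = _gat._getTracker("UA-3816536-1");
        pageTracker._trackPageview();</script></body></html>""",
    "domenadom.ru": """<html><head><script type="text/javascript">
        var _gaq = _gaq || [];
        _gaq.push(['_setAccount', 'UA-3816536-3']);
        _gaq.push(['_trackPageview']);</script></head></html>""",
    "unrelated-shop.example": """<script async
        src="https://www.googletagmanager.com/gtag/js?id=G-8X2J4K9QWE"></script>
        <script>gtag('config', 'G-8X2J4K9QWE');</script>""",
}


def extract_ga_ids(html: str) -> set[str]:
    """Return the normalised GA property IDs found in one HTML document."""
    ids = set()
    for match in GA_ID_RE.finditer(html):
        raw = match.group(1)
        if raw.startswith("UA-"):
            # Drop the profile suffix so UA-3816536-1 and UA-3816536-3
            # resolve to the same property, UA-3816536.
            raw = "-".join(raw.split("-")[:2])
        ids.add(raw)
    return ids


def build_pivot_index(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each GA property ID to the set of domains whose HTML embeds it."""
    index: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in extract_ga_ids(html):
            index[ga_id].add(domain)
    return dict(index)


def linked_domains(index: dict[str, set[str]], seed: str) -> set[str]:
    """Every domain that shares at least one GA property ID with `seed`."""
    linked: set[str] = set()
    for domains in index.values():
        if seed in domains:
            linked |= domains
    linked.discard(seed)
    return linked


def shared_ids(index: dict[str, set[str]], a: str, b: str) -> set[str]:
    """The GA property IDs that domains `a` and `b` have in common."""
    return {gid for gid, domains in index.items() if a in domains and b in domains}


if __name__ == "__main__":
    idx = build_pivot_index(SAMPLE_PAGES)
    for gid, domains in sorted(idx.items()):
        print(f"{gid}: {sorted(domains)}")
    print("linked to awmproxy.net:", sorted(linked_domains(idx, "awmproxy.net")))
```

Two caveats when using this pivot on real crawl data: a shared ID only shows that the same Analytics property collected data for both sites, so copy-pasted page templates and shared hosting providers produce false positives, and the hit should be corroborated with registration records or email addresses, as KrebsOnSecurity did here. Also treat GA4 "G-" IDs as a separate namespace; they never normalise to a UA property.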

After KrebsOnSecurity analyzed the associated email addresses and domain names, the picture started to become clearer.

The investigation found that, according to registration records, the website of the Russian domain registrar Domenadom was registered in 2015 in the names of two men, one of whom is Dmitry Sergeevich Starovikov.

He is one of the two alleged Glupteba operators named in Google's lawsuit:

First page of Google's lawsuit against the operators of the Glupteba botnet.

Although Google claims to have dismantled the Glupteba botnet, AWM Proxy is still alive and well, albeit by switching domain names frequently.

AWM Proxy's site claims that its malware ran on approximately 175,000 systems worldwide in the past 24 hours, of which approximately 65,000 were online at the time.

AWM Proxy's storefront today.

Recently, the administrators of RSOCKS told customers that the service and any unused balances would soon be moved to a new location.

In this crackdown on botnets, Google seemed to have dismantled Glupteba and sued two suspects, but in reality it was like fighting cockroaches: you think you have killed the one on the floor, while an endless supply of newcomers is hiding under the floorboards.

References:

1. Disrupting the Glupteba operation
2. Awmproxy Review 2022: Cheapest Proxies With 99%+ Network Uptime
3. The Link Between AWM Proxy & the Glupteba Botnet
4. https://any.run/malware-trends/glupteba


Text by Muzi Y | anni
