I recently published a piece that examined the role of several Ukrainian men likely responsible for making and marketing the Styx Pack malware exploit kit. Today’s post will show how this same enterprise is linked to a DDoS protection scheme and a sprawling cybercrook-friendly malware scanning service that is bundled with Styx-Crypt.
As I noted in a graphic accompanying a July 8 analysis of Styx, the $3,000 exploit pack includes a built-in antivirus scanning service that employs at least 17 antivirus products. The scanning service is “anonymous,” in that it alerts Styx customers whenever one of the antivirus tools detects their malware as such, but the service also prevents the antivirus products from reporting home about the new malware detections.
When Styx customers click on one of these malware scanning reports from within the Styx pack panel itself, the full scanning results are displayed in a new browser window at the domain captain-checker[dot]com (see screenshot above). The Styx panel that I examined earlier this month was based at the Internet address 22.214.171.124, and was reachable only by appending the port number 10665 to the numeric address. At first, I thought this might be a standard port used by Styx installations but that turns out not to be the case, according to interviews with other researchers. I didn’t realize it at the time, but now I’m thinking it’s likely that the panel I examined was actually one run by the Styx Pack curators themselves.
I discovered that although captain-checker[dot]com is hosted at another address (126.96.36.199), it also had this 10665 port open. I noticed then that captain-checker shares that server with 12 other Web sites. All of those sites also respond on port 10665, each revealing a captain-checker login page. Among the 12 is uptimer[dot]biz, one of two sites that led to the identity of Alexander “Nazar” Nazarenko — one of the main marketers and sellers of Styx pack.
Not only are all of these sites on the same server, but an Nmap scan of these systems shows that they are all on the same Windows workgroup — “Reality7.” This dovetails nicely with the other domain that I noted in that July 10 story as tied to Nazarenko — reality7solutions[dot]com.
Many of the other domains on the server (see graphic to the left) use some variation of the word “wizard,” and share a Google Analytics code, UA-19307857. According to SameID.net, this code is embedded in the homepage for at least 38 different Web sites.
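The pivot used above, grouping sites that embed the same Google Analytics account number, can be reproduced over saved copies of site homepages. This is an added example, not code from the post; the domains and HTML snippets are constructed, with the account numbers taken from the story.

```python
import re
from collections import defaultdict

# Classic Google Analytics property IDs look like "UA-<account>-<property>".
# The "-<property>" suffix is optional so the bare "UA-19307857" form quoted
# in the story matches too; only the account number is used for clustering,
# since one account can own several properties across several sites.
GA_ID_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d+)?\b")

# Constructed sample pages keyed by (hypothetical) domain name.
SAMPLE_PAGES = {
    "wizard-a.example": '<script>ga("create","UA-19307857-1","auto");</script>',
    "wizard-b.example": "<script>_gaq.push(['_setAccount', 'UA-19307857-3']);</script>",
    "guard.example": '<script>ga("create","UA-19307857-2","auto");</script>',
    "unrelated.example": '<script>ga("create","UA-5414420-1","auto");</script>',
    "noanalytics.example": "<html><body>no tracking code here</body></html>",
}


def extract_ga_accounts(html: str) -> set[str]:
    """Return the set of GA account numbers (property suffix stripped) found in a page."""
    return {m.group(1) for m in GA_ID_RE.finditer(html)}


def cluster_by_ga_account(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each GA account number to the sorted domains that embed it.

    Accounts seen on only one domain are dropped: a shared account is the
    signal that two sites are run by the same operator, a single one is not.
    """
    clusters: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for account in extract_ga_accounts(html):
            clusters[account].add(domain)
    return {acct: sorted(doms) for acct, doms in clusters.items() if len(doms) > 1}


if __name__ == "__main__":
    for account, domains in cluster_by_ga_account(SAMPLE_PAGES).items():
        print(f"UA-{account}: {', '.join(domains)}")
```

Point the same function at a directory of fetched homepages and the output is a list of candidate site clusters to investigate further, with the same caveat as SameID-style lookups: a shared account proves shared analytics access, not necessarily shared ownership.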
In my previous story on Nazarenko and his Styx Pack business partner — Max “Ikar” Gavryuk — I noted that both men were advertising “Reality Guard,” a service to help protect clients from distributed denial-of-service (DDoS) attacks designed to knock sites offline. I had a closer look at their site — reality-guard[dot]com — and learned several interesting things: For starters, the site also responds with a captain-checker[dot]com login page when you append “:10665” to the domain name. It is also on a Microsoft Windows workgroup called “Reality7”. Finally, the reality-guard[dot]com home page includes an icon for the virtual currency Webmoney that, when hovered over, pops up Nazar’s Webmoney account (someone changed the name on this account from “Nazar” to “Lives” within hours after my July 10 story on the Styx Pack purveyors).
I noted in my previous story that Ikar apparently spoke highly of and even advertised a [competing?] anti-DDoS service called antiddos[dot]biz, and I discovered something curious about the server that hosts captain-checker[dot]com and those 12 other sites: If one attempts to connect to the open FTP server at that server’s address, it allows the connection and responds with the message “Direct comments to root@antiddos”.
Who runs antiddos[dot]biz? The site and five others that share the same Google Analytics code UA-5414420 were the property of one Sergei Litvinenko, a Ukrainian man who was reportedly arrested in Croatia in August 2012 for a host of alleged cyber crimes. Foreign media report that Litvinenko was sought by U.S. authorities for computer fraud worth $20 million, but initially I could find no federal charging documents that bore his name.
According to an unredacted version of this Justice Department document (PDF), Litvinenko is Defendant #20 in last year’s big Justice Department case targeting top members of carder[dot]su, at the time a major online fraud forum. According to U.S. authorities, Litvinenko – a.k.a. “Dorbik” and “Matad0r” – sold bulletproof hosting services to hundreds of sites engaged in cybercrime activity, including carder[dot]su’s sister (and still very active) site carder[dot]pro. Below is a screenshot of Matad0r’s sales thread currently on carder[dot]pro.
If you enjoy reading these follow-the-breadcrumbs pieces, check out other stories like this one in the new KrebsOnSecurity.com content category, Breadcrumbs.