Related Links

  • Krebs on Security
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Top 5 Stories


Researcher claims Rustock botnet author looked for Google job

02 June 2011

Security researcher Brian Krebs has made the interesting assertion that the suspected Rustock botnet creator has been looking for a job with Google.

According to Krebs, Microsoft has revealed a software engineer and mathematician as a possible suspect in the search for the author of the Rustock spambot – and who aspired to be hired by Google.

"In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with virtual currency provider Webmoney about the owner of an account used to rent Rustock control servers", he says in his latest security blog.

Webmoney has, he adds, reportedly confirmed that the account was affiliated with a man named Vladimir Alexandrovich Shergin.

"Microsoft also mentioned another suspect, 'Cosma2k' possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev", notes Krebs, who claims to have been conducting his own research.

Microsoft, he says, helped to dismantle Rustock in March after a co-ordinated and well-timed 'stun' targeting the spam botnet's infrastructure, which was mainly comprised of servers based in US hosting facilities.

Two weeks after that takedown, the researcher reports that he tracked down a web hosting reseller in Eastern Europe who acknowledged renting some of those servers to the apparent Rustock author.

As reported previously by Infosecurity, that reseller shared the Webmoney account number used to purchase access to the servers, and Russian investigators that Krebs spoke with confirmed that the account had been registered by a Russian named Vladimir Shergin.

"By consulting a leaked database I obtained last year of the top earners for – at the time the world's largest rogue online pharmacy network – I discovered that the same Webmoney account was shared by three of the top ten Spamit affiliates", he reports.

The electronic breadcrumbs reportedly then led to a Spamit affiliate who used the pseudonym 'Cosma2k' with a linked email address –

And the site hosting that address, Krebs notes, includes a CV with a picture of a young man holding a mug, apparently named 'Sergeev, Dmitri A.', who says 'I want to work in Google.'

Microsoft, says Krebs, seems determined to bring the Rustock malefactors to court. "Maybe the mug shot in this resume will help to identify at least one of them", he added.

This article is featured in:
Compliance and Policy  •  Data Loss  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×