22-year-old botherder, Hermes, arrested in Russia

Infosecurity immediately contacted Dr Web for further information, but has as yet had no reply. The primary source of information remains a single statement released by the Ministry of the Interior of the Russian Federation. Although an English-language version is provided, ambiguities within this translation make it difficult to be certain of the precise details. Nevertheless, the following seems clear.

The home of an unnamed 22-year-old man, known online as Hermes and Arashi, was raided by the Russian authorities. Computers, software and documents were confiscated and analyzed with the help of Dr Web, a Russian security firm. The man has now been arrested and charged under three articles of the Criminal Code of the Russian Federation.

It appears he operated a Russian botnet with 4.5 million active bots (out of a total of around 6 million infected computers), making it the largest botnet yet discovered, and one almost entirely located within the Russian Federation. Up to 100,000 new bots could be added in a single day.

The trojan used appears to be a modified version of Carberp, and was specifically directed at stealing banking credentials. The methodology is fairly standard. “Having obtained logins, passwords and digital signatures in this way, he transferred money allegedly on behalf of citizens and organizations to accounts of shell companies. Further on, the funds were transferred to plastic card accounts and cashed in automated teller machines,” says the statement.

“Together with the accomplices, he had stolen a total of more than 150 million rubles,” it continues. This money, as is often the case with cybercriminals, was used to feed a lavish lifestyle, including a luxury house in a Russian resort, expensive foreign cars, and even investment in legal enterprises.

It also seems likely that he rented out access to his botnet to third parties, which is not unusual among botnet owners. “Moreover, for certain commission, he had provided an access to the bot-networks to multiple "Partners" within the entire territory of the Russian Federation,” says the statement.

If it is true that Dr Web contributed to the exposure of the botnet and arrest of the botherder, we can expect to hear further details as soon as the company is able to go public on its involvement.