
Researcher claims Rustock botnet author looked for Google job

According to Krebs, Microsoft has revealed a software engineer and mathematician, who aspired to be hired by Google, as a possible suspect in the search for the author of the Rustock spambot.

"In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with virtual currency provider Webmoney about the owner of an account used to rent Rustock control servers", he says in his latest security blog.

Webmoney has, he adds, reportedly confirmed that the account was affiliated with a man named Vladimir Alexandrovich Shergin.

"Microsoft also mentioned another suspect, 'Cosma2k' possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev", notes Krebs, who claims to have been conducting his own research.

Microsoft, he says, helped to dismantle Rustock in March after a co-ordinated and well-timed 'stun' targeting the spam botnet's infrastructure, which consisted mainly of servers based in US hosting facilities.

Two weeks after that takedown, the researcher reports that he tracked down a web hosting reseller in Eastern Europe who acknowledged renting some of those servers to the apparent Rustock author.

As reported previously by Infosecurity, that reseller shared the Webmoney account number used to purchase access to the servers, and Russian investigators that Krebs spoke with confirmed that the account had been registered by a Russian named Vladimir Shergin.

"By consulting a leaked database I obtained last year of the top earners for Spamit.com – at the time the world's largest rogue online pharmacy network – I discovered that the same Webmoney account was shared by three of the top ten Spamit affiliates", he reports.

The electronic breadcrumbs reportedly then led to a Spamit affiliate who used the pseudonym 'Cosma2k' with a linked email address – ger-mes@ger-mes.ru.

And the site hosting that address, Krebs notes, includes a CV with a picture of a young man holding a mug, apparently named 'Sergeev, Dmitri A.', who says 'I want to work in Google.'

Microsoft, says Krebs, seems determined to bring the Rustock malefactors to court. "Maybe the mug shot in this resume will help to identify at least one of them", he added.
