Network News

X My Profile
View More Activity

Following the Money: Rogue Anti-virus Software

By its very nature, the architecture and limited rules governing the Web make it difficult to track individuals who might be involved in improper activity. Cyber-sleuths often must navigate through a maze of dead-end records, pseudonyms or anonymous corporations, usually based overseas. The success rate is fairly low.

Even if you manage to trace one link in the chain -- such as a payment processor or Web host -- the business or person involved claims that he or she was merely providing a legal service to an unknown client who turns out to be a scammer.

But every so often, subtle links between the various layers suggest a more visible role by various parties involved. This was what I found recently, when I began investigating a Web site name called innovagest2000.com.

ig2k.jpg

This Innovagest2000 domain has for at least four years now been associated with spyware and so-called "scareware," surreptitiously installed software that bombards the victim with incessant and misleading warnings that their PC is infested with malicious software. The warnings usually mimic Microsoft software or the operating system itself, and persist until the victim figures out how to remove it or pays for a license to the software.

"The product names have changed from one to another, but that innovagest2000.com domain has been associated with the rogue [software] families since it was registered in 2005," including rogue anti-virus programs, said Patrick Jordan, a senior spyware researcher for Clearwater, Fla. based Sunbelt Software.

According to a report released earlier this year by Microsoft, scareware programs are now among the top threats around the world. Microsoft found that just two rogue families, which include the Antivirus2009/2010 and XPAntivirus/AntivirusXP products, were detected on more than 1.5 million computers in the second half of 2008.

Those who purchase scareware titles -- such as Antivirus2009, Antivirus360, and AntivirusXP -- may see a "terms of use" agreement that ships with the software, which states that it was made and/or distributed by a company called Innovagest SL, and that users can get support questions answered by writing to support@innovagest.com.

Who is behind Innovagest? If you spend enough time peeling back the layers around innovagest2000.com, you find that the trail of Web site registration records leads to a large, Russian forum for operators of adult we sites called crutop.nu.

crutop.jpg

Crutop's members were by far the largest group of customers of 3fn.net, a San Jose, Calif. based Internet service provider that was knocked offline recently due to a lawsuit filed by the Federal Trade Commission. The FTC alleged that 3FN was the home of a nest of badness, including botnet control networks, child pornography Web sites, as well as a large number of sites promoting rogue anti-virus products and illegal online pharmacies.

Crutop, 9,500 member-strong, also was hosted at 3FN, and was named in the FTC's action. The FTC called Crutop a place "where criminals share techniques and strategies with one another," and a Russian language Web site "that features a variety of discussion forums that focus on making money from spam."

Further digging indicates that Crutop is linked to the operations of Chronopay, an online payment processor based in the Netherlands that has come under fire from security researchers for processing payments for a large number of Web sites hawking scareware. For example, Russian computer security firm Kasperksy Lab told Security Fix that as recently as July 9 it was tracking at least 25 different rogue anti-virus products that use Chronopay for payments.

chrono.jpg

Chronopay provides small businesses with the ability to take credit cards without having to have their own merchant account. On its Web site, Chronopay says it specializes in providing payment processing to high-risk sites, including adult, online pharmacy, and gambling Web sites.

What makes this case unusual is that Chronopay is an apparently above-board company that claims to have backing from banks such as ING, and to have just opened a regional office in Florida.

Chronopay's founder said the company's services are merely being abused by criminals, and that it has done nothing wrong.

Reached via phone in Moscow, Chronopay's founder, Pavel Vrublevsky, vehemently denied any knowledge of or association with any of the Web sites mentioned in this blog post aside from Chronopay.

"I am 100 percent the CEO of Chronopay, and I have absolutely nothing to do with these," he said. Vrublevsky maintains, however, that he has made some enemies of people in high places of power within Russia, and that they may have been trying to associate his name with these enterprises to besmirch his image and that of his company.

Vrublevsky did say that several merchants of Chronopay have been terminated recently for selling rogue anti-virus and generating an enormous number of chargebacks from consumers. But he said those chargebacks don't usually show up until three to four months after a rogue merchant starts doing business with Chronopay.

Indeed, rogue anti-virus vendors have favored Chronopay's service quite a bit over the last year.

In June, Joe Stewart, director of malware research at SecureWorks, an Atlanta-based computer security firm, published research showing that Chronopay was the processor for sites pushing rogue anti-virus product "Malware Doctor," a scareware title commonly installed by "Virut," one of the Web's most prolific computer viruses.

In October 2008, Stewart found that when he purchased a copy of rogue product AntivirusXP, that the charge appeared on his credit card statement as CHRpay.com, one of the Web sites owned by Chronopay. A Google search on that domain shows page after page of complaints from people who were tricked into paying for rogue anti-virus and anti-spyware software.

Stewart also found that the installer for that rogue anti-virus program was constructed so that it would not install on systems where the would-be victim had recently visited one of nearly a dozen Web sites. One of those sites was crutop.nu.

"It's hard to say whether they're just happy to take the money, or whether they're driving this type of activity," Stewart said. "But they've been at this for a long time, and we've seen over and over again Chronopay providing payment services for these rogue anti-virus sites."

How are Innovagest2000.com, Crutop.nu, and Chronopay.com linked? Read on after the jump to find out.

Shortly after Crutop was knocked offline by the disconnection of 3fn.net, the administrators of Crutop found new hosting and replaced their home page with a lengthy response to the FTC's allegations that Crutop was a forum dedicated to facilitating cyber crime and spam. In their response to the FTC, the anonymous administrators of Crutop argued that the site prohibits spam on its forums, and that the FTC misunderstood that the Crutop sub-forum titled "Spam" was little more than a joke.

crubk.jpg

Crutop's response also mentioned the Security Fix author by name: "And in conclusion we would like to add, that while paragraph 1 of our rules has never been taken seriously before and was written as a joke, but related to recent events we would like to know how it was possible that five (5!) reputable experts-agents (including NASA experts and Mr. Brian Krebs) from USA (where every 10th person speaks Russian, source: Wikipedia), could not figure out that on Crutop.nu in the SPAM sub-forum discussions have nothing to do with mail spam or other cyber-crimes?"

This got my attention because I have never mentioned Crutop in any of my stories. But I have done a little digging to see if I could find a bit more about who runs this forum.

All indications are that the innovagest2000.com domain referenced as a support Web site in dozens of rogue anti-virus products over the past several years was registered by the co-founders of Crutop.

Running a WHOIS search on innovagest2000.com reveals two e-mail addresses: barmaley@mail-eye.com, and r00t@mail-eye.com. Conducting a similar search on mail-eye.com shows the domain is registered to a RED and Partners B.V., with an address in the Netherlands.

Strawinskylaan 1443
Amsterdam
1077 XX
Phone: +31.207940110
Fax: +31.207940120

In their response to the FTC, Crutop administrators directed readers to a page on the forum called "nospam.html," which lists the contact information for the Crutop forum leaders as:

RED & Partners Group
red@mail-eye.com
http://www.re-partners.biz/

redpartners.jpg

A WHOIS lookup on the official Web site for RED and Partners B.V. - re-partners.biz - returned the barmaley@mail-eye.com e-mail contact, as well as the same address, phone and fax number as the mail-eye.com domain. The contact page at re-partners.biz lists the same information, along with the red@mail-eye.com address.

Of the 9,500 registered users on Crutop, the very first and second users who registered on the forum back in 2000 picked the nicknames "Barmaley" and "Redeye."

Interestingly, the contact information for RED & Partners Group and its Web site are the same as that listed for Chronopay in its Web site registration records. What's more, the numeric Internet address used by both re-partners.biz and crutop.nu are addresses assigned by European Internet address space authorities to Chronopay LLC.

crusourceGA.JPG

Chronopay, on the "contact" portion of its Web site, lists the exact same address, phone and fax number as listed on re-partners.biz. In addition, both Chronopay.com and re-partners.biz share the same domain name servers: ns1.dns-eye.com.

Perhaps the strongest piece of evidence linking Crutop to Chronopay is provided by Google. If you view the HTML source code on Chronopay's home page, you will find at the bottom an account number used by Google Analytics to track visitors to Chronpay. That account number -- "UA-630887" - is the same Google Analytics account number that is present in the HTML source from the homepage of Crutop.

chronosourceGA.JPG

I followed up with Chronopay regarding the Google Analytics connection, and received a reply from Kirill Vorobyev, the company's public relations manager. Vorobyev said the company suspects that a former employee in charge of online marketing at Chronopay may have been responsible for setting up the Google Analytics accounts.

"Now it [is] clear for us why our company received so many negative responses. We have suspected for a long time that it is one of our former employees," Vorobyev wrote to Security Fix. "We declare, however, that Chronopay doesn't have anything to do with a portal crutop.nu company, though we cannot guarantee it concerning our employees."

By Brian Krebs  |  July 31, 2009; 1:13 PM ET
Categories:  Cyber Justice , Fraud , Safety Tips , Web Fraud 2.0  | Tags: 3fn rogue antivirus, chronopay, crutop  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Critical Update for Adobe Flash Player
Next: Security Updates for iPhone, Adobe Reader

Comments

Mr. Vorobyev has the hallmarks of man confident of political protection, which guarantees freedom from local law enforcement.

Posted by: featheredge99 | July 31, 2009 1:43 PM | Report abuse

FYI, as of now, most of the domains mentioned in this article, including Chronopay, are no longer reachable online.

Posted by: BTKrebs | July 31, 2009 2:37 PM | Report abuse

Nope those crooks are still online
https://secure.chronopay.com/cs/index.htm

Posted by: rjohnson2842 | July 31, 2009 2:48 PM | Report abuse

Brian, you might want to check out Panda's recent report on the rogueware economy, which they published on Wednesday: http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf

Posted by: bill93 | July 31, 2009 4:15 PM | Report abuse

Nice Article. Love the investigative reporting. Did you figure out why they named you as someone who mentioned them?

Posted by: dward__ | July 31, 2009 4:56 PM | Report abuse

Brian,
Haw can you spoil even a correct info :) "an account number used by Google Analytics to track advertising referrals so that Chronpay can get paid when people browsing the site click on Google ads at Chronopay.com." :) If you pose as an expert - could you learn the difference between Google AdSense and Google Analytics?
Your energy and your best effort (yeah, I have to admit it) really need some knowledge. A little bit more than skill of checking domain name owners, you know.
Btw, I was rude on you. It was emotional. After all – I had real reasons to be emotional :)

Posted by: tersuren | July 31, 2009 6:59 PM | Report abuse

:) the tip of the iceberg...

Pavel Vrublevsky, or RedEye, is the only one actor in our nominees list who is still at large and is still executing his numerous business schemes that bring him fortunes. With a background of an average fraudster he plays the role of a reputable entrepreneur via its new company known today as ChronoPay.

RedEye made the first move towards his capital by creating a disgusting site Pornocruto.es, the content of which shocks even adults. Within a few months that affiliate program has boosted the funds in the accounts of Pavel Vrublevsky. However, RedEye understood that he needed to gather all potential customers in one place. And the task was to make it so that people come to Vrublevsky themselves. The solution was found very quickly. He has created a forum Crutop.nu, a community that has joined all those who cashed on gay porn, child porno, rape porn, zoo porn, necro porn, freak porn and other similar niches.

The most infamous project of RedEye that scammed even the Internet scammers and violators themselves was Fethard.biz, the first financial services project launched by Pavel. As we already wrote, RedEye was providing the services highly demanded by the webmasters worldwide. Everybody understood that fethard was conducting its transactions via the offshore banks without granting any guarantees of funds security. RedEye tried to capitalize on everything. Some people know the story when Pavel Vrublevsky, under the guise of common users, on one famous carder forum was selling some Fethard accounts and allowed to receive big amounts from accounts in the system. Certainly such offers had interested dozens of carders (people stealing credit card numbers) on carderplanet.com. Having sold the accounts with a good rating in his own system, RedEye has locked them.

In September 2007 Fethard blocked accounts of its users. Numerous businesses mostly illegal suffered big losses. RedEye made multiple promises in October 2007 that the new system will be introduced while the old accounts will be unblocked. But in fact new accounts were used to pay off for old debts and after it on March 2008 the system closed for good and all.

Webmasters lost 25 million dollars. Who collected 25 million dollars ? :)))

Posted by: PlatinumMike | July 31, 2009 8:09 PM | Report abuse

And what of Malwarebytes BOT ---- ouch. The only good thing is if you catch the mistake real quick, the program you were most likely looking for, Malwarebytes Antimalware gets rid of Malwarebytes Bot.

Posted by: brucerealtor@gmail.com | August 1, 2009 7:08 AM | Report abuse

Brian, thanks for once again writing about the «scareware» menace ! These scams are calculated to frighten the most vulnerable - elderly persons with no computer experience - who, naturally enough, are worried that their new machines have been «infected». And thanks for the research you perform, following the paths traced by these shadowy figures 'round our wired world....

Henri

Posted by: mhenriday | August 1, 2009 12:00 PM | Report abuse

There's nothing wrong with 'elderly persons with no computer experience' thinking they've been infected. They have been by the time they get the popups! The Panda report also says they find trojans on about 98% of all computers they scan. Presumably they only scan Windows boxen (natch) but think how that figure is.

The real crime is that people don't tell these 'elderly persons with no computer experience' what to do before they purchase, before it's too late. Unix isn't more difficult - it's easier. Nothing compares with the burdens of keeping a hopeless Windows box up to date.

Nothing much compares with the danger of it either. Just going to these sad forums where people talk about how they're infected and they can't get the trojans off - what's the matter with them? Why don't they wake up? When will they wake up?

Posted by: Rixstep | August 2, 2009 12:20 AM | Report abuse

Very nice article indeed, thanks Brian. I particularly liked Crutop's response - so anybody able to read Russian should be able to recognize that they are not involved in illegal activity? I had a brief look at the forum. Even if you don't read the locked forums (I guess that you need to be registered for that), it is obvious from the discussion in the others that the tactics discussed are illegal - and the participants are well aware of that. There is even a (locked) hall of shame for those who "steal from their own" (which is probably why the software you mentioned didn't want to install for people who visited Crutop). I wonder who they meant to deceive with this response.

Posted by: WladimirPalant | August 3, 2009 3:30 AM | Report abuse

And thus, indirectly associated with Conficker too:

http://www.symantec.com/connect/blogs/downadup-motivations

Posted by: anonwashpost | August 3, 2009 9:15 AM | Report abuse

Great Article Brian. But let's face it, the real threat comes from people like DirtyBuccaneer99. I for one am glad this guy is off the street!
;)
http://www.youtube.com/watch?v=gVHhuTUp_30
Ashley

Posted by: aashley1 | August 3, 2009 12:31 PM | Report abuse

Brian, you're the most valuable reporter at WaPo. Great, great stuff. Your hard work _should_ be a lesson to your peers.

Posted by: gbooksdc | August 7, 2009 10:27 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company