Attack leads to peek inside Viagra spam enterprise

Network of computers infected by Russian virus once generated a third of global spam

MOSCOW — For years, Igor A. Artimovich had been living in a three-room apartment he shared with his wife in St. Petersburg, sitting for long hours in front of his Lenovo laptop in his pajamas, drinking sugary coffee.

If he were known at all to Western security analysts who track the origins of spam, and in particular the ubiquitous subset of spam emails that promote male sexual enhancement products, it was only by the handle he used in Russian chat rooms, Engel.

His pleasant existence, living in obscurity, changed this summer when a court in Moscow linked Artimovich and three others with one of the world’s most prolific spambots, or illegal networks of virus-infected computers that send spam.

The ruling provided a peek into the shrouded world of the Viagra-spam industry, a multimillion-dollar illegal enterprise with tentacles stretching from Russia to India. Around the world every day, millions of people open their email inboxes to find invitations to buy Viagra or some other drug, potion or device to enhance sexual performance.

Who sends these notes and how they make money had remained a mystery to most recipients. The court put names and faces to a shadowy global network of infected computers known outside Russia as Festi and inside the country as Topol-Mailer, named after an intercontinental ballistic missile, the Topol-M. It was powerful enough to generate, at times, up to a third of all spam email messages circulating globally.

Prosecutors say Artimovich was one of two principal programmers who controlled the network of infected computers in a group that included a former signals intelligence officer in the Federal Security Service, or FSB, the successor agency to the KGB.

Once they control the virus-infected computers, they are able to use software embedded on home and business computers to send persistent emails. The owner of an infected computer usually never knows the PC has been compromised.

More often than not these days, those infected computers are in India, Brazil and other developing countries where users cannot afford virus protection. But the high-end programming of viruses often takes place in Russia.

While the business model has been well understood — it was the subject of an extensive study by the University of California, San Diego — the individuals behind one of the largest spam gangs using it have largely avoided official scrutiny, until recently.

The Tushino Court in Moscow convicted two people of designing and controlling the Festi botnet, and two others of paying for its services, but none of them specifically of distributing spam. Instead, the court convicted the group of using the Festi network in 2010 to turn thousands of browsers simultaneously to the webpage of the online payment system of Aeroflot, the Russian national airline, crashing it in what is known as a distributed denial of service attack.

The spambot problem has vexed Western law enforcement officials, who complain that the Russians ignore losses to global businesses that pay about $6 billion annually for spam filters, and to companies like Pfizer for sales lost to counterfeit pills.

Computer security experts have long been intrigued by the possibility that the Russian government has turned to so-called black hat hackers for political tasks in exchange for offering protection from prosecution. But any direct evidence has been lacking, though the Festi case adds to the circumstantial evidence.

Russian authorities deny creating or turning a blind eye to botnets used to attack the websites of dissidents, or banks and government institutions in neighboring countries like Estonia or Georgia.

Valery V. Yaschenko, a deputy director of the Kremlin-linked Institute for Problems of Information Security, said the Russian government “condemns the practice of using strangers’ computers” for attacks, or for any reason.

For years, spam has been a very good business for Russian criminal gangs. An estimated $60 million a year is pulled in through these networks. Despite the Russian prosecutors’ victory this summer, similar networks remain active as tools for fraud and hacker attacks. Computer security experts say that suggests either the wrong men were convicted or the controlling codes were passed to somebody else.

Stefan Savage, a professor in the systems and networking group at the University of California, San Diego, studied the Festi scheme, in part by making test purchases.

The spam opened links to sites called “Canada Pharmacy” or “Canadian Pharmacy,” though they were in fact Russian-based companies that had privileges to process online payments from Visa through banks in Azerbaijan and Iceland. The sales were responsible for about a fifth of the $300 million global industry of selling fake drugs online, mostly to Americans, Savage said in an interview.

What arrived in the mail was Viagra counterfeited in India, where intellectual property rights on pharmaceutical industry products are loosely enforced. Savage tested the pills in a gas spectrometer; they were close enough chemically to real Viagra that they most likely functioned safely, and as intended, for tens of thousands of American men.

The Internet has experienced the ill effects. About 70 percent of all email sent globally is still spam, according to Symantec, the antivirus company. Most of it violates a number of American laws, including the CAN-SPAM Act of 2003, which requires unsolicited emails to have a valid return address. The Ryan Haight Online Pharmacy Consumer Protection Act of 2008, named for a teenager who died from an overdose of Vicodin bought on the Internet, outlaws online sales of drugs without a doctor’s prescription. But there are still plenty of offers coming from abroad.

For a three-month period last year, the Festi botnet was bursting with activity. It generated about a third of all global spam for those months, Paul Wood, the cybersecurity intelligence manager at Symantec, said in an interview.

Why Russian authorities allowed Festi to function for years is unclear. Russians had little incentive to invest law enforcement resources in a crime that primarily affected Americans. But the illegal computer networks like Festi that are so useful for sending spam are also capable of crashing websites by flooding them with an overwhelming number of visits — the distributed denial of service attacks.

It was used last year inside Russia to crash opposition websites during the presidential election. The Festi network was the tool of choice in a prominent denial of service attack on LiveJournal, one of the blog-hosting services used by Russian dissident and blogger Alexei Navalny, according to Hacker, a Russian magazine focused on cybersecurity issues.

In one of the few crackdowns, the Russian court case singled out four men: Pavel Vrublevsky, the owner of an online payment settlement business called ChronoPay, who for years has denied accusations of ties to Viagra spam schemes; Maxim Permakov, an employee of Vrublevsky and a former FSB agent; Igor Artimovich, a former employee of Sun Microsystems in Russia; and his brother Dmitry Artimovich, a freelance programmer.

All denied the charges and have said through their lawyers that they intend to appeal the sentences, which range from two to 2 1/2 years in prison, except for Permakov, who conceded his role in using Festi and cooperated with investigators in exchange for a suspended sentence.

Prosecutors argued that Igor Artimovich designed Festi. They say the executives at ChronoPay hired him to crash the Aeroflot site because they were angry at losing a tender for Aeroflot’s business.

The police say the executives asked Artimovich to settle the score. Analysts of Russian cybercrime say a line had been crossed by attacking a Russian site.

In an interview before his sentencing, Artimovich said he was working on code under contract with ChronoPay, but for an antivirus program, not a virus. He said the police planted evidence on his laptop hard drive after his arrest.

Vrublevsky, in an interview, denied any role in creating Festi and noted that in court a witness testified that the FSB, which investigated the case, had forged evidence.

Festi was not the first Russian botnet to combine pharmaceutical spam with politics. In 2007, a large-scale cyberattack was begun on Estonia, taking aim at sites of government agencies, banks and anti-Russian groups, and a futuristic North Atlantic Treaty Organization center for cyberwarfare was built in Tallinn in response. But when the center’s analysis of this attack and subsequent cyberstrikes on Georgia finally wrapped up, evidence pointed not to some similar, hushed bunker of military men somewhere in Russia, but to a server in St. Petersburg best known for its links to cybercrime, including penis-enlargement spam, and run by a hacker nicknamed Flyman.

The 2009 NATO report on the attacks on Russia’s neighbors noted pointedly of the St. Petersburg server’s suspicious activity that “the Russian authorities have remained remarkably passive in prosecuting the organization.”