{"id":21074,"date":"2023-01-24T16:17:10","date_gmt":"2023-01-25T00:17:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/01\/24\/news-14807\/"},"modified":"2023-01-24T16:17:10","modified_gmt":"2023-01-25T00:17:10","slug":"news-14807","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/01\/24\/news-14807\/","title":{"rendered":"Administrator of RSOCKS Proxy Botnet Pleads Guilty"},"content":{"rendered":"<p><strong>Credit to Author: BrianKrebs| Date: Tue, 24 Jan 2023 19:00:32 +0000<\/strong><\/p>\n<p><strong>Denis Emelyantsev<\/strong>, a 36-year-old Russian man accused of running a massive botnet called <strong>RSOCKS<\/strong> that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, \u201cAmerica is looking for me because I have enormous information and they need it.\u201d<\/p>\n<div id=\"attachment_60166\" style=\"width: 310px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-60166\" class=\" wp-image-60166\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/06\/klosterpp.png\" alt=\"\" width=\"300\" height=\"308\" \/><\/p>\n<p id=\"caption-attachment-60166\" class=\"wp-caption-text\">A copy of the passport for Denis Emelyantsev, a.k.a. 
Denis Kloster, as posted to his Vkontakte page in 2019.<\/p>\n<\/div>\n<p>First advertised in the cybercrime underground in 2014, RSOCKS was the <a href=\"https:\/\/web.archive.org\/web\/20160612163110\/http:\/\/rsocks.net\/\" target=\"_blank\" rel=\"noopener\">web-based storefront<\/a> for hacked computers that were sold as \u201cproxies\u201d to cybercriminals looking for ways to route their Web traffic through someone else\u2019s device.<\/p>\n<p>Customers could pay to rent access to a pool of proxies for a specified period, with costs ranging from $30 per day for access to 2,000 proxies, to $200 daily for up to 90,000 proxies.<\/p>\n<p>Many of the infected systems were <a href=\"https:\/\/krebsonsecurity.com\/tag\/iot\/\" target=\"_blank\" rel=\"noopener\">Internet of Things (IoT) devices<\/a>, including industrial control systems, time clocks, routers, audio\/video streaming devices, and smart garage door openers. Later in its existence, the RSOCKS botnet expanded into compromising Android devices and conventional computers.<\/p>\n<p>In June 2022, authorities in the United States, Germany, the Netherlands and the United Kingdom <a href=\"https:\/\/www.justice.gov\/usao-sdca\/pr\/russian-botnet-disrupted-international-cyber-operation\" target=\"_blank\" rel=\"noopener\">announced a joint operation to dismantle the RSOCKS botnet<\/a>. 
But that action did not name any defendants.<\/p>\n<p>Inspired by that takedown, KrebsOnSecurity <a href=\"https:\/\/krebsonsecurity.com\/2022\/06\/meet-the-administrators-of-the-rsocks-proxy-botnet\/\" target=\"_blank\" rel=\"noopener\">followed clues<\/a> from the RSOCKS botnet master\u2019s identity on the cybercrime forums to <a href=\"https:\/\/web-archive-org.translate.goog\/web\/20220114060032\/http:\/\/deniskloster.com\/%D0%BD%D0%B0%D0%BC-%D1%82%D1%80%D0%B8-%D0%B3%D0%BE%D0%B4%D0%B0-2\/?_x_tr_sl=ru&amp;_x_tr_tl=en&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp\" target=\"_blank\" rel=\"noopener\">Emelyantsev\u2019s personal blog<\/a>, where he went by the name <strong>Denis Kloster<\/strong>. The blog featured musings on the challenges of running a company that sells \u201csecurity and anonymity services to customers around the world,&#8221; and even included <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/06\/klosterphoto.png\" target=\"_blank\" rel=\"noopener\">a group photo of RSOCKS employees<\/a>.<\/p>\n<p>&#8220;Thanks to you, we are now developing in the field of information security and anonymity!,\u201d Kloster\u2019s blog enthused. \u201cWe make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don\u2019t just work together and we\u2019re not just friends, we\u2019re Family.\u201d<\/p>\n<p>But by the time that investigation was published, Emelyantsev had already been <a href=\"https:\/\/krebsonsecurity.com\/2022\/09\/accused-russian-rsocks-botmaster-arrested-requests-extradition-to-u-s\/\" target=\"_blank\" rel=\"noopener\">captured by Bulgarian authorities<\/a> responding to an American arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in a U.S. 
courtroom.<\/p>\n<p>\u201cI have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,\u201d Emelyantsev <a href=\"https:\/\/www.struma.com\/krimi\/ruskiyat-haker-arestuvan-v-bansko-poiska-da-go-ekstradirat-v_197964\/\" target=\"_blank\" rel=\"noopener\">told<\/a> the Bulgarian court. \u201cI am not a criminal and I will prove it in an American court.\u201d<span id=\"more-62511\"><\/span><\/p>\n<div id=\"attachment_62518\" style=\"width: 761px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-62518\" loading=\"lazy\" class=\" wp-image-62518\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2023\/01\/rsocksfront.png\" alt=\"\" width=\"751\" height=\"855\" \/><\/p>\n<p id=\"caption-attachment-62518\" class=\"wp-caption-text\">RSOCKS, circa 2016. At that time, RSOCKS was advertising more than 80,000 proxies. Image: archive.org.<\/p>\n<\/div>\n<p>Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was <a href=\"https:\/\/krebsonsecurity.com\/2022\/06\/the-link-between-awm-proxy-the-glupteba-botnet\/#:~:text=Shortly%20after%20last\" target=\"_blank\" rel=\"noopener\">a major player<\/a> in the Russian email spam industry for more than a decade.<\/p>\n<p>Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from those forums show the RSOCKS administrator claimed ownership of the <strong>RUSdot<\/strong>\u00a0spam forum. 
RUSdot is the successor forum to\u00a0<strong>Spamdot<\/strong>, a far more secretive and restricted community where most of the world\u2019s top spammers, virus writers and cybercriminals collaborated for years before the forum <a href=\"https:\/\/krebsonsecurity.com\/2010\/09\/spam-affialite-program-spamit-com-to-close\/\" target=\"_blank\" rel=\"noopener\">imploded in 2010<\/a>.<\/p>\n<div id=\"attachment_60181\" style=\"width: 761px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-60181\" loading=\"lazy\" class=\" wp-image-60181\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/06\/rusdot.png\" alt=\"\" width=\"751\" height=\"447\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/06\/rusdot.png 1267w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/06\/rusdot-768x457.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/06\/rusdot-782x465.png 782w\" sizes=\"auto, (max-width: 751px) 100vw, 751px\" \/><\/p>\n<p id=\"caption-attachment-60181\" class=\"wp-caption-text\">A Google-translated version of the Rusdot spam forum.<\/p>\n<\/div>\n<p>Indeed, the very first mentions of RSOCKS on any Russian-language cybercrime forums refer to the service by its full name as the &#8220;<strong>RUSdot Socks Server<\/strong>.&#8221;<\/p>\n<p>Email spam \u2014 and in particular malicious email sent via compromised computers \u2014 is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia\u2019s most well-known forum for spammers, Emelyantsev probably knows quite a bit about other top players in the botnet spam and malware community.<\/p>\n<p>It remains unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The case is being prosecuted by the U.S. 
Attorney&#8217;s Office for the Southern District of California, which has not responded to a request for comment.<\/p>\n<p>Emelyantsev pleaded guilty on Monday to two counts, including damage to protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison, and is currently scheduled to be sentenced on April 27, 2023.<\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2023\/01\/administrator-of-rsocks-proxy-botnet-pleads-guilty\/\" target=\"bwo\" >https:\/\/krebsonsecurity.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/06\/klosterpp.png\"\/><\/p>\n<p><strong>Credit to Author: BrianKrebs| Date: Tue, 24 Jan 2023 19:00:32 +0000<\/strong><\/p>\n<p>Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. 
The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, \u201cAmerica is looking for me because I have enormous information and they need it.\u201d<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[16740,16695,27578,10495,28439,16696,26650,27580,26651,28440,23475],"class_list":["post-21074","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-a-little-sunshine","tag-breadcrumbs","tag-denis-emelyantsev","tag-iot","tag-iot-botnets","tag-neer-do-well-news","tag-rsocks-botnet","tag-rsocks-proxy","tag-rusdot","tag-rusdot-socks-server","tag-spamdot"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21074"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21074\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}