Russian hacker behind Apple OS worm

Posted by Nick Farrell

Security expert Brian Krebs has identified the Russian hacker who made a fortune out of the poor security on Apple's operating system last year.

Despite claiming that only Windows machines suffered from malware, Apple was forced to release a software update to halt the spread of the Flashback worm last year.

More than 650,000 Mac OS X systems were exploited because of a vulnerability in Apple's version of Java.

Flashback was the first OS X malware to be "VMware aware" and know when it was being run in a virtual environment. It was also the first to disable XProtect, OS X's built-in malware protection program. All this made it as common on Macs as the Conficker worm was on Windows PCs.

It could have been a lot worse. All Flashback wanted to do was redirect Google results to third-party advertisers so that the author could make a lot of dosh. At one point he was making $10,000 a day, which is nice money if you can get it.

It used a social engineering trick of presenting the OS X user with a bogus Flash Player installation prompt. Apple fanboys had been programmed to believe that they were totally safe because Apple software was totally secure. If any reporter mentioned how unsafe the OS was they received angry emails telling them that "no virus (sic) had ever been written for Apple gear."

Krebs took a year to track down the virus's author. He hangs out on many of the same forums as the world's top spammers and was an active and founding member of BlackSEO.com, a closely guarded Russian-language forum dedicated to spam.

Working under the handle Mavook, he claimed responsibility for creating Flashback to a senior forum member and was seen trying to gain access to another spam/hacker site, Darkode.

Mavook said that his Darkode nickname should not be easily tied back to his BlackSEO persona, and suggested the nickname "Macbook."

He also states that he is the "Creator of Flashback botnet for Macs," and that he specializes in "finding exploits and creating bots."

Mavook gives all sorts of details about his activities, which allowed Krebs to work out who he was. He found that his webpage was registered in 2005 by a Maxim Selikhanovich in Saransk, the capital city in Mordovia.

This name was used to obtain several email addresses and to register the now-defunct website saransk-offline.com, which at one point sold cheap MP3 files.

One of the emails used by Maxim for that website and a related site was "troxel@yandex.ru," which was the same email used to register a now-deleted Facebook account under a Maxim Selikhanovich from Saransk.

Another of Selikhanovich's email addresses was h0mini@mail.ru, the contact address for a business in Saransk called mak-rm.com, a domain name registered to an IT outsourcing and web design firm in Saransk called the Mordovia Outsourcing Company. That domain is registered to a "Max D. Sell" in Saransk.

The Mordovia Outsourcing Company was registered and founded by one Maxim Dmitrievich Selihanovich, a 30-year-old from Saransk, Mordovia.