The Flashback trojan, which at its peak infected hundreds of thousands of Macs, was one of the biggest attacks on OS X in its lifetime. Now security reporter Brian Krebs has run his own investigation to find its creator, and it seems he was successful.
All the leads point to a 30-year-old Russian from Saransk, Mordovia, named Maxim Selikhanovich. In Krebs’s excellent article he details the entire process he went through to find the perpetrator, and it really is a model for open-source investigation: a pivot from the malware’s monetization scheme to a forum handle, from the handle to a domain, and from historical WHOIS on that domain to a real name and a registered company. From the article:
Given Flashback’s focus on gaming Google’s ad networks, I suspected that the worm’s author probably was a key member of forums that focus on so-called “black hat SEO” (search engine optimization), or learned in illicit ways to game search engines and manipulate ad revenues. Sure enough, this individual happens to be a very active and founding member of BlackSEO.com, a closely guarded Russian-language forum dedicated to this topic.
If we take a closer look at Mavook’s profile page on BlackSEO.com, we can see that he is a longtime member, dating back to 2005, when he was the 24th member registered on BlackSEO (out of thousands). Mavook’s profile also shows that his personal home page was at one time mavook.com. The WHOIS registration records for mavook.com have long been hidden by commercial WHOIS privacy protection services, but I found the original WHOIS record for this domain using the indispensable historic WHOIS service maintained by domaintools.com. Those records show that the domain was originally registered in 2005 by a Maxim Selikhanovich in Saransk, the capital city in Mordovia, a republic in the eastern region of the East European Plain of Russia.
The final clue offers perhaps the most tantalizing details: The email@example.com address is the contact point of record for a business in Saransk called mak-rm.com, the domain name registered to an IT-outsourcing and Web design firm in Saransk called the Mordovia Outsourcing Company (the “mak” part of the name comes from the Russian version of the company name, which is “МОРДОВСКАЯ АУТСОРСИНГОВАЯ КОМПАНИЯ”). That domain is registered to a “Max D. Sell” in Saransk (see a cached image from mak-rm.com’s homepage in 2010 at the Internet Archive).
According to a trusted source who has the ability to look up tax information on citizens and corporations in Russia, the Mordovia Outsourcing Company was registered and founded by one Maxim Dmitrievich Selihanovich, a 30-year-old from Saransk, Mordovia.
It’s amazing what one person can do sitting at a computer in a region of Russia that sounds more worthy of Lord of the Rings than anything else. Worth keeping in mind is that this attribution is built from correlated public records (forum membership, historical WHOIS data, a company registration) and one unnamed source, not from an arrest or a confession, so it is a strong lead rather than a proven case. I recommend checking out the full article, as it’s a good read.