Wednesday, March 18, 2009

Carders do battle through spam

We've seen several cases in the past where law enforcement action is triggered by one criminal actively and publicly spreading information (or misinformation) about another criminal's activities.

That seems to be the case in what is happening now, as a spammer is using an existing spam botnet to send messages about the Russian credit card trading site "".

Beginning on the afternoon of March 16th, the UAB Spam Data Mine began to receive copies of this email message:

So far we have 142 copies of this email, which came from 138 different email addresses, and were sent to 122 of our unique trap accounts. The emails had 13 different subject lines, but were otherwise the same:

Carders attack
Carders here
Carders online
Carders threat
Hazardous site
How is it possible?
Sale Data
Stolen bank accounts
Stolen credit cards
Stolen data
Terrible site
The threat of credit card
Where is the police?

There were also 132 unique IP addresses in the email headers, corresponding to the 132 bot machines which were used to send us this spam. It would be interesting to know what other spam is coming from these same bot machines. Fortunately, when you have a Spam Data Mine sitting around, that's a pretty simple query to make.

(Full list of IPs at the end of this article . . . if you recognize the botnet please let me know.)

Unfortunately, some IP addresses are less helpful than others . . . is it valid to say that these emails came from the same botnet, for example, when we haven't seen other email from them since October?

Emails from (in Poland):

Date | Email Subject
2008AUG10 | debt consolidation calculator
2008AUG13 | loans for debt consolidation
2008AUG15 | debt consolidation loans
2008AUG21 | unsecured debt consolidation loans
2008AUG31 | credit check
2008SEP06 | a debt consolidation loan
2008SEP06 | debt busters
2008SEP06 | debt consolidation advice
2008SEP09 | profit debt consolidation
2008SEP25 | clear debt
2008SEP29 | help me get out of debt
2008OCT01 | credit cards debt
2008OCT15 | help to get out of debt
2008OCT26 | horses for loan
2008OCT29 | student loan debt

Or these from (in Russia):

Date | Email Subject
2008APR30 | Greetings, I have learned an interesting thing
2008MAY06 | Merrill Lynch Business Centre - Changing a website

The next one is far more useful, because although it shows a long history of spam from the computer at (in India), it also has spam from two weeks ago, which we know by the subject is a sign of a Waledac-infected computer.

Date | Email Subject
2008OCT04 | Hi! I wanna chat with you!
2008DEC08 | Watches
2008DEC13 | Hi sweety
2008DEC26 | Swiss Branded Watches
2009JAN01 | Swiss Branded Watches
2009JAN04 | Don't settle for less
2009JAN03 | Swiss Branded Watches
2009JAN04 | Swiss Branded Watches
2009JAN05 | Swiss Branded Watches
2009JAN06 | Attention: Important Information!
2009JAN08 | Re: Miley loves it huge
2009JAN16 | Swiss Branded Watches
2009JAN24 | Pharmacy Discount for (email)
2009JAN21 | Russian queens are waiting.
2009JAN30 | Turn your bedroom life into a volcano of pleasure.
2009FEB05 | Add floors to your skyscraper special offer for (email)
2009FEB14 | Facing a love-making problem? We will solve all yout problems in few minutes.
2009FEB17 | Have you heard about Viagra for women?
2009FEB27 | Pharma Discount for
2009MAR02 | Regards The day of Love
2009MAR06 | Regards The day of Love

Unfortunately, that was the only machine in our pool which seemed to be a Waledac box. Probably just another coincidence.

While many of the 132 computers were to be found sending other spam in the UAB Spam Data Mine, there were not enough which sent recent spam to draw any definite conclusions on the botnet.
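The query described above (take the unique sending IPs from the headers, pull everything else each IP has sent, discount IPs whose only other history is months old, and flag the Waledac-style subjects) as an added Python example. This is not the UAB Spam Data Mine's own code; the archive rows, the sample headers, the IP addresses (RFC 5737 documentation ranges), the dates and the Waledac signature list are constructed assumptions for illustration.

```python
"""Correlate a spam campaign's sending IPs against a spam archive.

Added example, not code from the UAB Spam Data Mine. The archive rows,
header text, IP addresses (RFC 5737 ranges) and dates are constructed.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

# Subjects this post ties to Waledac-infected senders. Treating them as a
# signature list is an assumption of this example, not a rule from the post.
WALEDAC_SUBJECTS = {"Regards The day of Love"}

# Subjects of the campaign under investigation (a subset of the 13 seen).
CAMPAIGN_SUBJECTS = {"Carders attack", "Stolen credit cards",
                     "Where is the police?", "Hazardous site", "Terrible site"}

AS_OF = date(2009, 3, 18)  # the post's date; "recent" is measured from here

# Constructed archive rows: (date seen, sending IP, subject).
ARCHIVE = [
    (date(2008, 10, 15), "192.0.2.10", "help to get out of debt"),
    (date(2008, 10, 29), "192.0.2.10", "student loan debt"),
    (date(2009, 1, 16), "192.0.2.20", "Swiss Branded Watches"),
    (date(2009, 3, 2), "192.0.2.20", "Regards The day of Love"),
    (date(2009, 3, 6), "192.0.2.20", "Regards The day of Love"),
    (date(2009, 3, 12), "192.0.2.30", "Pharma Discount for you"),
    (date(2009, 3, 14), "192.0.2.40", "Canadian Healthcare"),
    (date(2009, 3, 16), "192.0.2.10", "Carders attack"),
    (date(2009, 3, 16), "192.0.2.20", "Stolen credit cards"),
    (date(2009, 3, 16), "192.0.2.30", "Where is the police?"),
    (date(2009, 3, 16), "192.0.2.40", "Hazardous site"),
    (date(2009, 3, 17), "192.0.2.50", "Terrible site"),
]

# Constructed headers of one trap copy, as our own MX would have written them.
SAMPLE_HEADERS = (
    "Received: from c-192-0-2-10.example.net (c-192-0-2-10.example.net [192.0.2.10])\n"
    "\tby mx.spamtrap.example (Postfix) with SMTP id 4C1E2;\n"
    "\tMon, 16 Mar 2009 14:02:11 -0500\n"
    "Received: from [10.0.0.5] by c-192-0-2-10.example.net; Mon, 16 Mar 2009 14:02:10 -0500\n"
    "Subject: Carders attack\n"
)

# Only the topmost Received: header is trustworthy: it is the hop our MX
# recorded when the bot connected. Lower ones are written by the sender.
RECEIVED_IP = re.compile(
    r"^Received:\s+from\s+\S+\s+\([^)\n]*\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def sending_ip(raw_headers):
    """Return the connecting IP from the first Received: header, or None."""
    m = RECEIVED_IP.search(raw_headers)
    return m.group(1) if m else None


def campaign_ips(archive, subjects):
    """Distinct IPs that sent any of the campaign's subjects."""
    return {ip for _, ip, subj in archive if subj in subjects}


def other_spam(archive, ip, subjects):
    """Everything else this IP sent, oldest first: the 'what other spam' query."""
    return sorted((d, s) for d, i, s in archive if i == ip and s not in subjects)


def classify(archive, subjects, asof, recent_days=30):
    """Per campaign IP: how much other spam, how stale it is, Waledac hits.

    An IP whose only other history is months old says little about which
    botnet sent today's mail; only 'recent' IPs are worth correlating.
    """
    out = {}
    for ip in campaign_ips(archive, subjects):
        others = other_spam(archive, ip, subjects)
        last = others[-1][0] if others else None
        out[ip] = {
            "other_count": len(others),
            "last_seen": last,
            "recent": last is not None and (asof - last) <= timedelta(days=recent_days),
            "waledac": any(s in WALEDAC_SUBJECTS for _, s in others),
        }
    return out


def recent_other_subjects(archive, subjects, asof, recent_days=30):
    """Subjects recently sent by the campaign's IPs: the likely 'same criminal' pool."""
    cutoff = asof - timedelta(days=recent_days)
    counts = defaultdict(int)
    for ip in campaign_ips(archive, subjects):
        for d, s in other_spam(archive, ip, subjects):
            if d >= cutoff:
                counts[s] += 1
    return dict(counts)


if __name__ == "__main__":
    print("sender of sample copy:", sending_ip(SAMPLE_HEADERS))
    for ip, info in sorted(classify(ARCHIVE, CAMPAIGN_SUBJECTS, AS_OF).items()):
        print(ip, info)
    print(recent_other_subjects(ARCHIVE, CAMPAIGN_SUBJECTS, AS_OF))
```

With the constructed rows, the IP that last sent debt-consolidation spam in October is reported as stale, the one with the "Regards The day of Love" subjects is reported as recent and Waledac-flagged, and the IP seen only in this campaign has no history at all; the recent-subject tally is what the "recently spammed sites" paragraph is built from. The 30-day window is a tunable assumption.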

Limiting our interest only to the most recent spam from the pool of IP addresses, we find that recently spammed sites from the same criminal include: - an illegal movie download site listing this contact information:

Tel: +7 (495) 504-14-43
ICQ: 431409065

As well as the Viagra-selling site, US HealthCare Inc, hosted in Korea and using the domain names:

A second set of recent Viagra sites, Canadian Healthcare, used Chinese auto-forwarding URLs in their spam, such as:

which forwarded to the Israeli hosted website:

A third set of pills was available from this Canadian Pharmacy website:

What about

What do we actually know about ? Not a whole lot, truthfully. We know it's a popular site: at its peak there were more than 14,000 members logged in at the same time.

The WHOIS information for the domain says it is registered to "Private Person", but does give a phone number and an email address:

phone: +79164541122

A peek back at the WHOIS history shows it was originally registered by:

Maria A Ageeva

From at least November 20, 2008 until March 10, 2009, "Private Person" used a gmail account of:

Their servers are hosted in Moscow on the network, owned by Pavel Ivanov.
Ivanov has many interesting customers on his network. Fine folks like: (black card?)

I have to say, the folks have suspended some of the porn sites that drop malware, so maybe they only cater to certain types of criminals. "" and "" were suspended for dropping malware, as was "".

Do you recognize this botnet?
