Russian Denies Writing SoBig Worm

IphtashuPhitz writes "The Russian spamware programmer anonymously accused eariler this week of writing the Sobig worm has responded to the accusations. Ruslan Ibragimov of Send-Safe doesn't deny that his program uses proxies to hide spammer's identities. But he totally refutes the report's technical analysis in an online interview over at OReilly Network."

I don't buy it

[Commander+Trollco]

The bit about headers is believable. But the opcode similarities are harder to defend- anyone know more about this and care to comment? He clearly has a motive, and should be lynched regardless of whether he actually wrote sobig.

Proxie Shortage

[Rob+Carr]

From the article:

"Trojans killed my business," he said, noting that many of his customers have recently migrated to "cracked" (pirated) versions of spamware programs such as Dark Mailer, for which they purchase lists of Trojaned proxies from hackers. .... Comments on Send-Safe's discussion forum appear to confirm that the company has had trouble providing users with sufficient proxies for sending spam.

There's irony in this guy's complaint, and (assuming he didn't write SoBig) at least a little justice. "My heart bleeds for the Snicker-Snack Company" - Linus (the character from "Peanuts," not the software guy)

Well, well, well,

[cavac]

so he doesn't write viruses, just unwanted bulk mail. Makes me much more comfortable. not.

"Totally refutes"???

[Zocalo]

Well let's see. Ibragimov makes a few claims such as "it's bullshit!", "it's a coincidence!" and gives a very brief outline of how SendSafe works, revealling nothing not in the report. He also claims he's not been spoken by any law enforcement agency regarding the matter, which is possibly true. Hardly a point by point rebuttal is it, and never mind the maxim "spammers lie" which means everything he says will be taken with a huge pinch of salt.

The only interesting comment I found is that his company is currently having difficulties due to trojans, something that the SendSafe forums seem to confirm. That seems quite probable, but it hardly helps his case - why, exactly, would trojans be causing his SendSafe business any problems? Unless, of course, it might be something to do with other trojans that he didn't write such as NetSky/Sasser preventing SoBig getting as many hosts as it used to? Given that there was a spat between the various trojan authors, complete with a possible Russian connection, just before Sven Jaschen was arrested that at least seems entirely plausible to me.

Re:After all this..

[jjeffrey]

The comment handling in SlashCode has always been a lot heavier to handle than the news pages. I think there is probbaly a lot more processing involved. I wonder how well optimised the SQL queires are and what the backend technology is - is it still MySQL? - UPADTEs and INSERTs are often going to be slower than SELECTs, but it may be worse if they are using MySQL in replicated mode with one master server to send all the updates too and a few slaves to do selects from. Though I guess that's unlikley with the load they get. Do they use MySQL Cluster?

Hasn't anyone else caught this obvious lie?

The bit where he talks about headers is completely stupid and it shows that even on the interview he is lying. If you read the report, they say that Send-safe and sobig's headers are in the same order, which is different from outlook. So, he's lying.

Here's the quote from the "Who wrote sobig" article:

"Although these subtle differences suggest separate source code, the similarities suggest that Send-Safe was the
template, and not other mailing programs such as Outlook, Netscape, The Bat!, or AMS.

As these other independent email tools generate their headers with very different ordering, it would seem unlikely
that the Sobig author(s) determined the email headers and values independently."

And the quote from the interview:

"But Ibragimov said Send-Safe chose the particular order of headers merely to mimic Outlook Express and to better evade spam filters."

CONTRADICTION!