The Gang Behind the World's Largest Spam Botnet

← Back to Stories (view on slashdot.org)

The Gang Behind the World's Largest Spam Botnet

Posted by samzenpus on Thursday February 2, 2012 @01:05AM from the who's-to-blame dept.

tsu doh nimh writes "A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. Brian Krebs uncovers fascinating information about a hacker named 'GeRa' who is supposedly behind the Grum botnet, which is currently sending about one out of every three spam emails worldwide. The story also points to several possible real-identities behind the Internet's largest spam machine."

58 comments

Min score:

Reason:

Sort:

Priorities by SJHillman · 2012-02-02 01:12 · Score: 5, Insightful

MegaUpload: Some people love it, some people hate it. Most of their damage (much of it alleged) is limited to a single industry and affects a tiny percentage of their bottom line
Global Botnets: Universally hated with very real damage caused in terms of time spent, infrastructure upgrades, spam filtering, etc, plus I'm sure a lot of that spam is also used for phishing and other activities that cause further damage. It affects pretty much every company and individual with any sort of online presence. I don't have any numbers, but I imagine the cost of spam botnets cause damage that's at least an order of magnitude greater than what copyright infringement is even claimed to be (nevermind the smaller amount it actually is).
But hey, glad we took down the one that also served legal uses.
1. Re:Priorities by SuricouRaven · 2012-02-02 01:17 · Score: 4, Insightful
  
  It shouldn't even be that hard. The spam-botnet itsself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmacutical scams. That means the spam is there to promote a website. Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable. Where is the megaupload-style international police operation to shut that down? Instead we have a bunch of vigilantee hackers, hardly an ideal solution.
2. Re:Priorities by shentino · 2012-02-02 01:22 · Score: 3, Insightful
  
  My guess is that the credit card companies that are collecting processing fees for the actual purchases don't mind the extra business.
3. Re:Priorities by Anonymous Coward · 2012-02-02 01:23 · Score: 1
  
  Also, since if people are buying stuff through it means there should be a money trail to follow...
4. Re:Priorities by Aighearach · 2012-02-02 01:24 · Score: 1, Insightful
  
  the problem is that the scams can use ad-hoc resources cobbled together from infected systems, there is no need to have a permanent domain. People don't need to get their by searching, the spam provides them a link. So shut down the server. Just be aware the server's legal operator wasn't involved and now their sites are down. And the scammers failed-over to the next batch of infected systems.
5. Re:Priorities by PopeRatzo · 2012-02-02 01:28 · Score: 2, Insightful
  
  Also, since if people are buying stuff through it means there should be a money trail to follow...
  And who wants to bet that the money trail would lead to places and people that the "enforcers" would rather we not know?
  
  --
  You are welcome on my lawn.
6. Re:Priorities by Peter+Simpson · 2012-02-02 01:30 · Score: 4, Insightful
  
  Yeah. You know, if the CC companies *really* wanted to shut these guys down, it seems like they could do it by identifying the stream of transactions that trace back to one or two payment processors in their network. But there's money involved, so I guess that's not going to happen.
7. Re:Priorities by KiloByte · 2012-02-02 01:31 · Score: 4, Insightful
  
  Spammers can use flux hosting for their websites so this part is not easy to target. Accepting payment, though, is something that's trivial to block -- if there was any will to do so.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
8. Re:Priorities by Hentes · 2012-02-02 01:37 · Score: 5, Insightful
  
  So next time a company will spam in the name of a rival, thus baiting authorities to take it down. Just because they are the ones advertised is no proof that they ordered the advertisement and if they did that they know that it's being achieved by illegal spam.
9. Re:Priorities by Anonymous Coward · 2012-02-02 01:41 · Score: 0, Insightful
  
  It shouldn't even be that hard. The spam-botnet itsself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmacutical scams. That means the spam is there to promote a website.
  More than that: it's not just promoting a website, but trying to sell something, so follow the money.
10. Re:Priorities by slart42 · 2012-02-02 01:41 · Score: 2
  
  Problem with that is that I'd be able to get any web site taken down by paying people to send around a little spam linking to it :)
11. Re:Priorities by somersault · 2012-02-02 01:46 · Score: 2, Interesting
  
  time spent, infrastructure upgrades, spam filtering, etc
  I of course hate spam, but that type of stuff does keep a lot of Slashdotters employed.
  Good job on being spectacularly biased and imagining up all those useful pieces of information to back up your viewpoint.
  
  --
  which is totally what she said
12. Re:Priorities by Zocalo · 2012-02-02 01:47 · Score: 5, Insightful
  
  Chances are the website is also hosted on the botnet, thousands of times over, across possibly as many domains and sub-domains. The spammers can then use Fast Flux DNS to cycle between random selections of hosts every few minutes or so. That means you need to take out the C&C servers to take down the website(s) as well, and even then there's no reason that the bots could not keep on operating in autopilot while the operators try to regain control.
  
  Realistically, there is only one way to stop spam and that's to disrupt the money flow between the people that buy products from spam and the spammers to such an extent that it is no longer profitable. That's certainly not going to be easy, but for all its faults SOPA would have provided some of the necessary muscle needed to force Mastercard and Visa to try and prevent payments to known spam operators through its provisions to block financial flow to such sites (it's potential use for preventing sales of fake Viagra is why Pfizer is on the SOPA supporter's list). Another avenue of attack is blacklisting banks that can be shown to be processing spam related payments, especially since research has shown that there may only be a handful of banks prepared to deal with spammers in the first place.
  
  --
  UNIX? They're not even circumcised! Savages!
13. Re:Priorities by __aaltlg1547 · 2012-02-02 01:53 · Score: 2
  
  So you follow the money trail back one or two steps further to the guy that accepted money to send the spam and the operators of the botnet.
  It's not that hard. The government knows how to do this. It's just not a high priority.
14. Re:Priorities by mapkinase · 2012-02-02 01:55 · Score: 1
  
  >But hey, glad we took down the one that also served legal uses.
  Same comparison could be made between action taken by US against drug cartels and Taliban, al-Shabaab, etc.
  
  --
  I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
15. Re:Priorities by Pope · 2012-02-02 02:02 · Score: 1
  
  False equivalence, rear your head!
  
  --
  It doesn't mean much now, it's built for the future.
16. Re:Priorities by Anonymous Coward · 2012-02-02 02:09 · Score: 2, Interesting
  
  Oh yeah, sure. It'd be about as easy as blocking payment to some other really damaging websites such as wikileaks. /sarcasm
17. Re:Priorities by EXrider · 2012-02-02 02:32 · Score: 2
  
  Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.
  Probably because zombie machines on the botnet are the ones hosting the website(s).
  
  --
  grep -iw skynet /etc/services
18. Re:Priorities by Splodgey · 2012-02-02 02:38 · Score: 4, Funny
  
  Destroying this botnet could have detrimental effects on men with tiny penises worldwide!
  
  --
  Sigs are for losers....oh wait...damnit
19. Re:Priorities by houghi · 2012-02-02 02:42 · Score: 1
  
  Unfortunately not as trivial as it sounds.
  A good step would be that the USofA starts using the chipset, like the rest of the world does. This would already help a LOT with stolen cards.
  It is not as if they would say: please transfer X amount from creditcard Y to my own account. What they do is a bit more complex. They are pretty good in hiding sales under the radar.
  A way would be to verify each sale by an SMS or any other means. This will be extremely inconvenient for the user.
  As with DRM, it will harm the good user more then the bad user.
  
  --
  Don't fight for your country, if your country does not fight for you.
20. Re:Priorities by Sponge+Bath · 2012-02-02 02:45 · Score: 1
  
  I feel your pain. The unbalanced allocation of resources mirrors so many policy decisions, from law enforcement to military involvement. If we could just use /. polls to drive these decisions, spammers would experience the same wake up call as the Somalis who took those aid workers hostage.
21. Re:Priorities by GameboyRMH · 2012-02-02 02:52 · Score: 2
  
  Unless those processing fees are from donating money to a leak site. That money's no good.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
22. Re:Priorities by kryliss · 2012-02-02 02:53 · Score: 1
  
  The reason something like this doesn't get shut down is because companies spend money to get rid of the problem, money spent is taxable, more money spent, more taxes paid.... then the next version of spam/virus/malware/etc... more money spent, more taxes paid... rinse and repeat.
  
  --
  --- If the bible proves the existence of God, then Superman comics prove the existence of Superman.
23. Re:Priorities by alaffin · 2012-02-02 03:03 · Score: 2
  
  I guess, by your logic, we should bother to try and take down Global Botnets either because there are rapists and murderers out there who have yet to be caught. Obviously we have our priorities mixed up.
  Leaving aside the whole "MegaUpload was a legitimate business" argument it's likely a matter of low hanging fruit. Shutting down a botnet is difficult. It's comand and control structures are usually obfuscated and redundant. It's operators are (usually) bright enough to cover their tracks. Innocent people/businesses are likely to get caught in the crossfire as their zombified PC's are often used to host significant portions of the systems. To say nothing of the fact that law enforcement agencies usually do not want to shine a light too directly at botnets - the cockroaches that run them tend to scatter to their hidey-holes rather quickly. Better rather to invest large amounts of time and effort to bring the thing down properly, so that there is a case against it's organizers. MegaUpload, on the other hand, was a business. Its location was known. Its infrastructure was known. Its CEO was known. No innovent bystanders. No way to hide.
  Now I'm with you. I think it was wrong to bring down MegaUpload. But don't criticize law enforcement agencies for, upon deciding that MegaUpload was in violation of the law, taking it down swiftly.
24. Re:Priorities by Anonymous Coward · 2012-02-02 03:09 · Score: 0
  
  That is the broken window fallacy. You *COULD* be working on other things that are more productive then making sure your CEO doesnt get spam...
25. Re:Priorities by somersault · 2012-02-02 03:57 · Score: 1
  
  I was just trying to inject some grey into that guy's black and white garbage. He's completely off base anyway, because several botnets have been taken down by authorities.
  I'm not saying we shouldn't take down botnets - go for it, by all means! We'll never be able to eradicate it completely though, so we might as well appreciate the good that comes from it instead of just whining about the bad. It's the same as all those people who point out that piracy can actually get you some sales that you otherwise wouldn't have had.
  It's kind of sad that he's so happy to break the law himself, and yet when some other guys are breaking the law in a way that inconveniences himself, suddenly he's up on his high horse as if he's any less of a leech than they are.
  
  --
  which is totally what she said
26. Re:Priorities by somersault · 2012-02-02 04:08 · Score: 1
  
  If he was talking about copyright, he'd be doing the same by pointing out how piracy can be beneficial in some ways.
  I'm not one of the ones who would want to keep spam around. I was simply pointing out that it doesn't only do "damage" because his levels or bias and hypocrisy are absurd.
  
  --
  which is totally what she said
27. Re:Priorities by GPLHost-Thomas · 2012-02-02 04:53 · Score: 2
  
  Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.
  It's more on the line of: remove the website - which isn't easy because it's most of the time hosted by a company that is accomplice - and another one pops up in a mater of hours.
28. Re:Priorities by oh-dark-thirty · 2012-02-02 04:54 · Score: 2
  
  I've been saying that to anyone that cared to listen for years. As long as Visa/MC/the banks/processors get their cuts and the chargeback level stays low, they do not care who or what is transacting.
29. Re:Priorities by Anonymous Coward · 2012-02-02 05:11 · Score: 1
  
  Good job on being spectacularly biased
  So your point is that killing keeps many detectives, coroners, and funerary home employees working. So it's good.
30. Re:Priorities by repapetilto · 2012-02-02 05:14 · Score: 1
  
  Broken window fallacy is not the same as people buying your stuff after downloading it first. Where do you people come from?
31. Re:Priorities by repapetilto · 2012-02-02 05:21 · Score: 1
  
  Oh my god you've repeated this twice now. People buying something after trying it for free has nothing to do with the broken window fallacy.
32. Re:Priorities by PapayaSF · 2012-02-02 05:54 · Score: 1
  
  Still, aren't the CC companies and banks the weak point in spam operations? Surely the government would be able to lean on them even harder than they can lean on some foreign ISP regarding a website.
  But every time I read about spammers like this, I think of the rubber stamp from the movie Top Secret!.
  
  --
  Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
33. Re:Priorities by Em+Adespoton · 2012-02-02 07:01 · Score: 1
  
  For more information:
  http://scholar.google.com/scholar?hl=en&q=related:mBwQLdGHFCUJ:scholar.google.com/&ei=WdwqT6PyBsOviQKsyfjGCg&sa=X&oi=science_links&ct=sl-related&resnum=1&ved=0CC4QzwIwAA
  This will tell you all you need to know about why it hasn't been done, direct from the experts in the field.
  Short form: the Russians aren't about to take down a "legit pharmacy" just because of abuse of "referral programs".
34. Re:Priorities by somersault · 2012-02-02 22:01 · Score: 1
  
  I take it you don't understand analogies either?
  
  --
  which is totally what she said
35. Re:Priorities by somersault · 2012-02-02 22:06 · Score: 1
  
  On a moral scale it's not good. On an economic scale, it's probably neutral-to-good right now, as it frees up jobs for other people, or gets rid of people drawing government welfare :p
  
  --
  which is totally what she said
36. Re:Priorities by Anonymous Coward · 2012-02-02 23:58 · Score: 0
  
  The worst problem is finding a real online pharmacy which actually delivers, doesn't rip you off and which you can trust.
  All of the crap created by these botnets causes so much static it's hard to find the real deal. I found magicpharma ... but had to filter out a lot to sort out that it was real.
  The spammers need to die - nuclear strike from space, or just kick them off the planet.
37. Re:Priorities by repapetilto · 2012-02-03 04:41 · Score: 1
  
  I usually do, but for some reason I failed on this one.
38. Re:Priorities by somersault · 2012-02-03 05:26 · Score: 1
  
  People buying something after trying it for free has nothing to do with the broken window fallacy.
  Well, the "broken window parable" - or "window maker fallacy" as some people call it - was created to investigate opportunity costs in a situation that might at first seem only negative. There is no one lesson to draw from that imagined situation, and there is obviously a lot of room for debate as to how the situation affects an economy, as economics are necessarily complex.
  I don't see how it's very different to the ongoing debate going on about how copyright and piracy affect the economy. Outcomes are not necessarily 100% "good" or 100% "bad", they're mixed. People have pointed out how piracy actually can result in more sales than if there had been no piracy, that kind of thing. Just as with the broken window fallacy, there are lots of factors to consider, some which we may not have even thought of yet.
  
  --
  which is totally what she said
PSAs? emails are for scammers by Anonymous Coward · 2012-02-02 01:31 · Score: 1

It affects pretty much every company and individual with any sort of online presence.

It's too bad that banks, credit companies, and others who are hurt by spam and botnets don't have public service annoucements on TV and in AARP that say something like "Consider all email to be scams!"
It' is interesting that my financial institutions no longer send links when there's some sort of update or annoucement. Their emails just say "log into your account and see ..."
It seems to be old people (70yrs+) that really get snookered - at least that age group seems to be the largest segment of victims. It's like they see it in "writing" and therefore is must be true.
OTOH, there are old people like my Dad who is constatnly forwarding me things and asking if it's true; which I rerspond with (after checking to be sure and to get links to back up what I say) "If it's in an email, it's a scam."
Spam not really a problem by Anonymous Coward · 2012-02-02 01:36 · Score: 0, Flamebait

Email is dead. Everyone uses facebook to communicate now.
1. Re:Spam not really a problem by Anonymous Coward · 2012-02-02 02:14 · Score: 0
  
  Have you ever been to the real corporate world?
2. Re:Spam not really a problem by Anonymous Coward · 2012-02-02 02:48 · Score: 0
  
  This is most certainly satire.
3. Re:Spam not really a problem by Anonymous Coward · 2012-02-02 03:31 · Score: 1
  
  in Korea, only old people use email
4. Re:Spam not really a problem by PPH · 2012-02-02 04:04 · Score: 1
  
  Is that you, Zuckerberg? You're getting your IPO. Stop shilling for your company already.
  
  --
  Have gnu, will travel.
Wikileaks? by Anonymous Coward · 2012-02-02 02:14 · Score: 0

Sorry - what does this have to do with WIkileaks?
80k sales and $6m in revenue by Cid+Highwind · 2012-02-02 02:38 · Score: 5, Insightful

Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.
...and that's why we will never be rid of spam: because at least 80,000 people are dumb enough to buy boner pills over the internet from someone who spammed their inbox with poorly-spelled sales pitches.

--
0 1 - just my two bits
1. Re:80k sales and $6m in revenue by Anonymous Coward · 2012-02-02 04:29 · Score: 2, Interesting
  
  The trouble is and always has been that money is really hard to follow. How do you think the federal government manages to lose TRILLIONS of it?
2. Re:80k sales and $6m in revenue by Tom · 2012-02-02 09:01 · Score: 1
  
  True.
  You have convinced me to change my position on spam.
  From "shoot the spammers" to "shoot the idiots who buy from them".
  The only issue is that we must shoot idiots faster than they breed, and that is going to be challenging.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
Maybe they are Syrians? by AverageWindowsUser · 2012-02-02 03:32 · Score: 2

"Syrian" hackers on a U.N. Peacekeeping Mission:
http://www.themoscowtimes.com/news/article/syria-cyber-war-opens-new-front-in-russia/452200.html
Syria Cyber War Opens New Front In Russia
02 February 2012
By Jonathan Earle
The cyber front of Syria's year-old civil war spread to Russia this week as pro- and anti-government bots splashed criticism and expressions of gratitude across the Russian Internet, and Syrian hackers attempted to commandeer the website of a Russian embassy.
The attacks are a response to Russia's ongoing resistance to proposed UN sanctions against Damascus and willingness to sell weapons to the Syrian government, which has been accused of killing thousands of civilians to stem a popular uprising that began in March.
On Sunday, the Syrian National Council, the main opposition coalition, called on Syrian expatriates to stage protests at Russian embassies and consulates and "exert pressure" on Russia.
Syrian electronic activists appear to have heeded the call, as Dozhd television said its website started receiving three to four comments per hour beginning Monday night.
Thousands of Syria-related comments have since appeared on Russian news websites and Facebook pages. Most comments are sharply critical of Russia's defense of President Bashar Assad. "Russia sold its humanity when it sold weapons to a criminal regime" user Abu Mujahid al-Hamwi wrote on President Dmitry Medvedev's Facebook page Tuesday morning.
A small percentage of the comments — which appeared in Arabic, Russian and English — expressed gratitude to Medvedev and Prime Minister Vladimir Putin, such as one from user Hamoud Youssef: "A heartfelt thank you to Russia. Thank you for the veto."
The comments were ostensibly posted by users with Syrian-sounding names, but the high number of identical entries suggests that the effort is largely automated. Several comments appeared dozens of times from multiple users on Facebook pages belonging to Slon.ru, Afisha, and Lenta.ru.
Meanwhile, a senior official at the Russian Embassy in New Delhi said Syrian hackers tried and failed to commandeer the embassy's website, Vesti.ru reported Monday. The official denied earlier reports that hackers had posted photographs of children allegedly killed by Syrian security forces.
For months, Russia and its allies have resisted growing pressure from Western governments and much of the Arab world to take a harder line against the Syrian government, which opponents say is using tanks and heavy weapons to slaughter opponents. The UN estimates that more than 5,000 have died in the crackdown.
The Syrian government says it is battling terrorist groups, and Russia has called on both sides to reject violence and come to the negotiating table. In October, Russia and China blocked a UN Security Council resolution calling for sanctions against Syria within 30 days if the government did not stop attacks on protesters.
In December, Russia agreed to sell 36 Yak-130 trainer-fighter airplanes to the Syrian government in a $550 million contract, Kommersant reported this week. Last month, a Russian-owned ship laden with munitions arrived in Syria after being temporarily detained in Cyprus.
Analysts have speculated that Russia is eager to hold on to a longtime ally and prevent a repeat of NATO's intervention in Libya. Also at play are billions of dollars worth of arms contracts and a naval base in the Mediterranean city of Tartus, Russia's only military base outside the former Soviet Union.
How about stopping the product? by Marrow · 2012-02-02 03:41 · Score: 3, Insightful

If actual products are being shipped (as opposed to pure fraud), then it should be possible to trace the physical deliveries back to their source. Pharmacy products are not e-product. They are physical. So if these products are being marketed through illegal means, and are probably illegal products themselves, then why not follow them back to their source.
At the very least, the govt could make a big noise and say that goods marketed through spam are being seized enroute and people will throw their money away if they purchase them.
1. Re:How about stopping the product? by madhatter256 · 2012-02-02 04:38 · Score: 1
  
  There was an article on slashdot not too long ago about websites that pay you to act as a small "shipping/receiving" drop point for these illegal online pharmacies...
  I try and search it, but slashdot search doesn't really bring it up...
  
  --
  Previewing comments are for sissies!
Hosting providers often don't care: follow the $$$ by John+Bokma · 2012-02-02 05:29 · Score: 1

flux hosting? Heh, they just pick one of the many hosting companies that do nothing about spam reports received via SpamCop.net or emailed directly.
Case in point? I received spam last Friday, which has redirects to: 199.10 2.228.2 19/~ lig htfoo/tracking/rd/t-a-x/main/jonxqo The IP address is with ServInt. Despite contacting them via their abuse@ address, the live chat feature on their website, and their Facebook page (from which they have blocked me by now) the site is still up. And ServInt is just one example. Reporting spam via SpamCop to ovh.net seems to be a pointless exercise. After complaining at their site I was handed an additional email address: legal@. And presto, suddenly spam I report is taken action upon if I email manually both abuse@ and legal@. No idea how long this miracle stays up, though.
What I really don't get is why don't hosting providers/ISP check sites that report IP addresses that send spam or are abusive on a daily basis. My impression is that your head in the sand just makes more money...
And that's the problem. Some big USA/European hosting companies that don't do a thing about this. As always, follow the money.

--

Perl Programmer for hire
Doubtful passport authenticity by vovick · 2012-02-02 05:43 · Score: 2

One of the two hackers' names the author "uncovers" is Vasily Ivanovich Petrov which is basically one of many possible variations of John Doe in Russian. While there is a possibility for someone to be named this way (in fact, Wikipedia has an article on one http://en.wikipedia.org/wiki/Vasily_Ivanovich_Petrov), it seems highly doubtful that is the person's real name.
wikileaks? by equex · 2012-02-02 06:11 · Score: 2

what does this have to do with Wikileaks?

--
Can I light a sig ?
Re:Hosting providers often don't care: follow the by EvilIdler · 2012-02-02 09:43 · Score: 1

I just started digging into finding Servint's upstream provider today because of all the fuckers abusing their servers (1-3 spam mails a day from as many scam companies with changing names). In my findings I also ran across 11 years old threads about their completely disgusting business practices. When reporting spam to them back then they threatened the spam reporters with reporting THEM as spammers! See the Spamcop mailing list 2000-2001 for more miserable reading.
From what I've found about Servint it looks like Network Solutions would be one possible provider - no domain name would make continuing their business a little tricky. Not sure who provides the actual network, though. I'm sure a whole article's worth of dirt could be found on those bastards.