Researcher: Ukrainian botnet sent Ron Paul spam

Computerworld - The spam blamed on Republican presidential candidate Ron Paul more than a month ago originated with a Ukrainian spam operation, a security researcher said today.

According to Joe Stewart, a senior security researcher with SecureWorks Inc., the Ron Paul-related spam that flooded inboxes in late October can be traced to a botnet of approximately 3,000 compromised computers, all infected by a Trojan horse called Srizbi that in turn installed a spam-spewing bot -- dubbed "Reactor Mailer" -- onto each hijacked machine. It was Reactor Mailer that sent the spam touting Paul and his positions.

Starting Oct. 27 and ending Oct. 30, the spam promoted the Texas congressman after a televised weekend debate, and featured subject headings such as "Ron Paul Wins GOP Debate!" and "Ron Paul Exposes Federal Reserve!" Researchers at the University of Alabama at Birmingham, who analyzed samples of the spam at the time, said that they had no reason to believe that the Paul campaign was behind the junk e-mail. A spokesman for Paul quickly denied any knowledge of the scam.

Gary Warner, the director of research in computer forensics at UAB, was quoted in news reports saying that he believed the spam came from a botnet. That fueled speculation by some bloggers that a rogue supporter for the former obstetrician may have built a botnet specifically to crank out the spam. The idea seemed credible at least in part because Paul enjoys strong support among technology-astute voters and has raised millions using the Internet.

Stewart dismissed the idea that the botnet was created solely to send Paul- or even politically-oriented spam. "E-mails emanating from the botnet pitched all the usual spam products, from pharmaceuticals to fake watches," said Stewart.

The Reactor Mailer spambot also gave Stewart the connection between the spam and a Ukrainian who goes by the pseudonym "spm." The bot, said Stewart, is spm's creation. "He claims to hire some of the best coders in the CIS [Commonwealth of Independent States, the name for the loose confederation of former republics in the now-defunct Soviet Union]." By looking at the source code of Reactor Mailer, Stewart identified one of the bot's principal programmers as a Ukrainian who goes by "vlaman."

Another link to Eastern Europe was the botnet's command-and-control server, which was operated by a co-location facility located in the U.S. that has been known to host other CIS-originating malware.

The identity of the Ron Paul spam sender, however, wasn't as clear. Known only as "nenastnyj," the spammer had an account on the Reactor Mailer command-and-control server -- spm apparently operates a Web-based, software-as-a-service business -- and spammed a list of more than 162 million addresses. Stewart couldn't determine the exact number of spammed inboxes -- in a typical address list, many would be outdated or invalid -- but he put the figure at "certainly millions of recipients."