Researcher: Ukrainian botnet sent Ron Paul spam

Sponsor probably had prior deals with spammer, says SecureWorks' Stewart

The spam blamed on Republican presidential candidate Ron Paul more than a month ago originated with a Ukrainian spam operation, a security researcher said today.

According to Joe Stewart, a senior security researcher with SecureWorks Inc., the Ron Paul-related spam that flooded inboxes in late October can be traced to a botnet of approximately 3,000 compromised computers, all infected by a Trojan horse called Srizbi that in turn installed a spam-spewing bot -- dubbed "Reactor Mailer" -- onto each hijacked machine. It was Reactor Mailer that sent the spam touting Paul and his positions.

Starting Oct. 27 and ending Oct. 30, the spam promoted the Texas congressman after a televised weekend debate, and featured subject headings such as "Ron Paul Wins GOP Debate!" and "Ron Paul Exposes Federal Reserve!" Researchers at the University of Alabama at Birmingham, who analyzed samples of the spam at the time, said that they had no reason to believe that the Paul campaign was behind the junk e-mail. A spokesman for Paul quickly denied any knowledge of the scam.

Gary Warner, the director of research in computer forensics at UAB, was quoted in news reports saying that he believed the spam came from a botnet. That fueled speculation by some bloggers that a rogue supporter for the former obstetrician may have built a botnet specifically to crank out the spam. The idea seemed credible at least in part because Paul enjoys strong support among technology-astute voters and has raised millions using the Internet.

Stewart dismissed the idea that the botnet was created solely to send Paul- or even politically-oriented spam. "E-mails emanating from the botnet pitched all the usual spam products, from pharmaceuticals to fake watches," said Stewart.

The Reactor Mailer spambot also gave Stewart the connection between the spam and a Ukrainian who goes by the pseudonym "spm." The bot, said Stewart, is spm's creation. "He claims to hire some of the best coders in the CIS [Commonwealth of Independent States, the name for the loose confederation of former republics in the now-defunct Soviet Union]." By looking at the source code of Reactor Mailer, Stewart identified one of the bot's principal programmers as a Ukrainian who goes by "vlaman."

Another link to Eastern Europe was the botnet's command-and-control server, which was operated by a co-location facility located in the U.S. that has been known to host other CIS-originating malware.

The identity of the Ron Paul spam sender, however, wasn't as clear. Known only as "nenastnyj," the spammer had an account on the Reactor Mailer command-and-control server -- spm apparently operates a Web-based, software-as-a-service business -- and spammed a list of more than 162 million addresses. Stewart couldn't determine the exact number of spammed inboxes -- in a typical address list, many would be outdated or invalid -- but he put the figure at "certainly millions of recipients."

Stewart had no idea who might have hired nenastnyj to spam that list, although he had some clues.

The first was that the Paul spam run was what Stewart called a "one-off," a one-time campaign. "That's pretty unusual for a spammer like this one," said Stewart, who added that nenastnyj was a subcontractor to bigger-league spam kingpins. Another hint: The political spam stood in contrast to the usual litany of fake watches, work-from-home scams and penis-enlargement drugs touted by this spammer's other campaigns.

"What really seemed funny to me was that this was a one-off," said Stewart. "That made me think that there had to be a prior relationship between the person who hired nenastnyj and the spammer [nenastnyj]. Because why would you hire a Ukrainian to do something like this?"

From all signs, nenastnyj doesn't advertise his (or her) services anywhere on the Web, Stewart noted. "If you wanted to send spam, but didn't know anyone, you'd probably use Google and search for 'bulk email' and then pick the first one that shows up," he speculated. That's not what happened here. Instead, the spam's sponsor picked an unknown, yet effective spammer who had access to a botnet able to mail up to 200 million messages a day.

Nor is nenastnyj's business devoted to one-off projects like the Paul spam blitz. "If he was, we'd see lot of odd jobs in the [Reactor Mailer] task list," Stewart said, referring to the spam job list that he observed.

"This is all very unusual," Stewart concluded.

Paul's campaign was not available for comment.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon