The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.
Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.
Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”
This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).
That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.
SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.
Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.
The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.
ICQ 360000 (alias “SPM”): I want my logo to be next to yours on the forum.
SPM: Let’s decide.
Stupin: We can think of something.
SPM: Let’s do it. Fakir suggests that I start recommending your partnerka to my clients. I am not against that.
SPM: But I want to have the status of official software for spamdot. It will come to it, since majority of moderators on the forum are with me already.
Stupin: We can think of something like this – we are placing your logo with ours, in return you add our logo to your software, like you are recommending us.
SPM: Not a problem. I am leaving to draw the logo.
SPM: Give me a piece of the header, and I will draw right on it. I mean the header for the forum.
Stupin: Wait, it cannot be decided that fast, I need to discuss it with my partner and simply think all of this over.
SPM: Fine. Let me know when you discuss it.
SPM: Thanks in advance. And when you are discussing this matter with your partner, let him know, that SPM’s plan is to become the ONLY system on the market, and I stay by my words
Stupin: Google is saying the same thing
SPM: Google is no match, believe me. I’ve already destroyed one competitive system on the market. So I have the experience
SPM: Google offered me a bribe for my going out of business That’s his method )
Stupin: Honestly, it’s more pleasurable to deal with you than with him.
SPM: I was surprised that someone is competing with me on spam soft market. On the other hand, competition is always a good thing. So I am not against it.
The exchange above is part of a much longer conversation thread that is translated and reproduced in its entirety at this link. It recounts how SpamIt administrators debated and ultimately acquiesced to SPM’s demands, and how they later distanced themselves from Srizbi when security researchers turned up the heat on the criminal operation.
WHO IS SPM?
Clues about the identity and location of SPM are all over the SpamIt database and the chats. When SPM first registered with SpamIt in early 2007, he provided the email address firstname.lastname@example.org, and of course the ICQ address 360000. Early forum posts show that SPM rented his Reactor/Srizbi botnet to spammers who would log in to their accounts at reactormailer.com. The original Web site registration records for that domain list the same email address SPM provided to SpamIt: email@example.com.
When reactormailer.com was shuttered, SPM moved operations to www.reactor2.com, a domain originally registered to firstname.lastname@example.org. SpamIt affiliate records show that a spammer who registered in 2007 with that same email address was a referral of SPM’s. Records also show that SPM referred at least two other affiliates, a “nenastnyj” who used the email address email@example.com, and a programmer who used two accounts under separate nicknames, “Vladie” (firstname.lastname@example.org) and “SigmaZ” (email@example.com).
These names show up in an insightful analysis of Srizbi published in 2007 by Joe Stewart, senior security researcher at Atlanta-based SecureWorks. That report was prompted in part by a strange blast of spam sent via Srizbi that promoted the presidential candidacy of Texas Congressman Ron Paul.
Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm” He calls his company “Elphisoft,” and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true; by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.
Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj.”
So Stewart’s conclusions about SPM’s business associates seem to have been spot-on. But what about SPM? Some of the more promising leads come from the spam king himself. As Stewart noted, SPM gave an interview in Jan. 2007 with the storied Russian hacker magazine Xakep.ru, in which he discusses how his Reactor Mailer botnet — “wholly owned” by him but built with the help of “some of the best coders from the former Soviet Union” – had recently seized a quarter of the market for spam services. Early in the profile, SPM says he is the “owner of a company producing game software.”
The game company lead is the most tantalizing. Here’s why: Googling around for SPM’s ICQ — 360000 — I discovered that SPM has indeed been developing freeware games for many years. At freeware.ru, there are a number of games posted by a guy named Philipp Pogosov, who uses that same ICQ and the firstname.lastname@example.org address.
Things started really heating up when I located this thread from 2005 on the user forum of UCA Networks, an Internet service provider serving the Southwestern and Southern districts of Moscow. In it, a user named “spm” says he is selling his 2001 BMW 530ia. SPM tells interested buyers to contact him at ICQ 360000, and that pictures of the car are available at http://www.reactor2.com/bossmobile. Later in the thread, SPM tells a fellow forum member to send his resume to email@example.com.
I had a look at Gameprom, which seems to be doing very well developing and selling video games for mobile devices. Russian incorporation records show that Gameprom was founded in 2004 and is owned by Philipp Pogosov. This is also the name on the domain registration records of gameprom.com. What is the email address used to register gameprom.com? You guessed it: firstname.lastname@example.org.
I made several unsuccessful attempts to contact Mr. Pogosov. Gameprom did not respond to requests for comment. Having no luck with email, I turned to social networking sites. LinkedIn.com includes 19 users who list their current or former employer as Gameprom, including a “Philipp P.” who is listed as the company’s owner. My attempts at convincing two of my mutual LinkedIn.com connections to introduce me to Pogosov failed, but I did learn one interesting thing from his LinkedIn profile: He is apparently based in Thailand.
If Pogosov really is SPM, then it seems he has resided in Thailand for several years. Earlier in my Pharma Wars series, I detailed the activities of Cosma — the top SpamIt affiliate who appears to have been responsible for a botnet that competed directly with SPM’s – Rustock.. In a chat between Cosma and Stupin on Oct. 1, 2008, Cosma jokes that he may soon be making enough money spamming that he can ditch his day job and go join SPM in Thailand. Here’s a snippet from that chat:
ICQ 761474 (alias=Cosma): When we reach $6-7k a day, I will leave you alone….I will go to SPM in Thailand and will drink cognac with him all day long =)
REACH OUT AND SPAM SOMEONE
It’s not clear why SPM left SpamIt, but it may have been because his botnet got clobbered in a double-whammy. First, the takedown of cybercriminal hosting hub McColo kneecapped Srizbi for a few weeks because all of its control servers were hosted there. Srizbi briefly recovered in Feb. 2009, only to be hammered again by Microsoft, which pushed out an update to its malicious software removal tool that uninstalled Srizbi from Windows PCs.
There is a year-long gap in the chat records between Stupin and SPM during 2009. When SPM does turn up again early 2010, it’s to pitch an ambitious scheme to spam mobile phones with text message ads for SpamIt’s rogue pharmacies.
The following chat was recorded on Jan. 24, 2010, roughly 9 months before SpamIt’s demise:
ICQ: 635635 alias “Namaste”: Hi. This is SPM. What’s new in the community?
Stupin: Nothing new. Everything repeats itself.
SPM: That’s the law of life. How’s business?
SPM: Am I interrupting something? I can knock later if I am.
Stupin: No, you are not interrupting. Business is going fine. It’s going and growing.
SPM: There are a couple of ideas to discuss. Idea 1) In short – I can do SMS spam. It is serious, many and fast. I believe the friends of ours told you about that already.
SPM: Maybe not.
Stupin: I am very happy for you.
SPM: In other words, you are not interested in using SMS for SpamIt spam?
Stupin: Well, I have not really heard an offer from you.
SPM: Well, we can produce an offering together. I do not have a finished offer yet. Simply, there is a way to send SMS spam, that’s it. Any text. Speed is about 100 SMS per second. Any provider. Inbox delivery – 80%, but outcome cannot be predicted by anyone, since, as far as I know nobody has been doing SMS spam yet.
Stupin: Well, go get our URLs and try.
SPM: We’ll need a version of your shops adapted for smartphones. With limited graphics.
Stupin: They are adapted automatically, using User-Agent.
SPM: Give me any link, and I will check on the phone.
SPM: Do you have stats of connections to shops from smartphones?
Stupin: Yes, a small percent from overall traffic.
SPM: What kind of phones? Do you have this information?
Stupin: No surprises…iPhones, and Blackberry
SPM: How about Nokias?
Stupin: Very few.
SPM: Inconvenience that URL should be entered manually, but on the other hand – Inbox 80%….
Stupin: Databases are not targeted also, as far as I understand.
SPM: Surely, but on the other hand, there is a possibility to spam the entire provider’s space.
Stupin: Ask some hackers to give you a phone listing generated from an on-line pharmacy.
SPM: I thought about it. Is my account still alive? I forgot my password.
Stupin: Tell us login and which new password you want us to set.
SPM: Does your pharmacy serve Russia?
SPM: Pity. Our providers are very easy to harvest. All three of them.
Stupin: Password is done.
Stupin: Tell us if everything is okay.
SPM: Everything is okay. My GOD, there is even some money there Will you send to my WM?
Stupin: Yes. Let support know, if you need domains, we can leave one theme for smartphones, similar to what we have here: http://www.medshop.mobi
Tags: Cosma, Cutwail, Dmitry "Saintd" Stupin, Elphisoft, gameprom.com, google, ICQ 360000, Igor Gusev, Joe Stewart, LinkedIn.com, mccolo, email@example.com, nenastnyj, firstname.lastname@example.org, Pharma Wars, Philipp Pogosov, Reactor Mailer, reactor2.com, reactormailer.com, Ron Paul, Rustock, secureworks, SigmaZ, Spamit, SPM, Vladie, email@example.com, firstname.lastname@example.org, Xakep.ru