January 5, 2012

The previous post in this series introduced the world to “Google,” an alias chosen by the hacker in charge of the Cutwail spam botnet. Google rented his crime machine to members of SpamIt, an organization that paid spammers to promote rogue Internet pharmacy sites. This made Google a top dog, but also a primary target of rival botmasters selling software to SpamIt, particularly the hacker known as “SPM,” the brains behind the infamous Srizbi botnet.

Today’s Pharma Wars entry highlights that turf battle, and features newly discovered clues about the possible identity of the Srizbi botmaster, including his whereabouts and current occupation.

Reactor Mailer Terms of Service, 2005

Srizbi burst onto the malware scene in early 2007, infecting hundreds of thousands of Microsoft Windows computers via exploit kits stitched into hacked and malicious Web sites. SpamIt members could rent access to the collection of hacked machines via a piece of spamware that had been around since 2004, known as “Reactor Mailer.”

This page from archive.org (pictured at right) is a Feb. 2005 snapshot of the terms of service for the Reactor Mailer service, explaining how it worked and its pricing structure. The document is signed by “SPM,” who claims to be the CEO of a company called Elphisoft. He asks customers and would-be clients to contact him via ICQ instant message ID 360000 (the importance of this number will be apparent later in the story).

That same ICQ number features prominently in dozens of chat logs that apparently belonged to SpamIt co-administrator Dmitry “Saintd” Stupin. The logs were leaked online last year after Russian investigators questioned Stupin as part of an investigation into Igor Gusev, the alleged other co-founder of SpamIt. Facing criminal charges for his alleged part in SpamIt, Gusev chose to shutter the program October 2010, but not before its affiliate database was stolen and also leaked online.

BOTMASTER BATTLE

SPM is introduced to SpamIt in May 2007, when he joins the program with the hopes of becoming the default spam software provider for the pharmacy affiliate program. The chats translated and recorded at this link show SPM’s early communications with SpamIt, in which he brings on board several other affiliates who will help develop and maintain his Reactor/Srizbi botnet.

Very soon after joining SpamIt, SPM identifies Google — the Cutwail botmaster — as his main competitor, and sets off to undermine Google and to become the default spam software provider to SpamIt.

The following is from a chat between SPM and Stupin, recorded Oct. 9, 2007, in which SPM argues that he should be the primary spam software seller for SpamIt, and that his software’s logo should be embedded in the SpamIt banner at the organization’s closely-guarded online user forum.

ICQ 360000 (alias “SPM”): I want my logo to be next to yours on the forum.

Stupin: Understood.

SPM: Let’s decide.

Stupin: We can think of something.

SPM: Let’s do it. Fakir suggests that I start recommending your partnerka to my clients. I am not against that.

SPM: But I want to have the status of official software for spamdot. It will come to it, since majority of moderators on the forum are with me already.

Stupin: We can think of something like this – we are placing your logo with ours, in return you add our logo to your software, like you are recommending us.

SPM: Not a problem. I am leaving to draw the logo.

SPM: Give me a piece of the header, and I will draw right on it. I mean the header for the forum.

Stupin: Wait, it cannot be decided that fast, I need to discuss it with my partner and simply think all of this over.

SPM: Fine. Let me know when you discuss it.

Stupin: Certainly.

SPM: Thanks in advance. And when you are discussing this matter with your partner, let him know, that SPM’s plan is to become the ONLY system on the market, and I stay by my words 🙂

Stupin: Google is saying the same thing 🙂

SPM: Google is no match, believe me. I’ve already destroyed one competitive system on the market. So I have the experience 🙂

SPM: Google offered me a bribe for my going out of business 🙂 That’s his method :))

Stupin: Honestly, it’s more pleasurable to deal with you than with him.

SPM: I was surprised that someone is competing with me on spam soft market. On the other hand, competition is always a good thing. So I am not against it. 🙂

The exchange above is part of a much longer conversation thread that is translated and reproduced in its entirety at this link. It recounts how SpamIt administrators debated and ultimately acquiesced to SPM’s demands, and how they later distanced themselves from Srizbi when security researchers turned up the heat on the criminal operation.

WHO IS SPM?

Clues about the identity and location of SPM are all over the SpamIt database and the chats. When SPM first registered with SpamIt in early 2007, he provided the email address mserver@mail.ru, and of course the ICQ address 360000. Early forum posts show that SPM rented his Reactor/Srizbi botnet to spammers who would log in to their accounts at reactormailer.com. The original Web site registration records for that domain list the same email address SPM provided to SpamIt: mserver@mail.ru.

When reactormailer.com was shuttered, SPM moved operations to www.reactor2.com, a domain originally registered to ronnich@gmail.com. SpamIt affiliate records show that a spammer who registered in 2007 with that same email address was a referral of SPM’s. Records also show that SPM referred at least two other affiliates, a “nenastnyj” who used the email address nenastnyj@gmail.com, and a programmer who used two accounts under separate nicknames, “Vladie” (volodyja@gmail.com) and “SigmaZ” (vlaman@gmail.com).

These names show up in an insightful analysis of Srizbi published in 2007 by Joe Stewart, senior security researcher at Atlanta-based SecureWorks. That report was prompted in part by a strange blast of spam sent via Srizbi that promoted the presidential candidacy of Texas Congressman Ron Paul.

Stewart wrote:

Reactor Mailer is the brainchild of a spammer who goes by the pseudonym “spm” He calls his company “Elphisoft,” and has even been interviewed about his operation by the Russian hacker website xakep.ru. He claims to hire some of the best coders in the CIS (Commonwealth of Independent States, the post-Soviet confederation) to write the software. This claim is probably true; by examining details in the source code, we were able to identify at least one of the principal coders of Reactor 3/Srizbi, a Ukrainian who goes by the nickname “vlaman.” Various postings by vlaman indicate he is proficient in C and assembler, and would certainly be capable of writing the Srizbi trojan.

Reactor Mailer operates with a software-as-a-service model. Spammers are given accounts on a Reactor server, and use a web-based interface to manage their spam tasks. In the case of the Ron Paul spam, there was only one account on the server in addition to spm, which was named “nenastnyj.”

So Stewart’s conclusions about SPM’s business associates seem to have been spot-on. But what about SPM? Some of the more promising leads come from the spam king himself. As Stewart noted, SPM gave an interview in Jan. 2007 with the storied Russian hacker magazine Xakep.ru, in which he discusses how his Reactor Mailer botnet — “wholly owned” by him but built with the help of “some of the best coders from the former Soviet Union” — had recently seized a quarter of the market for spam services. Early in the profile, SPM says he is the “owner of a company producing game software.”

The game company lead is the most tantalizing. Here’s why: Googling around for SPM’s ICQ — 360000 — I discovered that SPM has indeed been developing freeware games for many years. At freeware.ru, there are a number of games posted by a guy named Philipp Pogosov, who uses that same ICQ and the mserver@mail.ru address.

Things started really heating up when I located this thread from 2005 on the user forum of UCA Networks, an Internet service provider serving the Southwestern and Southern districts of Moscow. In it, a user named “spm” says he is selling his 2001 BMW 530ia. SPM tells interested buyers to contact him at ICQ 360000, and that pictures of the car are available at http://www.reactor2.com/bossmobile. Later in the thread, SPM tells a fellow forum member to send his resume to game@gameprom.com.

I had a look at Gameprom, which seems to be doing very well developing and selling video games for mobile devices. Russian incorporation records show that Gameprom was founded in 2004 and is owned by Philipp Pogosov. This is also the name on the domain registration records of gameprom.com. What is the email address used to register gameprom.com? You guessed it: mserver@mail.ru.
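The chain of links above (ICQ number to affiliate record, affiliate email to domain registrations, domain to forum post, forum post to company, company to name) is a standard identifier-pivoting exercise. The following Python is an added example, not code from the post or from any of the databases it cites: it rebuilds that chain over a handful of records constructed from identifiers quoted in the article, plus one constructed control record for the Cutwail botmaster with a placeholder ICQ value that is not on the page. It clusters records that share a selector, transitively, and reports which selectors did the linking, while refusing to pivot on free-mail domains, which would otherwise connect unrelated people.

```python
"""Identifier pivoting over constructed OSINT records (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, Dict[str, str]]

# Column names that mean the same selector type under a different label.
CANON = {"referrer": "alias"}

# Free-mail providers: the domain part of such an address is a weak
# selector and must never be used as a pivot key (it would link everyone).
FREEMAIL = {"mail.ru", "gmail.com"}

# Constructed rows. Values are taken from identifiers the article quotes;
# the last record is a control with a placeholder ICQ that is NOT on the page.
RECORDS: List[Record] = [
    ("reactormailer.com ToS (archive.org, 2005)",
     {"icq": "360000", "alias": "spm", "company": "elphisoft"}),
    ("SpamIt affiliate record (2007)",
     {"alias": "spm", "email": "mserver@mail.ru", "icq": "360000"}),
    ("reactormailer.com domain registration",
     {"domain": "reactormailer.com", "email": "mserver@mail.ru"}),
    ("reactor2.com domain registration",
     {"domain": "reactor2.com", "email": "ronnich@gmail.com"}),
    ("SpamIt affiliate record, referral of SPM",
     {"email": "ronnich@gmail.com", "referrer": "spm"}),
    ("freeware.ru game listings",
     {"name": "philipp pogosov", "icq": "360000", "email": "mserver@mail.ru"}),
    ("UCA Networks forum thread (2005)",
     {"alias": "spm", "icq": "360000", "domain": "reactor2.com",
      "email": "game@gameprom.com"}),
    ("gameprom.com domain registration",
     {"domain": "gameprom.com", "name": "philipp pogosov",
      "email": "mserver@mail.ru"}),
    ("Cutwail botmaster record (constructed control)",
     {"alias": "google", "icq": "PLACEHOLDER-not-on-page"}),
]


def selectors(attrs: Dict[str, str]) -> Set[str]:
    """Normalise one record's attributes into pivot keys of the form 'type:value'."""
    keys: Set[str] = set()
    for typ, val in attrs.items():
        typ = CANON.get(typ, typ)
        val = val.strip().lower()
        keys.add(f"{typ}:{val}")
        # An address at a non-free-mail domain also pivots on that domain
        # (game@gameprom.com -> domain:gameprom.com); gmail/mail.ru do not.
        if typ == "email":
            dom = val.rsplit("@", 1)[-1]
            if dom not in FREEMAIL:
                keys.add(f"domain:{dom}")
    return keys


class UnionFind:
    """Minimal disjoint-set forest with path halving."""

    def __init__(self, n: int) -> None:
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        self.parent[self.find(a)] = self.find(b)


def cluster_records(records: List[Record]) -> List[dict]:
    """Group records that share at least one pivot key, transitively.

    Returns clusters (largest first); each has the member source names and the
    selectors present in two or more of its records, i.e. the evidence chain.
    """
    uf = UnionFind(len(records))
    owner: Dict[str, int] = {}            # selector -> first record carrying it
    seen_by: Dict[str, Set[int]] = defaultdict(set)
    for i, (_, attrs) in enumerate(records):
        for key in selectors(attrs):
            seen_by[key].add(i)
            if key in owner:
                uf.union(i, owner[key])
            else:
                owner[key] = i
    groups: Dict[int, Set[int]] = defaultdict(set)
    for i in range(len(records)):
        groups[uf.find(i)].add(i)
    out = []
    for members in groups.values():
        shared = sorted(k for k, idx in seen_by.items() if len(idx & members) >= 2)
        out.append({"sources": sorted(records[i][0] for i in members),
                    "shared": shared})
    return sorted(out, key=lambda c: -len(c["sources"]))


def cluster_of(clusters: List[dict], source: str) -> dict:
    """Return the cluster that contains the named source record."""
    for c in clusters:
        if source in c["sources"]:
            return c
    raise KeyError(source)


if __name__ == "__main__":
    for c in cluster_records(RECORDS):
        print(len(c["sources"]), "records linked by", c["shared"] or "nothing")
        for s in c["sources"]:
            print("   ", s)
```

Every link in the output is attributable to a specific shared selector, which is what makes the chain reviewable; the control record stays in a cluster of its own because nothing pivots on it. Alias-only links (two records that share only `alias:spm`) are the weakest kind and are the ones to re-check by hand before drawing a conclusion.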

I made several unsuccessful attempts to contact Mr. Pogosov. Gameprom did not respond to requests for comment. Having no luck with email, I turned to social networking sites. LinkedIn.com includes 19 users who list their current or former employer as Gameprom, including a “Philipp P.” who is listed as the company’s owner. My attempts at convincing two of my mutual LinkedIn.com connections to introduce me to Pogosov failed, but I did learn one interesting thing from his LinkedIn profile: He is apparently based in Thailand.

If Pogosov really is SPM, then it seems he has resided in Thailand for several years. Earlier in my Pharma Wars series, I detailed the activities of Cosma — the top SpamIt affiliate who appears to have been responsible for a botnet that competed directly with SPM’s: Rustock. In a chat between Cosma and Stupin on Oct. 1, 2008, Cosma jokes that he may soon be making enough money spamming that he can ditch his day job and go join SPM in Thailand. Here’s a snippet from that chat:

ICQ 761474 (alias=Cosma): When we reach $6-7k a day, I will leave you alone… I will go to SPM in Thailand and will drink cognac with him all day long =)

REACH OUT AND SPAM SOMEONE

It’s not clear why SPM left SpamIt, but it may have been because his botnet got clobbered in a double-whammy. First, the takedown of cybercriminal hosting hub McColo kneecapped Srizbi for a few weeks because all of its control servers were hosted there. Srizbi briefly recovered in Feb. 2009, only to be hammered again by Microsoft, which pushed out an update to its malicious software removal tool that uninstalled Srizbi from Windows PCs.

There is a year-long gap in the chat records between Stupin and SPM during 2009. When SPM does turn up again, in early 2010, it’s to pitch an ambitious scheme to spam mobile phones with text message ads for SpamIt’s rogue pharmacies.

The following chat was recorded on Jan. 24, 2010, roughly 9 months before SpamIt’s demise:

ICQ: 635635 alias “Namaste”: Hi. This is SPM. What’s new in the community?

Stupin: Nothing new. Everything repeats itself. 🙂

SPM: That’s the law of life. 🙂 How’s business?

SPM: Am I interrupting something? I can knock later if I am.

Stupin: No, you are not interrupting. Business is going fine. It’s going and growing.

SPM: There are a couple of ideas to discuss. Idea 1) In short – I can do SMS spam. It is serious, many and fast. I believe the friends of ours told you about that already.

SPM: Maybe not.

Stupin: I am very happy for you. 🙂

SPM: In other words, you are not interested in using SMS for SpamIt spam?

Stupin: Well, I have not really heard an offer from you. 🙂

SPM: Well, we can produce an offering together. I do not have a finished offer yet. Simply, there is a way to send SMS spam, that’s it. Any text. Speed is about 100 SMS per second. Any provider. Inbox delivery – 80%, but outcome cannot be predicted by anyone, since, as far as I know nobody has been doing SMS spam yet.

Stupin: Well, go get our URLs and try.

SPM: We’ll need a version of your shops adapted for smartphones. With limited graphics.

Stupin: They are adapted automatically, using User-Agent.

SPM: Give me any link, and I will check on the phone.

Stupin: http://canadian-medshop.com

SPM: Do you have stats of connections to shops from smartphones?

Stupin: Yes, a small percent from overall traffic.

SPM: What kind of phones? Do you have this information?

Stupin: No surprises…iPhones, and Blackberry

SPM: How about Nokias?

Stupin: Very few.

SPM: Inconvenience that URL should be entered manually, but on the other hand – Inbox 80%….

Stupin: Databases are not targeted also, as far as I understand.

SPM: Surely, but on the other hand, there is a possibility to spam the entire provider’s space.

Stupin: Ask some hackers to give you a phone listing generated from an on-line pharmacy.

SPM: I thought about it. Is my account still alive? I forgot my password.

Stupin: Tell us login and which new password you want us to set.

SPM: spam101

Stupin: Okay.

SPM: Does your pharmacy serve Russia?

Stupin: No.

SPM: Pity. 🙂 Our providers are very easy to harvest. All three of them.

Stupin: Password is done.

Stupin: Tell us if everything is okay.

SPM: Everything is okay. My GOD, there is even some money there 🙂 Will you send to my WM?

Stupin: Yes. Let support know, if you need domains, we can leave one theme for smartphones, similar to what we have here: http://www.medshop.mobi


26 thoughts on “Pharma Wars: Mr. Srizbi vs. Mr. Cutwail”

  1. dave

    Great reading. Just a little note in regards to SPM selling his BMW: “this thread from 2005…. selling his 2011 BMW 530ia”. Is it a 2001 BMW? Since the forum post is from 2005 he can’t really be selling a car from 2011.

      1. MIchelle

        Thanks Brian for taking the time to share with us who learn from you all the time! I appreciate you taking the time to educate me. I am very grateful!

    1. grumpy

      Well, his other car *could* be a DeLorean with extras… 🙂

  2. furoner

    First of all, congrats for all your hard work. I love reading your stories and research.

    On a side note, I just want to say that it’s kind of difficult to understand how these guys, who are obviously highly intelligent and talented (otherwise they wouldn’t be able to get such botnets up and running), can be so unaware of things like using the same detail contacts (e-mail, icq) and letting them be associated with their own real names.

    Either they never started thinking they would go into the underground at all, or they just relaxed when they were on top thinking they were untouchable.

    In any way, I find it a bit astonishing…

    1. Fil0s0v

      There are only so many e-mail addresses, ICQ numbers, IM accounts and so forth a person can have before the situation becomes unmanageable. One day, somewhere, somehow a person will make mistake using wrong ICQ or wrong e-mail and the secrecy will be broken. Then, it’s just a matter of time before the unforgiving search and cache engines will capture that trace forever.

    2. bob

      If you hang out on any non-serious forum, sooner or later, people start registering characters / sock puppets / fake accounts / insert-appropriate-terminology-here. If they use these regularly, then, sooner or later, they use the wrong account in the wrong place thus blowing their cover. The stakes might be higher for someone doing something illegal but it’s amazing how quickly paranoia fades with familiarity.

  3. stikerz

    I’m guessing the reason for the easy to follow account paper trail is due to the fact initially people were lax in dealing with spammers, that and the longer you get away with something the more likely you are to believe you are never going to get caught.

  4. BrianKrebs Post author

    The irony here is too much. The last link in the story, is to a mobile version of Canadian Pharmacy sites that IS STILL LIVE. Also, I’ve had to delete way more than the usual number of spammy comments on this post.

  5. Leo

    Hello Brian,
    why are you not writing anything about Vrublevsky? He was released from jail on December 23rd of 2011 without a bail?

  6. Drew

    Hmm… It beats me that the “video games for mobile devices” perfectly match with “there is a way to send SMS spam, that’s it. Any text. Speed is about 100 SMS per second.”

    Can anyone make an analysis of those games if there are some “hidden features” in them?

    1. Fil0s0v

      Totally agree with Drew on this one. I would think twice before installing software made by Pogosov’s company on my mobile devices.

  7. AlphaCentauri

    My impression from comments I’ve seen from various Russian pharma spammers is that they try to pretend they are operating within the law in Russia (because they don’t sell to Russian customers and because they pay off all the important people), and that they believe they are therefore legitimate businessmen. They are often quite open about what they’re doing. They seem to consider writing in Russian on public internet forums to be sufficient encryption. They never thought the rules would change. SPM may not even have thought there was much need to worry about associating his established ICQ number with Spamit or Srizbi at the time he started doing it, and now it’s too late.

    1. russian guy

      ‘they try to pretend they are operating within the law in Russia’ – in fact, the only thing in their activity which is against the Russian law is the use of botnets. And it’s difficult to prove. So they do not even have to pay someone. The only two investigations were against Vrublevsky and Gusev, who started those ‘wars’ and have paid to jail each other.

      1. AlphaCentauri

        True, difficult to prove until someone confiscates your friend’s computer in customs and can read all his chat logs. But the point both of us are making is that the carelessness about their identities wasn’t the result of stupidity, but rather a result of the belief that it was perfectly safe to be so open.

        1. russian guy

          You mean Stupin’s logs? The story about customs is a fake. Those logs leaked from a Despmedia office desktop PC which was taken for an expertise by police.

          1. american guy

            No, it is not the truth.
            Stupin gave his notebook (with encryption password) and phone to police himself.
            His own ass is much more important than the people who worked with him before. I think a lot of these people want to talk with this woodpecker :-).

          2. AlphaCentauri

            It doesn’t matter how they got it. Very few people store things on their personal computers in ways that would prevent the police from retrieving the data if they had the computer and unlimited time to work on it. Even fewer people can be sure that there is nothing incriminating about them on anyone else’s computer.

            1. russian guy

              I agree with you. My point is that here in Russia, if you do such things quietly, nobody cares. Vrublevsky and Gusev made huge efforts and paid a lot for criminal cases against each other. Without their wars no one would have known about them.

              1. AlphaCentauri

                I think it was only a matter of time. As Russia becomes increasingly capitalist, the people behind the scenes who are looking to make money in international business are going to lose patience with the petty thieves who have landed Russian IP ranges on block lists. Gusev et al are costing Russian companies a lot of money and harming the reputation of Russian businesses. Why should Russia be known for scam pharmacies but not for developing new pharmaceutical products? Why should it settle for selling counterfeit versions of Western products rather than promoting its own designer brands?

  8. Fil0s0v

    It’s going to be a while until Russia starts producing something worth selling on international markets. Russia has almost nothing now besides natural resources and smart people who want to make money. If they do not leave Russia to work legitimately, they find other ways, including Internet-based fraud. Sometimes I think it is going to be cheaper for the West to hire those people out before they do something and have to be placed in jails.

    1. AlphaCentauri

      I think it’s a question of will rather than capability. Russia has an incredible cultural history. And people in the West are intensely curious about it. So a Russian fashion designer could certainly draw on that history to create new designs that would be very successful.

      The scammers at GlavMed/GlavTorg claim to be doing their own contracting with manufacturers in China. They even brag to their affiliates about the quality of their counterfeit products: forum.glavmed.com/showthread.php?t=5977 .

      If even a fraction of their claims are true, they ought to be capable of mentoring Russian designers through the process of manufacturing original goods and marketing them honestly. They just need to stop aping the west and act like they’re proud to be Russian.
