August 6, 2012

In January of this year, I published the results of an investigation into the identity of the man behind the once-infamous Srizbi spam botnet. Today’s post looks at an individual likely involved in running the now-defunct Xarvester botnet, a spam machine that experts say appeared shortly after Srizbi went offline and shared remarkably similar traits.

In this screenshot from Spamdot.biz, Ronnie chats with “Tarelka,” the Spamdot nickname used by the Rustock botmaster. The two are discussing an M86 report on the world’s top botnets.

Srizbi was also known in the underground as “Reactor Mailer,” and customers could register to spam from the crime machine by logging into accounts at reactormailer.com. That domain was registered to a mserver@mail.ru, an address that my reporting indicates was used by a Philipp Pogosov. More commonly known by his nickname SPM, Pogosov was a top moneymaker for SpamIt, a rogue online pharmacy affiliate program that was responsible for a huge percentage of junk email over the past half-decade.

When reactormailer.com was shuttered, Srizbi customers were instructed to log in at a new domain, reactor2.com. Historic WHOIS records show reactor2.com was registered by someone using the email address ronnich@gmail.com. As I wrote in January, leaked SpamIt affiliate records show that the ronnich@gmail.com address was used by a SpamIt affiliate named Ronnie who was referred to the program by SPM.

The Srizbi botnet would emerge as perhaps the most important casualty of the McColo takedown at the end of 2008. At the time, all of the servers used to control the giant botnet were hosted at McColo, a crime-friendly hosting facility in Northern California. When McColo’s upstream providers pulled the plug on it, that was the beginning of the end for Srizbi. SPM called it quits on spamming, and went off to focus on his online gaming company.

But according to a report released in January 2009 by Trustwave’s M86 Security called Xarvester: The New Srizbi, Xarvester (pronounced “harvester”) was a pharmacy spam machine tied to SpamIt that emerged at about the same time that Srizbi disappeared, and was very similar in design and operation. It appears that SPM may have handed control over his botnet to Ronnie before leaving the spamming scene.

Several key clues support a strong connection between the SpamIt affiliate Ronnie and Xarvester. For four months in 2010, researchers from the University of California, San Diego observed the top spam botnets, running samples of them in a controlled lab environment and recording which pharmacy affiliate programs were being promoted by the spam being sent through them. That research was published in an unparalleled research paper called Click Trajectories (PDF).

I asked the UCSD researchers to look back at their bot data from that period and tell me if they saw any clues about who or what spammers or spam affiliate programs may have been profiting from junk email sent by the Xarvester botnet. The researchers found several examples of spam coming from Xarvester that promoted pill sites tied to SpamIt; each of those sites that they saw promoted via Xarvester included an affiliate ID that was assigned to SpamIt affiliate Ronnie.

Unlike his mentor SPM, Ronnie appears to have been quite careful in protecting his identity. Ronnie had at least three separate affiliate accounts at SpamIt registered to his email address, and each of those accounts was paid commissions via separate accounts at WebMoney, a virtual currency that is quite popular in Russia and Eastern Europe. Frustratingly, all of the identity information tied to those WebMoney accounts is clearly fake (or at least registered to the English equivalent of “John Smith”).

But Ronnie did leave behind two clues that may offer more information about who he is. He was very active on Spamdot.biz, an exclusive underground forum owned and operated by the guys who ran the SpamIt pharmacy affiliate program. KrebsOnSecurity long ago obtained a copy of this forum, and that data shows that Ronnie’s signature always included an ad for his personal Web site — rtools.biz — an active site that sells software for maintaining large email lists. The HTML source for rtoolz.biz shows that it was registered with Google using a Google Analytics code UA-25462922-1. Unfortunately, that UA code does not appear on any other sites that I could find.

There was one other clue I thought was interesting enough to mention. Ronnie used several email addresses, but the one he used for the longest period of time was xamp@mail.ru. Turns out, this email address was used in 2008 to register the domain sulab.ru, which is an electronics and integrated software company based in Gatchina, Russia, a town situated about 28 miles south of St. Petersburg. The site was active until a few weeks ago, when I emailed the owner. Anyway, sulab.ru stands for “S. Yu Lab Ltd.” The phone number listed as a contact on sulab.ru was 8 (812)-951-20-91. According to several directories, the owner of that company is a person by the name Semyon Yurievitch Rzhevsky (Семен Юрьевич Ржевский), from Gatchina, Russia.


22 thoughts on “Harvesting Data on the Xarvester Botmaster”

  1. Alvin Moof, Sydney

    What do you do? Why do you public a private information without any evidences?
    Brian, you are crazy. Sorry

    1. oleg

      without any evidences? seems like he presented the evidence pretty clearly. but what private information are you claiming he outed?

      1. Alvin Moof, Sydney

        It can be false information of innocent people(enemy,competitors) especially made for researches.

  2. Nobody

    Whoever fights monsters…
    People are innocent until proven guilty, great job exposing random names for mob law!

  3. Ole Bin Login

    moof,
    researches does not sound aussie to me are you sure you're in sydney?

    ole.

  4. whocares

    Brian,

    I agree with first poster.
    dropping full names from shallow evidence is so wrong.

    Maybe those sites/email accounts were registered with forged info.
    Are you certain they were not ?

    I like your work a lot but this looks irresponsible.

  5. Vacielli

    It sounds to me like Brian did his homework on this one, I say more power to you Mr.Krebs, Never once did Brian accuse this man of anything, he simply pointed out some interesting facts, and led you to decide for yourself.

    I like your website, keep on keeping on.

  6. Vacielli

    Also forgot to mention, Make sure you’re snipping out the login name you use for these websites, you didn’t show it here but in 2 of your previous blog posts I was able to see your login name for a certain underground website.

    Regards

  7. Sam

    From the comments above I would say you are spot on. Commence DDOS in 5…4… 🙂

    1. na

      One of these days Brian is going to accuse the ‘wrong’ (rather probably right) person and will learn his lesson. Until then I doubt any comments are going to dissuade him from speculating on bot-masters…

      I might add that SpamIt & SpamDot have been long gone, these latest articles on the subject are akin to beating a horse that died a few years ago and has since decayed into dust. They have been replaced with new CyberCrime venues.

      Anyone who was in the business knows ‘Spam’ is a dying field. I’m surprised Brian doesn’t report on the newer threats. For example ‘Lockers’ are all the rage, even more than Zeusish threats used for Banking theft.

      1. Brian Krebs

        Hey Na, SpamIt sure is gone, but what makes you so confident Spamdot went away? It’s clear you don’t really know what you’re talking about because it hasn’t. They just changed the name and the domain.

        The same guys are all still there, selling each other installs and bots and FTP services and lists and all the tools of the trade. Including most of the botmasters I’ve written about in this series.

        I happen to agree that the spam business is dying (you sound like you’re speaking from experience). But does that mean we should just give a free pass to the people who inflicted this crud on the rest of the world year after year?

        1. na

          Brain, thanks for the reply. I swear I did say ‘Replaced’, I assumed you would get the double meaning (replaced literally with a new domain, replaced Criminal wise with new Venues.) Yes I would consider myself mildly experienced in the area. I might add I am curious as to why you are choosing certain targets for example this bot-master verse others since it isn’t like the whole DB of the old forum was leaked. Any comments on that subject?

          1. BrianKrebs Post author

            “I might add I am curious as to why you are choosing certain targets for example this bot-master verse others since it isn’t like the whole DB of the old forum was leaked.”

            Sure it was. I have the entire SpamIt customer and affiliate database, and the entire SpamDot forum. As for what I have on more recent forums and programs, I’ll leave that to your imagination.

            1. na

              Oh come now Brain, that was a sarcastic “its not like the whole forum db was leaked”. I’m well aware it is, btw you got a new account on dk yet?

              1. na

                Hence my question since you have the whole DB, what has driven you to choose these specific targets verse the rest!

                1. BrianKrebs Post author

                  I’ve been focusing on individuals who either ran and developed large spam botnets or had a hand in operating parts of them. So far, I’ve done that with most of the present and past major spam bots, including Cutwail, Grum, Rustock, Srizbi, Festi, Bredolab, Mega-D ZeuS, and Waledac.

                  http://krebsonsecurity.com/category/pharma-wars/

      2. Neej

        >>For example ‘Lockers’ are all the rage, even more than Zeusish threats used for Banking theft.

        If you’re referring to content lockers you are an idiot.

        The user is clearly informed that they must complete an action to access content. The action may or may not involve giving personal information that could be used for criminal activity (for example mobile phone numbers, name, email and address). As it happens many large and established brands (Unilever, GSK for example) gather information using this method but of course I cannot speak for all content locker … vendors(? – can’t think of the right word)

        Compare that to Zeus: software is installed without users’ knowledge which is then used to steal money from them.

        1. na

          neej, I would remind you that these are open comments and you have no idea who you could be speaking to. A grain of salt might be wise before you go off on someone especially if you are mistaken. ‘Lockers’ as I mentioned has NOTHING to do with mobile phones or anything you mentioned in the reply. This leads me to believe you are not only belligerent but also do not know what you are talking about.

          Many examples of ‘Lockers’ can be found on botcrawl (dot) com on the /Malware/ Blog

          ‘Lockers’ are a term that refers generically to some sort of ransomware that ‘locks’ a user’s PC requiring a payment through a money processing system before the computer can be used again.

          In the past mostly EU countries have been targeted with these attacks via Ukask or Paysafe. However, in the last month or so there has been a significant uptake in the attacks on US citizens — in this case MoneyPak is the favored payment system.

          Normally lockers tend to purposely AVOID infecting PCs in the USA, however this is no longer the case…

  8. Kathy

    Can anyone tell me about this spam attack?,adapter=A

  9. bob

    ‘ registered to the English equivalent of “John Smith” ‘

    ‘ Russian equivalent ‘, surely?
