Comments on: Inside the Grum Botnet

By: oleg

oleg — Wed, 22 Aug 2012 16:19:30 +0000

hah! you know it’s close to home when the nit-picking starts. “download” versus “load?” seriously? and yes i’m sure your right that this spamer has such a deep grasp of greek mythology! why then was his password not megaera? do you know the guy? are you speaking from experience? tell us more plz.

By: HexView

HexView — Wed, 22 Aug 2012 15:51:59 +0000

Krebs, you are becoming a real publicity wh##re. You may want to validate/confirm your conclusions next time.

“Zagruzka Systems” here means “System Load”.

Megera has nothing to do with Gera, it most likeky refers to Megaera
http://en.wikipedia.org/wiki/Megaera

By: john

john — Tue, 21 Aug 2012 08:21:12 +0000

It probably just checks if a domain/ip has been blacklisted.
Maybe it replaces such blacklisted resources as backup ones as well.

By: Uzzi

Uzzi — Tue, 21 Aug 2012 01:14:26 +0000

.oO(Some servants do serve more than one master…)

By: spamislame

spamislame — Mon, 20 Aug 2012 21:44:27 +0000

I can. In some of the biggest prosecutions of career pill spammers, notably that of Chris “Rizler” Smith, the affiliates attracted repeat business from people who were clearly addicted to things like Oxycontin or other highly addictive painkillers. These were all people who had been cut off from any further prescriptions, or who had no insurance, who were desperate to gain access to more of these pills.

These scumbags have a habit of targeting these kinds of people, and further they also attract people who are un-insurable under the US system.

If US health insurance were to be less restrictive than it is now (pre-existing conditions, etc.), pill spammers would see a significant drop in business. Residents of the UK and Canada, which have socialized medicine, rarely have a need to purchase these kinds of pills (although yes, doctors will still restrict how many refills on a prescription will be available to a patient.)

SiL

By: Dan Herrmann

Dan Herrmann — Mon, 20 Aug 2012 20:55:00 +0000

Fantastic article!

(Can you believe 1.3 million suckers actually ordered from those “pharmacies”?)

By: Neej

Neej — Mon, 20 Aug 2012 17:08:04 +0000

“one in every six spams delivered worldwide, and capable of blasting 18 billion spam emails per day.”

“large email address lists — more than 350 GB”

“more than 2.3 billion addresses”

They/He wasn’t doing things by halves was he ROFL

I make my daily bread through internet marketing and it’s pretty much an open secret that many supposedly reputable affiliate partners, both networks and vendors themselves, will tolerate non-compliant email traffic. Often with the full knowledge and cooperation of the affilate manager.

I’m not talking only fly-by-night operators either but rather some of the largest names in the business. Traffic that converts is a win/win for both parties are making money so you know … it happens. It should be noted that AFAIK most partners will NOT be happy with email campaigns that have no opt-out (even if they will allow unsolicited email to generate leads) and expect suppression lists to be applied and adhered to.

Most marketers operating along these guidelines will hire several VPS servers in Eastern EU, Asia and the Middle East that will ignore complaints – at least for a time – and use corporate solutions such as Interspire Email Marketer for example.

They also use fairly well known tactics to minimise honeypots and people marking addresses as spam such as sending out a blast of innocent enough messages. “Hi, I’ll be in town we should meet – Bob” or the like.

Anyhow, the point of this rambling (sorry) post is it seems to be far more profitable to market legitimate products this way – dating sites leads that involve a free signup for example – than counterfeit pills and Rolexes if you look at the numbers of messages being sent. I mean these small time blackhatters are not sending hundreds of thousands of messages per day let alone *billions*(!) and yet a few grand a day isn’t uncommon.

Why do you think these criminals only spam pills mainly? They just can’t being themselves to sell anything legal?

By: BrianKrebs

BrianKrebs — Mon, 20 Aug 2012 17:07:47 +0000

I tried to avoid getting too clicky with the buttons. But now that you mention it, hey I wonder what this button here do

By: Nic

Nic — Mon, 20 Aug 2012 15:29:45 +0000

Wow… the kind of news you won’t find anywhere else!

I’m curious about the “Ban Control” feature which has SpamhousePBL (sic) and a few others listed. What happens when those links are clicked? I could guess, but guessing isn’t worth much.

By: BrianKrebs

BrianKrebs — Mon, 20 Aug 2012 14:13:53 +0000

Nice! Hey, that’s my site’s IP address at Prolexic! Cool.

Although, this would not be the first time, I guess.

From this piece:

http://krebsonsecurity.com/2012/07/top-spam-botnet-grum-unplugged/

Very soon after my investigative piece on Grum was published, KrebsOnSecurity.com was the target of a rather large distributed denial of service (DDoS) attack. I’ve recently learned that the attack was launched by the Grum botnet, suggesting that the findings were a little too close to home for the Grum botmaster(s).

Brett Stone-Gross, a senior security researcher for Atlanta-based Dell SecureWorks, analyzed a copy of the Grum malware from that time and found that it was instructing all infected systems to visit 94.228.133.163 (the IP address for krebsonsecurity.com). The nonexistent filename that the Grum bots were told to fetch from my site was “fuckingyou^^/9590899.php”.