On the FireEye blog we have talked a lot about Botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these Botnets. Who are these puppet masters, and what is their business model? How do they work, and who are their customers?
There are many questions but the answers are scarce. In this post I will try to answer some of them which often pop up in my mind as well.
It’s no secret that most of the SPAM Botnets originate in Russia and are controlled by Russian cyber-criminals. Why should I believe this to be the case? Srizbi’s recent comeback gave me some valuable hints that confirm the industry suspicion. Here is one email sent by Srizbi that day:
From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
  charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
.. ….. ….. ……….. ….. ………. ….. ……. - http://advert1.ru
The only thing that I could understand out of this whole email was a link to advert1.ru. I have talked about it in my previous post as well.
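The subject line of that message is an RFC 2047 encoded word: "B" means base64, and the charset label says the decoded bytes are KOI8-R, which is why it is unreadable in the raw message. As an added example that is not part of the original post, the following Python script parses the sample with the standard library, decodes the subject, and pulls out the link and hostname an analyst would pivot on next. The headers are the ones quoted above; the body text was not reproduced in the post, so the body here is a constructed placeholder that keeps only the surviving advert1.ru link.

```python
"""Parse a raw spam sample and decode its RFC 2047 / KOI8-R subject."""
import email
import re
from email.header import decode_header
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample: the headers are those of the Srizbi message quoted in
# the post. The body text was not reproduced there, so the placeholder body
# keeps only the dots and the advert1.ru link that did survive.
RAW_SAMPLE = b"""From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
  charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ..... ..... ........... ..... - http://advert1.ru
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_rfc2047(value):
    """Decode an RFC 2047 header value ("=?charset?B?...?=") to text.

    decode_header() yields (bytes, charset) chunks for encoded words and a
    single (str, None) when the header has no encoded words; both are handled.
    Spam frequently mislabels the charset, so an unknown label falls back to
    latin-1 instead of raising.
    """
    out = []
    for chunk, charset in decode_header(value or ""):
        if isinstance(chunk, bytes):
            try:
                out.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:  # charset label the codec registry does not know
                out.append(chunk.decode("latin-1"))
        else:
            out.append(chunk)
    return "".join(out)


def analyze(raw):
    """Return the header fields and links a triage analyst pivots on."""
    msg = email.message_from_bytes(raw)
    charset = msg.get_content_charset() or "ascii"
    # For a non-multipart text/plain part, get_payload(decode=True) undoes the
    # Content-Transfer-Encoding and returns raw bytes in the declared charset.
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    urls = URL_RE.findall(body)
    return {
        "sender": parseaddr(msg["From"]),
        "date": parsedate_to_datetime(msg["Date"]),
        "subject": decode_rfc2047(msg["Subject"]),
        "charset": charset,
        "mailer": msg.get("X-Mailer", ""),
        "urls": urls,
        # Hostnames are the pivot for the whois lookups that follow in the post.
        "domains": sorted({urlsplit(u).hostname for u in urls}),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_SAMPLE).items():
        print(f"{key:8}: {value}")
```

Decoded, the subject reads ‘Самая эффективная реклама’ (‘The most effective advertising’), which fits the advertising-services pitch on the linked site. The same routine works on any saved .eml file: read it as bytes and pass it to analyze().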
“This link was http://advert1.ru, which took me to a Russian web site. This web site revealed to me how these spammers get customers to sell their botnet spam. This web site was probably owned by the Srizbi gang or some front end guys and was trying to sell spam services/hosting……”
I thought this domain name could be a starting point for my investigation. Who owns this domain? My curiosity set in. The whois record lists the registrant as ‘Alexander S Kopylov’. The complete report can be seen here: http://whois.domaintools.com/advert1.ru.
The most interesting information in this report was that ‘Alexander S Kopylov’ also owns 94 other domains. What are these domains? domaintools.com was selling this information for $131. Had I purchased the report, it would have given me some valuable information about Mr. Kopylov and his business, but I decided to try my Google searching skills to find something for free, and I was successful. Here are some of the domains which I found to be registered to the same person:
http://1spam.ru
http://Abusehost.ru
http://Abuzhost.ru
http://aloincognito.ru
http://business-orders.ru
http://cammin.ru
http://compaq-hp-dv.ru
http://cpammagazin4.ru
http://Wmir.biz
http://Wreklama.ru
http://emailspam.ru
http://advert1.ru
One might look at the above screenshot and think "the whois record is simply faked", but if you examine the original web pages, you'll note that the phone number (located in Moscow) in the whois record and the phone number in the "contact_us.htm" file are the same.
All of these web sites are in Russian and can be read with Google Translate. The sites look very different in layout, but their purpose is the same… and they all offer the same great discounts:
1. SPAM email services
2. ICQ based SPAM
3. SPAM Hosting
4. Web design
Let me show some of the screen shots of these sites. It surprised me that by the time I went to write this article, only days after I did the research, I was unable to find even one of these domains resolving to an IP. I had been studying these web sites for the last week or so and all of them were fully alive during that time. I cannot say for sure what the reason for such a sudden shutdown might be.
The good thing is that I made a decision last week to save some of the pages offline from ‘advert1.ru’ and ‘emailspam.ru’. These pages are available for download below:
None of these domains are resolving at the moment, but readers can try to find some of the pages in Google Cache. Below are cached pages from http://Wreklama.ru. This web site is a little different in that its emphasis is on ICQ-based SPAM. Here are some of the screen shots:
The above information is good enough to show that these cyber-criminals are not a bunch of nerds sitting in some dark room developing these Botnets for fun. These are organized people running this as a sophisticated business.
All of the above-mentioned web sites were developed for a Russian audience, which suggests that Russia alone may be a big enough consumer market for spam services (at least for Mr. Alexander S Kopylov). Here is one link I extracted from some Srizbi SPAM emails which shows the type of people who actually pay these guys to promote their businesses:
http://standartraskrutka.ru (electronics related)
It’s a well known fact that only a handful of Botnets are responsible for the majority of worldwide SPAM. How hard would it be to shut down these Botnets by going after their controllers, given that these are professionally managed servers? I don't know if ‘Alexander S Kopylov’ is a real person or just a code name, but what I know for sure is that these guys own domains, purchase hosting, give out real phone numbers, and still remain untouchable. The reason for this is something for which I don’t have any answers yet; maybe someone else can solve this mystery.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM

I would point out that a lot of the botnet, spam and malware “businesses” are actually organized crime rings, and that many of these people are simply not being pursued or pro-actively hampered in their illegitimate operations. ROKSO was the first to place these people on the map and their boards, but no one really went after the criminals (with some exceptions) in the way they should have.
If you want this to stop - then you pursue the purveyors. If you don’t want it to stop - you let them continue to operate. Simple enough to understand - the real question is: why haven’t they been pursued?