In January of this year, I published the results of an investigation into the identity of the man behind the once-infamous Srizbi spam botnet. Today’s post looks at an individual likely involved in running the now-defunct Xarvester botnet, a spam machine that experts say appeared shortly after Srizbi went offline and shared remarkably similar traits.
Srizbi was also known in the underground as “Reactor Mailer,” and customers could register to spam from the crime machine by logging into accounts at reactormailer.com. That domain was registered to a [email protected], an address that my reporting indicates was used by a Philipp Pogosov. More commonly known by his nickname SPM, Pogosov was a top moneymaker for SpamIt, a rogue online pharmacy affiliate program that was responsible for a huge percentage of junk email over the past half-decade.
When reactormailer.com was shuttered, Srizbi customers were instructed to log in at a new domain, reactor2.com. Historic WHOIS records show reactor2.com was registered by someone using the email address [email protected]. As I wrote in January, leaked SpamIt affiliate records show that the [email protected] address was used by a SpamIt affiliate named Ronnie who was referred to the program by SPM.
The Srizbi botnet would emerge as perhaps the most important casualty of the McColo takedown at the end of 2008. At the time, all of the servers used to control the giant botnet were hosted at McColo, a crime-friendly hosting facility in Northern California. When McColo’s upstream providers pulled the plug on it, that was the beginning of the end for Srizbi. SPM called it quits on spamming, and went off to focus on his online gaming company.
But according a report released in January 2009 by Trustwave’s M86 Security called Xarvester: The New Srizbi, Xarvester (pronounced “harvester”) was a pharmacy spam machine tied to SpamIt that emerged at about the same time that Srizbi disappeared, and was very similar in design and operation. It appears that SPM may have handed control over his botnet to Ronnie before leaving the spamming scene.
Several key clues support a strong connection between the SpamIt affiliate Ronnie and Xarvester. For four months in 2010, researchers from the University of California, San Diego observed the top spam botnets, running samples of them in a controlled lab environment and recording which pharmacy affiliate programs were being promoted by the spam being sent through them. That research was published in an unparalleled research paper called Click Trajectories (PDF).
I asked the UCSD researchers to look back at their bot data from that period and tell me if they saw any clues about who or what spammers or spam affiliate programs may have been profiting from junk email sent by the Xarvester botnet. The researchers found several examples of spam coming from Xarvester that promoted pill sites tied to SpamIt; each of those sites that they saw promoted via Xarvester included an affiliate ID that was assigned to SpamIt affiliate Ronnie.
Unlike his mentor SPM, Ronnie appears to have been quite careful in protecting his identity. Ronnie had at least three separate affiliate accounts at SpamIt registered to his email address, and each of those accounts was paid commissions via separate accounts at WebMoney, a virtual currency that is quite popular in Russia and Eastern Europe. Frustratingly, all of the identity information tied to those WebMoney accounts is clearly fake (or at least registered to the English equivalent of “John Smith”).
But Ronnie did leave behind two clues that may offer more information about who he is. He was very active on Spamdot.biz, an exclusive underground forum owned and operated by the guys who ran the SpamIt pharmacy affiliate program. KrebsOnSecurity long ago obtained a copy of this forum, and that data shows that Ronnie’s signature always included an ad for his personal Web site — rtools.biz — an active site that sells software for maintaining large email lists. The HTML source for rtoolz.biz shows that it was registered with Google using a Google Analytics code UA-25462922-1. Unfortunately, that UA code does not appear on any other sites that I could find.
There was one other clue I thought was interesting enough to mention. Ronnie used several email addresses, but the one he used for the longest period of time was [email protected]. Turns out, this email address was used in 2008 to register the domain sulab.ru, which is an electronics and integrated software company based in Gatchina, Russia, a town situated about 28 miles south of St. Petersburg. The site was active until a few weeks ago, when I emailed the owner. Anyway, sulab.ru stands for “S. Yu Lab Ltd.” The phone number listed as a contact on sulab.ru was 8 (812)-951-20-91. According to several directories, the owner of that company is a person by the name Semyon Yurievitch Rzhevsky (Семен Юрьевич Ржевский), from Gatchina, Russia.