Ron Paul spam blast linked to Ukrainian botnet

Spam messages promoting Republican presidential candidate Ron Paul, distributed in October, have been traced to a Ukrainian botmaster.

Joe Stewart, senior security researcher at SecureWorks, said this week that after investigating the incident, he was able to track the unwanted emails back to the Srizbi botnet, itself a component of the “Reactor Mailer” spamware.

The creator of Reactor Mailer is a spammer known as “spm,” who has claimed to have hired some of the best coders in the former Soviet Union, including a Ukrainian national called “vlaman,” according to Stewart.

After logging on to the Reactor Mailer interface, researchers found a list of saved tasks, including one called “RonP_3,” sent by a spammer using the name “nenastnyj.” The operation – which spammed millions of email users – was propelled by 3,000 bots.

Blogs and web-based commentators were quick to blame the campaign of Paul, a dark horse candidate for the Republican nomination and the representative of Texas' 14th Congressional District, for the spam run.

The investigation did not solve the mystery of who paid nenastnyj to blast the unwanted emails or how the sponsor got in touch with the spammer.

“The evidence shows that despite being capable of sending upwards of 200 million messages a day, nenastnyj is not one of the major spammers of the world, and seems to focus on spamming as an affiliate for larger ‘kingpin’ operations,” Stewart said in a report. “The Ron Paul spam was very much a ‘one-off’ job among the other tasks in the Reactor interface. It almost seems as though there may have been some pre-established relationship between the sponsor of the spam and nenastnyj.”

Stewart thanked researchers at myNetWatchman, IronPort and Spamhaus for assisting him in the investigation.

Symantec researchers warned in October that hackers could affect the 2008 presidential election by using keyloggers, phishing messages or hacking.

The campaign of Republican rival Rudy Giuliani fixed a vulnerability on the former New York mayor's website that could have allowed attackers to perform SQL injection attacks to expose volunteers' private information.

Paul, still considered a long shot for the Republican nod, has gained surprising momentum before the party's primary elections and caucuses, riding libertarian and non-interventionist views to raise more than $10 million in the fourth quarter of this year's fundraising.

Stewart told SCMagazineUS.com today that the spam run seems to have been inspired by political idealism rather than financial gain.

“I don't think there was any financial incentive involved, other than maybe to get Ron Paul in and get rid of the Internal Revenue Service,” he said. “Other than that, there's no incentive. It's purely political.”

A Paul campaign official could not be immediately reached for comment.
