Application security, Threat Management, Incident Response, TDR

Ron Paul spam blast linked to Ukrainian botnet

Spam messages promoting Republican presidential candidate Ron Paul, distributed in October, have been traced to a Ukrainian botmaster.

Joe Stewart, senior security researcher at SecureWorks, said this week that after investigating the incident, he was able to track the unwanted emails back to the Srizbi botnet, itself a component of the “Reactor Mailer” spamware.

The creator of Reactor Mailer is a spammer known as “spm,” who has claimed to have hired some of the best coders in the former Soviet Union, including a Ukrainian national called “vlaman,” according to Stewart.

After logging on to the Reactor Mailer interface, researchers found a list of saved tasks, including one called “RonP_3,” sent by a spammer using the name “nenastnyj.” The operation – which spammed millions of email users – was propelled by 3,000 bots.

Blogs and web-based commentators were quick to blame the campaign of Paul, a dark horse candidate for the Republican nomination and the representative of Texas' 14th Congressional District, for the spam run.

The investigation did not solve the mystery of who paid nenastnyj to blast the unwanted emails or how the sponsor got in touch with the spammer.

“The evidence shows that despite being capable of sending upwards of 200 million messages a day, nenastnyj is not one of the major spammers of the world, and seems to focus on spamming as an affiliate for larger ‘kingpin' operations,” Stewart said in a report. “The Ron Paul spam was very much a ‘one-off' job among the other tasks in the Reactor interface. It almost seems as through there may have been some pre-established relationship between the sponsor of the spam and nenastnyj.”

Stewart thanked researchers at myNetWatchman, IronPort and Spamhaus for assisting him in the investigation.

Symantec researchers warned in October that hackers could affect the 2008 presidential election by using keyloggers, phishing messages or hacking.

The campaign of Republican rival Rudy Giuliani fixed a vulnerability on the former New York mayor's website that could have allowed attackers to perform SQL injection attacks to expose volunteers' private information.

Paul, still considered a long shot for the Republican nod, has gained surprising momentum before the party's primary elections and caucuses, riding libertarian and non-interventionist views to raise more than $10 million in the fourth quarter of this year's fundraising.

Stewart told today that the spam run seems to have been inspired by political idealism rather than financial gain.

“I don't think there was any financial incentive involved, other than maybe to get Ron Paul in and get rid of the Internal Revenue Service,” he said. “Other than that, there's no incentive. It's purely political.”

A Paul campaign official could not be immediately reached for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.