The Gang Behind the World's Largest Spam Botnet

tsu doh nimh writes "A Wikileaks-style war of attrition between two competing rogue Internet pharmacy gangs has exposed some of the biggest spammers on the planet. Brian Krebs uncovers fascinating information about a hacker named 'GeRa' who is supposedly behind the Grum botnet, which is currently sending about one out of every three spam emails worldwide. The story also points to several possible real-identities behind the Internet's largest spam machine."

  • Priorities (Score:5, Insightful)

    by SJHillman ( 1966756 ) on Thursday February 02, 2012 @09:12AM (#38901509)

    MegaUpload: Some people love it, some people hate it. Most of their damage (much of it alleged) is limited to a single industry and affects a tiny percentage of their bottom line.

    Global Botnets: Universally hated, with very real damage caused in terms of time spent, infrastructure upgrades, spam filtering, etc., plus I'm sure a lot of that spam is also used for phishing and other activities that cause further damage. It affects pretty much every company and individual with any sort of online presence. I don't have any numbers, but I imagine spam botnets cause damage that's at least an order of magnitude greater than what copyright infringement is even claimed to be (never mind the smaller amount it actually is).

    But hey, glad we took down the one that also served legal uses.

    • Re:Priorities (Score:5, Insightful)

      by SuricouRaven ( 1897204 ) on Thursday February 02, 2012 @09:17AM (#38901531)
      It shouldn't even be that hard. The spam botnet itself can't be easily taken down, true - decentralised C&C, that sort of thing - but they are using it for pharmaceutical scams. That means the spam is there to promote a website. Remove the website - which must be hosted *somewhere* - and the spam ceases to be profitable. Where is the megaupload-style international police operation to shut that down? Instead we have a bunch of vigilante hackers, hardly an ideal solution.
      • Re:Priorities (Score:4, Insightful)

        by shentino ( 1139071 ) on Thursday February 02, 2012 @09:22AM (#38901561)

        My guess is that the credit card companies that are collecting processing fees for the actual purchases don't mind the extra business.

        • Re:Priorities (Score:5, Insightful)

          by Peter Simpson ( 112887 ) on Thursday February 02, 2012 @09:30AM (#38901629)
          Yeah. You know, if the CC companies *really* wanted to shut these guys down, it seems like they could do it by identifying the stream of transactions that trace back to one or two payment processors in their network. But there's money involved, so I guess that's not going to happen.
          • I've been saying that to anyone that cared to listen for years. As long as Visa/MC/the banks/processors get their cuts and the chargeback level stays low, they do not care who or what is transacting.

          • Still, aren't the CC companies and banks the weak point in spam operations? Surely the government would be able to lean on them even harder than they can lean on some foreign ISP regarding a website.

            But every time I read about spammers like this, I think of the rubber stamp from the movie Top Secret!

        • Unless those processing fees are from donating money to a leak site. That money's no good.

      • by Anonymous Coward

        Also, since if people are buying stuff through it means there should be a money trail to follow...

        • Re: (Score:2, Insightful)

          by PopeRatzo ( 965947 ) *

          Also, since if people are buying stuff through it means there should be a money trail to follow...

          And who wants to bet that the money trail would lead to places and people that the "enforcers" would rather we not know?

      • Re: (Score:2, Insightful)

        by Aighearach ( 97333 )

        The problem is that the scams can use ad-hoc resources cobbled together from infected systems; there is no need to have a permanent domain. People don't need to get there by searching, the spam provides them a link. So shut down the server. Just be aware the server's legal operator wasn't involved and now their sites are down. And the scammers failed over to the next batch of infected systems.

      • Re:Priorities (Score:5, Insightful)

        by KiloByte ( 825081 ) on Thursday February 02, 2012 @09:31AM (#38901635)

        Spammers can use flux hosting for their websites so this part is not easy to target. Accepting payment, though, is something that's trivial to block -- if there was any will to do so.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Oh yeah, sure. It'd be about as easy as blocking payment to some other really damaging websites such as wikileaks. /sarcasm

        • by houghi ( 78078 )

          Unfortunately not as trivial as it sounds.
          A good step would be that the USofA starts using the chipset, like the rest of the world does. This would already help a LOT with stolen cards.

          It is not as if they would say: please transfer X amount from credit card Y to my own account. What they do is a bit more complex. They are pretty good at hiding sales under the radar.
          A way would be to verify each sale by an SMS or any other means. This will be extremely inconvenient for the user.
          As with DRM, it will harm the

        • flux hosting? Heh, they just pick one of the many hosting companies that do nothing about spam reports received via or emailed directly.

          Case in point? I received spam last Friday, which has redirects to: 199.10 2.228.2 19/~ lig htfoo/tracking/rd/t-a-x/main/jonxqo The IP address is with ServInt. Despite contacting them via their abuse@ address, the live chat feature on their website, and their Facebook page (from which they have blocked me by now) the site is still up. And ServInt is just one exa

          • I just started digging into finding Servint's upstream provider today because of all the fuckers abusing their servers (1-3 spam mails a day from as many scam companies with changing names). In my findings I also ran across 11 years old threads about their completely disgusting business practices. When reporting spam to them back then they threatened the spam reporters with reporting THEM as spammers! See the Spamcop mailing list 2000-2001 for more miserable reading.

            From what I've found about Servint it loo

      • Re:Priorities (Score:5, Insightful)

        by Hentes ( 2461350 ) on Thursday February 02, 2012 @09:37AM (#38901669)

        So next time a company will spam in the name of a rival, thus baiting authorities to take it down. Just because they are the ones advertised is no proof that they ordered the advertisement, or, if they did, that they knew it was being achieved by illegal spam.

      • by slart42 ( 694765 )

        Problem with that is that I'd be able to get any web site taken down by paying people to send around a little spam linking to it :)

        • So you follow the money trail back one or two steps further to the guy that accepted money to send the spam and the operators of the botnet.

          It's not that hard. The government knows how to do this. It's just not a high priority.

      • Re:Priorities (Score:5, Insightful)

        by Zocalo ( 252965 ) on Thursday February 02, 2012 @09:47AM (#38901723) Homepage
        Chances are the website is also hosted on the botnet, thousands of times over, across possibly as many domains and sub-domains. The spammers can then use Fast Flux DNS to cycle between random selections of hosts every few minutes or so. That means you need to take out the C&C servers to take down the website(s) as well, and even then there's no reason that the bots could not keep on operating in autopilot while the operators try to regain control.

        Realistically, there is only one way to stop spam and that's to disrupt the money flow between the people that buy products from spam and the spammers to such an extent that it is no longer profitable. That's certainly not going to be easy, but for all its faults SOPA would have provided some of the necessary muscle needed to force Mastercard and Visa to try and prevent payments to known spam operators through its provisions to block financial flow to such sites (its potential use for preventing sales of fake Viagra is why Pfizer is on the SOPA supporters' list). Another avenue of attack is blacklisting banks that can be shown to be processing spam related payments, especially since research has shown that there may only be a handful of banks prepared to deal with spammers in the first place.
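The host-cycling pattern described above is what a resolver-side fast-flux heuristic looks for. The script below is an added example, not code from the thread or from Krebs; the DNS observations are constructed, and the thresholds (address count, /16 spread, TTL) are assumptions, not published figures.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver observations: (domain, TTL in seconds, A records returned).
# Each tuple is one response. The first domain rotates hosts every few minutes;
# the second answers with the same two addresses and a long TTL.
OBSERVATIONS = [
    ("pharmacy-example.test", 180, ["203.0.113.5", "198.51.100.17"]),
    ("pharmacy-example.test", 180, ["192.0.2.44", "203.0.113.91"]),
    ("pharmacy-example.test", 120, ["198.51.100.200", "192.0.2.9"]),
    ("pharmacy-example.test", 120, ["203.0.113.130", "198.51.100.3"]),
    ("static-cdn.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("static-cdn.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("static-cdn.example", 3600, ["192.0.2.11", "192.0.2.10"]),
]

# Assumed thresholds (not from the thread): flag a domain that has churned
# through many addresses spread over several /16 networks while keeping its
# TTL short enough that resolvers must re-query every few minutes.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3
MAX_TTL_SECONDS = 300


def assess(observations):
    """Aggregate observations per domain and apply the fast-flux heuristic."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    min_ttl = {}
    for domain, ttl, answers in observations:
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
        for addr in answers:
            ips[domain].add(addr)
            # Collapse each address to its /16 so hosts on one network count once.
            prefixes[domain].add(str(ip_network(f"{addr}/16", strict=False)))
    report = {}
    for domain, ttl in min_ttl.items():
        n_ips, n_prefixes = len(ips[domain]), len(prefixes[domain])
        report[domain] = {
            "distinct_ips": n_ips,
            "distinct_prefixes": n_prefixes,
            "min_ttl": ttl,
            "fast_flux": (n_ips >= MIN_DISTINCT_IPS
                          and n_prefixes >= MIN_DISTINCT_PREFIXES
                          and ttl <= MAX_TTL_SECONDS),
        }
    return report


if __name__ == "__main__":
    for domain, stats in assess(OBSERVATIONS).items():
        print(domain, stats)
```

A CDN with a short TTL can also score high on address count, so in practice the prefix spread and the mix of residential-looking networks carry more weight than any single threshold.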
      • by EXrider ( 756168 )

        Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.

        Probably because zombie machines on the botnet are the ones hosting the website(s).

      • by kryliss ( 72493 )

        The reason something like this doesn't get shut down is because companies spend money to get rid of the problem, money spent is taxable, more money spent, more taxes paid.... then the next version of spam/virus/malware/etc... more money spent, more taxes paid... rinse and repeat.

      • Remove the website - which must be hosted *somewhere* and the spam ceases to be profitable.

        It's more along the lines of: remove the website - which isn't easy, because most of the time it's hosted by a company that is an accomplice - and another one pops up in a matter of hours.

      • For more information: []

        This will tell you all you need to know about why it hasn't been done, direct from the experts in the field.

        Short form: the Russians aren't about to take down a "legit pharmacy" just because of abuse of "referral programs".

    • by Anonymous Coward

      It affects pretty much every company and individual with any sort of online presence.

      It's too bad that banks, credit companies, and others who are hurt by spam and botnets don't have public service announcements on TV and in AARP that say something like "Consider all email to be scams!"

      It is interesting that my financial institutions no longer send links when there's some sort of update or announcement. Their emails just say "log into your account and see ..."

      It seems to be old people (70yrs+) that really get snookered - at least that age group seems to be the largest segment of victims. It'

    • Re: (Score:3, Interesting)

      by somersault ( 912633 )

      time spent, infrastructure upgrades, spam filtering, etc

      I of course hate spam, but that type of stuff does keep a lot of Slashdotters employed.

      Good job on being spectacularly biased and imagining up all those useful pieces of information to back up your viewpoint.

      • by Anonymous Coward

        Good job on being spectacularly biased

        So your point is that killing keeps many detectives, coroners, and funerary home employees working. So it's good.

        • On a moral scale it's not good. On an economic scale, it's probably neutral-to-good right now, as it frees up jobs for other people, or gets rid of people drawing government welfare :p

    • > But hey, glad we took down the one that also served legal uses.

      Same comparison could be made between action taken by US against drug cartels and Taliban, al-Shabaab, etc.

    • by Pope ( 17780 )

      False equivalence, rear your head!

    • by Splodgey ( 951669 ) on Thursday February 02, 2012 @10:38AM (#38902169) Homepage

      Destroying this botnet could have detrimental effects on men with tiny penises worldwide!

    • I feel your pain. The unbalanced allocation of resources mirrors so many policy decisions, from law enforcement to military involvement. If we could just use /. polls to drive these decisions, spammers would experience the same wake up call as the Somalis who took those aid workers hostage.

    • by alaffin ( 585965 )

      I guess, by your logic, we should bother to try and take down Global Botnets either because there are rapists and murderers out there who have yet to be caught. Obviously we have our priorities mixed up.

      Leaving aside the whole "MegaUpload was a legitimate business" argument, it's likely a matter of low hanging fruit. Shutting down a botnet is difficult. Its command and control structures are usually obfuscated and redundant. Its operators are (usually) bright enough to cover their tracks. Innocent peop

  • by Cid Highwind ( 9258 ) on Thursday February 02, 2012 @10:38AM (#38902179) Homepage

    Over a 3-year period, GeRa’s advertisements and those of his referrals resulted in at least 80,000 sales of knockoff pharmaceuticals, brought SpamIt revenues of in excess of $6 million, and earned him and his pals more than $2.7 million.

    ...and that's why we will never be rid of spam: because at least 80,000 people are dumb enough to buy boner pills over the internet from someone who spammed their inbox with poorly-spelled sales pitches.

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      The trouble is and always has been that money is really hard to follow. How do you think the federal government manages to lose TRILLIONS of it?
    • by Tom ( 822 )

      You have convinced me to change my position on spam.

      From "shoot the spammers" to "shoot the idiots who buy from them".

      The only issue is that we must shoot idiots faster than they breed, and that is going to be challenging.

  • "Syrian" hackers on a U.N. Peacekeeping Mission: []

    Syria Cyber War Opens New Front In Russia

    02 February 2012

    By Jonathan Earle

    The cyber front of Syria's year-old civil war spread to Russia this week as pro- and anti-government bots splashed criticism and expressions of gratitude across the Russian Internet, and Syrian hackers attempted to commandeer the website of a Russian embassy.

    The attacks are a response to Russi

  • by Marrow ( 195242 ) on Thursday February 02, 2012 @11:41AM (#38902755)

    If actual products are being shipped (as opposed to pure fraud), then it should be possible to trace the physical deliveries back to their source. Pharmacy products are not e-products. They are physical. So if these products are being marketed through illegal means, and are probably illegal products themselves, then why not follow them back to their source?
    At the very least, the govt could make a big noise and say that goods marketed through spam are being seized en route and people will throw their money away if they purchase them.

    • There was an article on slashdot not too long ago about websites that pay you to act as a small "shipping/receiving" drop point for these illegal online pharmacies...

      I've tried searching for it, but slashdot search doesn't really bring it up...

  • One of the two hackers' names the author "uncovers" is Vasily Ivanovich Petrov which is basically one of many possible variations of John Doe in Russian. While there is a possibility for someone to be named this way (in fact, Wikipedia has an article on one), it seems highly doubtful that is the person's real name.
  • by equex ( 747231 ) on Thursday February 02, 2012 @02:11PM (#38904743) Homepage
    What does this have to do with Wikileaks?
