Krebs On Security cracked the case on the malicious hacker responsible for much of the spam that cripples inboxes across the Internet. Security researchers have identified the person responsible for about 22% of all spam on the Internet. Ironically, the individual who runs the operation through the so-called "Cutwail" botnet goes by the codename "Google."
Investigators discovered hundreds of chat logs between "Google" and Dmitry Stupin, the co-founder of a spam operation called "SpamIt." These logs, found on Stupin's computer by Russian investigators, gave a detailed look into how "Google" ran Cutwail and how he built the largest spam network on the planet.
Cutwail, SpamIt & Russian Spammers
Cutwail operates by using the botnet as an engine that it rents to a community of spam affiliates, according to research done by the University of California, Santa Barbara and Ruhr-University Bochum in Germany. Clients are provided with a Web interface in English and Russian that makes it easy to create spam.
Image: Worldwide spambots in December 2011 from M86 Security.
"Google" rose to fame with Cutwail by affiliating it with SpamIt. Cutwail at first spammed about stocks but found in 2007 that the conversion rate for those were low and switched to pharmacy-related spam. Later, "Google" and Stupin created a scheme to sell original equipment manufacturer software, such as pirated copies of Windows. This new scheme was dubbed "Warezcash." A meeting was arranged between "Google" and Stupin in which chat logs give "Google's" mobile phone number.
This is where "Google's" identity starts to unravel. The phone number, along with a previously known email address, led investigators to Web site registrations for multiple domains, such as antirookit.ru and lancelotsoft.com. These domains were registered to a person named Dmitry S. Nechvolod, who is presumed to be "Google."
Krebs notes that Dmitry S. Nechvolod is not necessarily the real name of "Google." It could be a fake or a redirection. Krebs does say there are strong connections based on payment information that "Google" gave to SpamIt. Through a virtual currency called "WebMoney," the account to which SpamIt sent "Google's" money was registered to a person named "Nechvolod Dmitry Sergeyvich."
The Cutwail botnet has morphed over the years. It started simply with stock spam, then moved to pharmacy-related spam. It later moved to OEM software before sending phishing emails with malware attachments carrying the Zeus and SpyEye Trojans, according to Krebs. Airline tickets, Facebook notifications and various other schemes came later. Cutwail has more recently moved on to "ransomware" attacks, in which a malicious hacker takes over a user's files and attempts to blackmail the recipient to get them back.
Cutwail is still alive and active. After the takedown of the Rustock botnet, it was Cutwail's time to shine. There is good news, though, in the global war on spam. 2011 saw some of the lowest levels of email spam in the last decade, at 70% of all email volume in November 2011, according to Symantec (see above image). That is down from its peak of 90%. Part of the decrease is due to the increased efficiency of security researchers in identifying and taking down botnets. Spammers have also moved to social networks like Twitter, Facebook and Google+, and to the comments of popular blogs.