This link was http://advx.....ru, which took me to a Russian web site. This web site revealed to me how these spammers find customers for their botnet spam. This web site was probably owned by the Srizbi gang or some front-end guys and was trying to sell spam services/hosting...
------------
This post is a continuation of my previous article, where I talked about Srizbi's newly discovered command server in Estonia and speculated about a relationship between the Xarvester and Srizbi botnets. The initial spam sent by Srizbi at that moment gave me some breakthrough information about the gang behind the Srizbi botnet and their business model.
I showed in my previous article that it all started when we saw a potential Srizbi communication inside one of our customers' networks. This event was enough to give us the compromised host's information along with the CnC's IP address (92.62.100.97) and port (TCP 80). After seeing Srizbi come alive again, the first thing I wanted to do was to grab a Srizbi sample which could communicate with this new CnC on port 80 from my botlab's controlled environment. Running that sample for a longer period of time could give me some valuable information, like:
1. Spam template/spam theme.
2. Initial targeted spam.
3. Srizbi binary update (if any).
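The detection step described above (spotting a customer host talking to the CnC at 92.62.100.97 on TCP 80) is the kind of indicator match a SOC would automate over flow or firewall logs. The script below is an added example, not code from the original post or from the author's botlab; the log format, the internal host addresses and the flow records are constructed for illustration, and only the CnC IP and port come from the article. It flags every internal source that completed a TCP connection to that IP:port and ignores near-misses such as a different destination port, which the indicator does not cover.

```python
import ipaddress
import re
from collections import defaultdict

# Indicator taken from the post: the Srizbi CnC seen in the customer network.
SRIZBI_CNC = {("92.62.100.97", 80)}

# Constructed sample flow records (not real customer data).
# Format assumed for this example: timestamp src dst proto dport
SAMPLE_FLOWS = """\
2008-11-26T10:01:13Z 10.1.4.22 92.62.100.97 TCP 80
2008-11-26T10:01:14Z 10.1.4.22 10.1.1.5 UDP 53
2008-11-26T10:02:02Z 10.1.7.9 92.62.100.97 TCP 443
2008-11-26T10:03:40Z 10.1.9.31 92.62.100.97 TCP 80
2008-11-26T10:03:41Z 10.1.4.22 92.62.100.97 TCP 80
this line is garbage and must be skipped
""".strip().splitlines()

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>[A-Za-z]+)\s+(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one flow record; return a dict or None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Reject records whose addresses are not valid IPs rather than
        # matching them as opaque strings.
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["proto"] = rec["proto"].upper()
    rec["dport"] = int(rec["dport"])
    return rec


def find_compromised_hosts(lines, indicators=SRIZBI_CNC):
    """Map each internal source IP that contacted a CnC (IP, TCP port) to the
    timestamps of those connections. A hit is a *potential* infection: it
    tells you which host to pull, not that it is definitely running Srizbi."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if (rec["dst"], rec["dport"]) in indicators:
            hits[rec["src"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for host, times in sorted(find_compromised_hosts(SAMPLE_FLOWS).items()):
        print(f"{host}: {len(times)} connection(s) to Srizbi CnC, first at {times[0]}")
```

The port 443 flow from 10.1.7.9 is deliberately left unflagged: the indicator is the IP and port pair the post observed, and widening it to "any traffic to that IP" is a separate analyst decision that should be recorded as such.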
Unfortunately, I was not able to find any Srizbi sample in my malware DB which could talk to this particular CnC. Luckily, some tweaking in my sandnet environment fooled an older Srizbi sample into talking to the new CnC. This trick worked really well, and the Srizbi bot inside my lab successfully downloaded the spam template from the new server and started sending spam.
Some of the initial spam captured by my spam filter was aimed at a Russian audience. Although the emails were written in a Russian dialect (which I was not able to understand), one embedded link inside some of the emails was enough to tell me the purpose of these spam emails.