
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


7 posts from February 2009

Bad Actors Part 4 - HostFresh

There was an excellent report published in 2008 by HostExploit that showed the connections between Atrivo and those for whom it provided downstream services. One such customer was a Chinese provider called HostFresh. I thought it might be interesting to look at two IP blocks which were previously part of the Atrivo network - 58.65.232.0/21 and 116.50.8.0/21 - but are now routed by others.


Srizbi Spam/Hosting Services...

This link was http://advx.....ru, which took me to a Russian web site. This web site revealed to me how these spammers get customers to sell their botnet spam. This web site was probably owned by the Srizbi gang or some front end guys and was trying to sell spam services/hosting......

------------

This post is a continuation of my previous article, where I talked about Srizbi's newly discovered command server in Estonia and speculated about a relationship between the Xarvester and Srizbi botnets. The initial spam sent by Srizbi at that moment gave me some breakthrough information about the gang behind the Srizbi botnet and their business model.

I showed in my previous article that it all started when we saw a potential Srizbi communication inside one of our customer's networks. This event was enough to give us the compromised host information along with the CnC's IP address (92.62.100.97) and port information (TCP 80). After seeing Srizbi come alive again, the first thing I wanted to do was to grab a Srizbi sample which could communicate with this new CnC on port 80 from my botlab's controlled environment. Running that sample for a longer period of time could give me some valuable information like:

1. Spam template/Spam Theme.
2. Initial targeted SPAM.
3. Srizbi binary update (if any).

Unfortunately I was not able to find any Srizbi sample in my MW DB which could talk to this particular CnC. Luckily, some tweaking in my sandnet environment fooled an older Srizbi sample into talking to the new CnC. This trick worked really well, and the Srizbi bot inside my lab successfully downloaded the spam template from the new server and started sending spam.

Some of the initial spam captured by my spam filter was for a Russian audience. Although the emails were using a Russian dialect (which I was not able to understand), one embedded link inside some of the emails was enough to tell me the purpose of these spam emails.


Bad Actors Part 3 - Internet Path/Cernel

Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community and tenacity by the Washington Post's Security Fix technical blog. While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.


Bad Actors Part 2 - ZlKon

In this edition of "rooting out the Bad Actors" I'm going to take a look at ZlKon, hosted by "Datoru Express Serviss, Ltd" in Latvia.


Srizbi, Xarvester, and the MSRT

After months of silence, yesterday we finally found some Srizbi activity in one of our customer's networks. As Alex wrote in his last post, the newly discovered Srizbi CnC is 92.62.100.97. This IP belongs to Starline Web Services, hosted in Estonia. Apart from seeing Srizbi coming alive again, there were two more things which caught my attention immediately.


Bad Actors Part 1 - Starline Web Services

A remarkably small number of data centers host services for those groups who operate the most sophisticated malware and botnets, known to the industry as Bad Actors. Over the next couple of weeks I'll take a closer look at the worst of the worst.


Kin/Beneficiary for US$20 Millions

Becoming a millionaire has never been so easy, but there are some spam emails which tempt us to believe so. Here is a recent one from my SPAM trap.
