Inside the "Ron Paul" Spam Botnet

["lsi" <stuart () cyberdelix net>]

[Half the backstory, gg, lol, etc.  And we are led to somewhere in 
Eastern Europe, a dead-end I hear you say!  No, no no... let's think 
like a spammer, one who just had his botnet toasted ... he knows the 
identity of his sponsor.  That sponsor, if exposed, stands to lose a 
lot, and thus that identity is worth money.  My advice to the spammer 
now is to approach a major western media outlet and sell them your 
story.  At least that way you cover the loss of your botnet.  We'd 
all just love to find out which lowlife paid you, even more than we'd 
love to know who you are.  Don't leave the CIS tho ... - Stu]

Inside the "Ron Paul" Spam Botnet

URL: http://www.secureworks.com/research/threats/ronpaul
Date: December 4, 2007
Author: Joe Stewart

On the weekend of October 27, 2007, the Internet was suddenly 
bombarded with a rash of spam emails promoting U.S. presidential 
candidate Ron Paul. The spam run continued until Tuesday, October 30, 
when it stopped as suddenly as it began. At the same time, political 
blogs began to light up, accusing the campaign (or at least its 
ardent supporters) of running a criminal botnet for political 
purposes. We decided to cut through the spin and take a closer look 
at this botnet to determine its origins and shine some light on who 
might be responsible.

Tracking the Spam

Tracking specific spam back to a particular piece of botnet malware 
is somewhat challenging, but given the right cooperation between 
researchers who hold different pieces of the puzzle, ...

[continues at http://www.secureworks.com/research/threats/ronpaul ..]

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/