Chat Logs Reveal Origins of Cutwail Botnet, Botmaster Identity
As part of an operation against a fake pharmaceutical spam operation, Russian authorities found chat logs that provide details about the Cutwail botnet and its creator.
Russian investigators have uncovered chat logs between the botmaster in charge of the "Cutwail" botnet and a founder of a fake pharmaceutical spam operation that hint at the botmaster's identity.
The chat logs were discovered by Russian law enforcement on a computer belonging to Dmitry Stupin, a co-founder of "SpamIt," according to Brian Krebs, a security writer on Krebs on Security. SpamIt was the largest fake online pharmaceutical affiliate program in the world before closing its doors in October 2010.
The chat logs provide a behind-the-scenes look into how Cutwail became the largest spam network in the world after Rustock was shut down as well as several clues to the identity of the person masterminding the operation. Previously included in the top three, Cutwail and its variants currently account for approximately 22 percent of all spam on the Internet, according to M86 Security.
Using the codename Google, the person in charge of the Cutwail botnet had extensive dealings with Stupin. The botherder used close to a dozen affiliate accounts at SpamIt and made nearly $175,000 in commissions using Cutwail to advertise rogue pharmacies, according to Krebs.
The botherder rented out Cutwail to other spammers and SpamIt affiliates were the biggest client base, according to Krebs. At some point, Stupin suggested using Cutwail to create a new affiliate program, Warezcash, to sell OEM software, such as pirated copies of Microsoft Windows and other popular software titles. Information on how to access various parts of the botnet infrastructure, including the interface, statistics, technical support forum and user manual, were also included in the logs.
According to analysis by researchers at University of California at Santa Barbara and Ruhr-University Bochum in Germany, the Cutwail spam engine is rented to a community of spam affiliates who pay a fee to use the infrastructure. These "customers" receive access to a Web interface that simplifies the process of creating and managing spam campaigns.
While Cutwail may have originally been used by cyber-criminals to send out fake pharmaceutical and software spam, in recent years, it has become "a major spam cannon" distributing malicious software such as Zeus and SpyEye Trojans, according to Krebs.
Recently, Cutwail was observed sending out spam messages with subject lines relating to the Automated Clearing House, confirmation orders for airline tickets, scanned document or Facebook notifications, according to M86 Security researchers. The messages contained links which directed users to malicious sites which attempted to download malware on the victim machine.
Cutwail has also been behind several "ransomware" attacks, where a hacker takes over the users' files and blackmails the recipient to get them back, according to Krebs.
The chat logs also contained some clues that may help Russian authorities track down the team behind Cutwail, such as the botmaster's mobile number. The number appears to have been used to register a number of domains by a "Dmitry S Nechvolod," according to historic WHOIS records. Krebs conceded this could be a pseudonym or an innocent bystander implicated in the scam.
However, the chat logs also listed the account information for WebMoney, a popular system of virtual currency used in Russia and Eastern Europe, that SpamIt's Stupin used to send affiliate payments due to Cutwail's team. The name on the WebMoney purse was Nechvolod Dmitry Sergeyvich, according to Krebs.