Spam from the botnet, for the botnet
You've been getting spam lately saying "John Mccain Taps Osama Bin Laden As Running Mate" or "Beijing Olympics cancelled"? And a couple of weeks ago, CNN kept sending you their Top 10, and then's BREAKING NEWS hit you?

It's the botnet, and if you have no idea what I'm talking about, read this.

The project is getting unwieldy, so here's a timeline which I will attempt to decorate with links as I get the time.


Now here's a thought. If BN1 were involved in the Russian invasion of Georgia, in terms of a DDoS of Georgian Internet services before the event, I would expect to see less bandwidth devoted to expansion spamming during that time. This plot is crude (it's been many years since I dusted off gnuplot) but:

You tell me. Is that meaningful?

2008-08-04: The botnet switched email formats today, with a rather nice-looking knockoff of the CNN news format, but the exploit spammed is the same. It took me a bit to rewrite the analysis code (because I honestly didn't expect to have to maintain it!) but I've resumed tracking the links spammed. Most of those are pretty much the same, except that there's a new CNN-like page being hacked onto some of the new servers.

The new spam all has the subject " Daily Top 10".

Incidentally, I have about 1300 IPs of botnet PCs being used to inject this spam (and a strategy, not yet implemented, to find more by datamining more of my records). If anybody can think of something interesting to do with that, I'd be happy to hear your ideas.

2008-08-08 - In case you weren't paying attention, the botnet subject du jour is "CNN Alerts: My Custom Alert" - I ended up with 3,498 copies of the Top 10, though. Oh, and I misremembered the number of botnet IPs I have. It was 13,000 -- and now it's 15,000. (And change.) I think I'm going to have to get that blocklist DNS server up that I've been considering for so long.

2008-08-10 - If you were wondering, the "Internet Explorer 7" spam is not from the same group (I'm calling it "Botnet 2"); none of the origination IPs match the list of IPs injecting these spams here. But they do seem to be using the same modus operandi, with hijacked servers to host their exploits. If I've got time tomorrow, I'll try to set up the same kind of scanning I've got for this botnet. ("This is getting out of hand! Now there are two of them!")

In other news, the Storm botnet has resumed spamming some non-exploit (read: Canadian pharmacy) spam amongst its attempts to expand, and I just got a run-of-the-mill spam entitled "German farmer attacks police over cows held in dark," which is not from the botnet, either. I'm heartened to note that someone is still upholding the tradition of funny headlines. I'd started to miss those.

2008-08-11 - but at least we have a new landing page today. In an interesting new twist, it pops up a window loaded from We've already seen, as it's already been spammed as a normal landing page carrier. But this is is a first, that other landing pages are linking to another hijacked server. I do believe it's simply been hijacked, though, as the registration is a consulting company in Germany. I've emailed them. The morning will be starting there soon; let's see if their admin contact is an early riser.


2008-08-13: - BREAKING NEWS: Botnet switches email formats! Now that I'm parsing the new mails correctly, though, we can see that they haven't changed landing pages yet. But o frabjous day -- we're getting new headlines!

BBC NEWS spam is not the group I'm tracking here, and due to the way I've built things, it's difficult for me to extend the tracker. But I intend to soon. (BBC NEWS also doesn't overlap with BN2, so I've gone out on a creative limb to call this group "Botnet 3".)

2008-08-13, evening: Yep, BN1 has changed their landing pages to look like MSNBC now.

2008-08-15: Well, now I'm not so sure these botnets are separate. BN1 has been dropping some spam that sure looks like the modus operandi of BN3. I'll need to develop some better tools to examine this theory, though; BN3 doesn't spam the same addresses as BN1, let alone from the same IPs. It's all very confusing (which is why it's fun).

2008-08-16: Still quiet; same subjects, same email format, same landing page. I've spent some time going back over old landing pages and getting things organized -- and I discovered one landing page that had been re-hacked -- twice, within 4 hours of one another, yesterday. Congratulations to for the Most-Hacked Award of the day for August 15, 2008.

Incidentally, as of tonight I have 35,162 botnet IPs identified in BN1.

2008-08-17: Yeah, I thought it was time. New mail (BREAKING news), new landing page (anonymized to "Watch Free Movie" again), and new bugs discovered in my scanning routines, ha. (Fixed, of course.)

2008-08-17: Stop the presses! They've switched back to a CNN Top 10 Video email, with a format containing 16 links. The landing pages haven't changed, though.

2008-08-18: You know how when you start a fun little project, and you need to do something like, say, parse MIME, and you cobble together some Perl to do what you need to do? And then you start relying on that code until it breaks due to something you didn't think of? And then you grumble and rewrite it all with MIME::Parser, which you should have done in the first place?

I hate that. (Note to self: next time, check CPAN first.)

2008-08-18: You know how when you're assuming constant subjects, the object of your pursuit changes strategy and uses the To: name in the subject to throw you off, so you have to implement a second level of searching to filter your SQL replies after looking at the headers you have stored in files based on a simple field delineation in your target subject?

I hate that. (The subject in question: "Hi %(name)", where name is the name in the addressee in the header.)

2008-08-20: All Britney, all the time -- and linking directly to the malware executables for now. Which is good, because I was starting to feel a little ragged, trying to keep up with analysis of the HTML and Javascript pages. But as you can see, my viewer is a little disappointing when confronted with binary files.

I've been working a little with Win32::Exe (remember, kids, always check CPAN first) but it's tough going, and frankly I'm not yet sure what static analysis can bring. Unfortunately, the dynamic analysis tools I've tried so far have been somewhat underwhelming in their analysis of the malware I've tried.

2008-08-21: Well, this is less fun -- the current modus operandi (since about Aug. 18) is to link directly to a hosted executable, usually with a picture in the email (nude Angelina Jolie, for instance). Block all incoming mail with links to executables, and you're good.

I'm using the time to reassess my monitoring process, summarized here. The original datamining was based on the subjects of the emails, then on the users receiving them. But now that I know a whole lot of IPs I know to be the botnet, I can simply look at whatever those IPs are feeding me, and go from there. There's a lot I was missing, and I can also see more clearly the other types of spam the botnet has still been sending me all along.

I can still look at existing subjects to get more candidate IPs to be investigated as botnet members (and will have to do that), but this is a much cleaner way of doing things. Work is ongoing.

Oh -- my other epiphany in this respect. I've been thinking of spam category as being a property of the email. Conceptually, this is wrong -- spam category should logically be a property of the link spammed. (If there's no link, then the content determines category.) This changes the way analysis should proceed, obviously; I can simply total up all the links spammed, then categorize each one, and each mail which spammed it shares that category.

2008-08-31: Well, as you can see, they're using email names in the subject line as spoilers. I have a plan to counter that automatically, but in the meantime it makes traffic look sparse.

I've been spending time building some new scanning tools, and on gauging similarity based on mutual compression ratios. It works astoundingly well for text files, but the binaries are already compressed, so you can't detect similarity that way.

I was considering doing multidimensional scaling to cluster the pages, but (1) MDS is really hard, and (2) I'm not even sure it would result in meaningful information. I can cluster based on rough similarity, though, and that will already be pretty interesting. More later on that.

2008-09-06 - Got the name scanner working; now new subjects which incorporate the name of the addressee will cause a broader search for all similar subjects. If there are any, they'll all be grouped automatically with the subject template. This is working pretty nicely.

I also have an online page-diff viewer working. This makes it easier to see what variations are being used in landing pages. The next step in that thread would be automatic discovery of templates; then very similar pages could be stored in template form, with a list of the values filled into the templates. That would be kind of neat.

In other news, the botnet operators have been using landing pages for their standard spam runs now (forwarding to, say, Canadian pharmacy shopping sites). In the past, these landing pages have been reserved for botnet malware distribution, but this new change means that some of the run-of-the-mill spam is now showing up on this page. Sorry. Until I can automatically figure out whether a given landing page is intended to distribute malware (not an insuperable task) I'm going to have to display everything that looks like a landing page. So for the time being, not everything here is a malware site.

Anyway, here are the 50 most recent botnet spam subjects (something less than a day's worth):
Stormspam subject list
(Most recent 50)
Report run Wed Apr 8 04:29:42 2009
Subject# archivedLast foundFirst found
Blowout savings here192009-01-23 04:06:072008-10-16 01:00:37
You have received an eCard6522008-12-12 21:10:452008-09-09 04:02:58
CNN Alerts: My Custom Alert75202008-10-21 12:08:272008-08-08 00:17:46
Get in shape Fast.132008-10-18 15:59:322008-10-18 01:53:55
Your credit score142008-10-18 14:06:222008-10-18 01:50:49
Hottest price for hottest nights152008-10-17 20:39:522008-10-17 01:40:49
Huge tool for everyone162008-10-17 20:26:432008-10-17 01:25:50
McCane private party192008-10-17 20:24:502008-10-17 01:29:42
Hottest selling tips on net172008-10-17 19:54:412008-10-17 02:02:19
Hot, horny, yours162008-10-17 19:34:072008-10-17 01:12:03
Mindblowing sales202008-10-17 19:07:072008-10-17 01:20:37
Obama's private video282008-10-17 18:22:442008-10-17 01:45:28
Amaze the girls around102008-10-17 17:33:082008-10-17 01:35:15
Your path to cash172008-10-17 17:28:042008-10-17 01:38:47
How crysis can affect you132008-10-17 17:02:032008-10-17 01:25:28
80% cut on Halloween132008-10-17 16:29:202008-10-17 01:32:08
Make her come triple tonight92008-10-17 16:12:042008-10-17 02:15:22
Your way to satisfaction142008-10-17 15:58:032008-10-17 01:26:52
Amaze her with growth222008-10-17 15:50:562008-10-17 01:57:26
Take her everywhere112008-10-17 15:41:512008-10-17 01:33:21
All what you need122008-10-17 15:40:442008-10-17 02:56:50
Huge discounts on huge growth162008-10-17 15:26:402008-10-17 01:42:00
Your home video discovered122008-10-17 15:25:102008-10-17 01:51:38
Crazy low prices222008-10-17 14:38:562008-10-17 01:25:08
Crysis heat here102008-10-17 14:34:132008-10-17 01:49:03
Take her to seventh sky152008-10-17 14:11:362008-10-17 03:32:17
Enlarge your savings232008-10-17 13:26:412008-10-17 01:18:45
Dont let the crysis hit you172008-10-17 12:56:102008-10-17 01:39:07
One week-3 inches more122008-10-17 10:44:212008-10-17 01:37:04
Beat the high prices152008-10-16 23:44:232008-10-16 00:35:11
Confirm your present192008-10-16 23:08:052008-10-16 00:44:01
She wants real male192008-10-16 22:03:202008-10-16 00:56:58
Unbelievably low prices382008-10-16 21:59:482008-10-16 00:22:14
Beat up the crysis172008-10-16 21:59:212008-10-16 00:40:07
Please reply292008-10-16 21:41:042008-10-16 01:54:44
You know she wants it big162008-10-16 21:20:342008-10-16 00:41:57
Best Price Guaranteed292008-10-16 21:09:232008-10-16 00:20:26
Beat the crysis.162008-10-16 20:34:552008-10-16 00:22:15
Crazy wholesale192008-10-16 20:23:312008-10-16 00:53:27
Make your woman hot n wet302008-10-16 20:21:342008-10-16 00:10:00
Make her horny222008-10-16 20:04:172008-10-16 01:00:59
Why spend more?452008-10-16 19:59:292008-10-16 00:35:09
We have chosen the best for you172008-10-16 19:53:162008-10-16 01:32:13
Be a winner in bed272008-10-16 19:39:382008-10-16 00:44:54
Save more today192008-10-16 19:14:312008-10-16 00:12:22
Your reply needed162008-10-16 18:50:352008-10-16 00:49:35
Big discount for small orders162008-10-16 18:41:592008-10-16 00:49:43
Drive your wife wild172008-10-16 17:44:012008-10-16 00:24:23
Your private video here182008-10-16 16:22:242008-10-16 00:35:33
Your hidden secret revealed112008-10-16 14:55:122008-10-16 00:31:22

The full list is here.

And here are the 50 most recently spammed servers (bolded links returned HTTP 200 on last check, but some of those returns are non-malware boilerplate at this point; those I've flagged appear non-bolded but in parentheses and count as clear for analysis).
Stormspam malware domain list
(Most recent 50)
Report run Wed Apr 8 04:29:58 2009
Start URLCRC of pageLast foundFirst found 04:06:072009-01-23 04:06:07 21:10:452008-12-10 15:09:37 15:57:362008-11-11 04:28:00
http://www.123greetings.com3705026843-12105217002008-11-13 15:57:362008-09-09 06:27:20 02:46:272008-10-29 07:11:14 CNN2008-10-21 12:08:272008-08-10 13:16:01 15:59:322008-10-18 09:41:25 15:59:322008-10-18 09:41:25 15:59:322008-10-18 15:59:32 15:37:142008-10-18 15:37:14 15:37:142008-10-18 01:53:30 15:37:142008-10-18 01:53:30 15:24:582008-10-18 15:24:58 15:24:582008-10-18 15:24:58 15:24:582008-10-18 15:24:58 15:06:262008-10-18 15:06:26 15:06:262008-10-18 15:06:26 15:06:262008-10-18 15:06:26 15:02:112008-10-18 15:02:11 15:02:112008-10-18 15:02:11 15:02:112008-10-18 15:02:11 14:06:222008-10-18 02:11:51 14:06:222008-10-18 14:06:22 14:06:222008-10-18 02:11:51 13:51:362008-10-18 13:51:36 13:51:362008-10-18 13:51:36 13:51:362008-10-18 13:51:36 11:57:042008-10-18 07:15:00 11:57:042008-10-18 07:15:00 11:57:042008-10-18 11:57:04 11:31:542008-10-18 10:05:44 11:31:542008-10-18 10:05:44 11:31:542008-10-18 11:31:54 10:51:102008-10-18 10:51:10 10:05:442008-10-18 10:05:44 09:56:482008-10-18 05:03:34 09:56:482008-10-18 09:56:48 09:56:482008-10-18 05:03:34 09:41:252008-10-18 09:41:25 09:35:322008-10-18 09:35:32 09:35:322008-10-18 01:50:49 09:35:322008-10-18 01:50:49 08:33:382008-10-18 08:33:38 07:53:282008-10-18 03:36:23 07:53:282008-10-18 07:53:28 07:53:282008-10-18 03:36:23 07:15:002008-10-18 07:15:00 07:09:432008-10-18 07:09:43 07:09:432008-10-18 07:09:43 07:09:432008-10-18 07:09:43

The full list is here.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.