Russian Denies Authoring "SoBig" Worm

by Brian McWilliams, author of Spam Kings

A Russian developer of bulk email software flatly denied reports that he or his company is in any way connected to the virulent SoBig computer worm.

Ruslan Ibragimov, owner of Russia-based Send-Safe, said an anonymously published document falsely accuses him of authoring SoBig, which was rampant on the internet in 2003.

"It's bullshit," said Ibragimov in an online interview on Monday.

The report, "Who Wrote SoBig?" (a copy of which is available here) includes a 48-page technical analysis of both SoBig and the Send-Safe bulk email program. The similarities between the software "should be considered as significant as finding a fingerprint on a murder weapon," concluded the document's pseudonymous creator, "Author Travis."

Since SoBig was first identified in January 2003, experts have suspected that the worm was created in order to turn infected PCs into "Trojan" proxies that could be used to send spam anonymously. Author Travis is the first to publicly finger a specific spam operation as the source of the worm.

Ibragimov, 30, said no one from the FBI or any other law enforcement agency has ever contacted him about the SoBig worm. He rejected the report's forensic analysis and said that it reached faulty technical conclusions.

The report noted, for example, a strong similarity in the email headers created by Send-Safe and SoBig. But Ibragimov said Send-Safe chose the particular order of headers merely to mimic Outlook Express and to better evade spam filters.

Ibragimov also said that the roughly similar release dates of new Send-Safe versions and updates of SoBig were purely a coincidence and not an indication that the programs were both written by the same person.

"We have released new builds [of Send-Safe] every week and a new version every month," Ibragimov said.

Related Reading

Spam Kings
The Real Story behind the High-Rolling Hucksters Pushing Porn, Pills, and %*@)# Enlargements
By Brian McWilliams

Ibragimov also commented that there's a painful irony in the accusation that Send-Safe wrote the SoBig worm in order to assemble a collection of "Trojaned" proxies.

"Trojans killed my business," he said, noting that many of his customers have recently migrated to "cracked" (pirated) versions of spamware programs such as Dark Mailer, for which they purchase lists of Trojaned proxies from hackers.

According to Ibragimov, Send-Safe provides customers with a list of proxies gathered by scanning the internet for computers configured as proxy servers. He claims that the report incorrectly states that Send-Safe, like SoBig, primarily uses proxies on obscure port addresses. The current list of 937 proxies provided to Send-Safe customers includes 682 using standard proxy ports--ports 80, 8080, 3128, and 1080.

The Send-Safe mailer does allow users to supply their own proxies. Ibragimov admitted that some customers might have obtained Trojaned proxies from other sources and used them with the Send-Safe mailer.

Comments on Send-Safe's discussion forum appear to confirm that the company has had trouble providing users with sufficient proxies for sending spam. Over the past 16 months, customers have frequently reported problems with proxies. On September 9, Ibragimov responded to one complaint about the service this way: "Proxy count is just a little lower than usual. We are looking for a good proxy provider for our users."

Ibragimov said his company, which employs three people, currently has around thirty users, sharply down from the hundreds it served just a year ago.

In an email, Author Travis declined to answer questions about the report. According to the document, the authors provided the information to law enforcement over a year ago. They decided to go public with the report in hopes of spurring additional research into their theory that Send-Safe is the culprit behind SoBig.

According to the document, the authors' forensic analysis of SoBig predates Microsoft's offer of a $250,000 reward for the apprehension and conviction of SoBig's creator. A Microsoft representative Monday said the company had no comment on the SoBig report. An investigation by law enforcement into SoBig is still underway, said the representative.

"Who Wrote SoBig" was published anonymously, according to its authors, because "associating this paper with any specific company, organization, group, or individual will only serve to detract from the investigation."

Ibragimov said he had no idea who authored the anonymous report. When asked whether he had any idea who might have written SoBig, Ibragimov said, "No. There are a million good programmers in the world."

Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.

Return to the O'Reilly Network.