The researchers analyzed header elements of the spam e-mails to trace them back to zombie systems that were infected with the Srizbi trojan, an unusual piece of malware with highly advanced features. According to Symantec research, which has independently studied Srizbi, the trojan is one of the first pieces of malware found in the wild to operate fully in kernel mode with no userspace code. Srizbi bypasses firewalls and packet sniffers by directly manipulating the kernel-level TCP/IP stack. The Srizbi trojan is largely propagated by the well-known msiesettings.com site, which is paid by spammers to deploy viruses and trojans for spam botnets.SecureWorks collaborated with network administrators to analyze the traffic from some of the computers infected with Srizbi that were responsible for sending the Ron Paul spam. This allowed the researchers to discover the location from which the botnet was operated--a colocation facility in the US. The researchers collaborated with Spamhaus to get the server shut down and then obtained the source code used on the control system, a Python-based spam botnet management tool known as the Reactor Mailer. The logs present on the system prove that it was indeed the origin of the Ron Paul spam. Further research showed that other systems in the same colocation facility were also controlling various segments of the Srizbi botnet, and using it to transmit spam advertising replica watches and enlargement pills.
Birds of a feather, you know.