Control 126.96.36.199 Date 7-19-2012 Active
This control has more than 2 small botnets and very creative story lines.
Scrambles 1 word typically within the first 100 characters of each spam.
Very good English with reference to Dutch from time to time.
List is in order of post network usage.
That's all for this round and this small botnet.
The controller will return 3 times after the last bot then end the series.
Technical Notes: This network was detected by the XCtM Project Pattern Matching script.
The pattern here was a 4th and 5th word spelling issue. Interesting enough the spam was a story and was perfect English except for the 4th sometimes the 5th word which was completely out of place. The pattern matched the Control and the IP sequence you see above. Which flag for follow up. The words were then pattern matched and discovered one word out of place. The story was then pattern matched to be "Human Related" until the last post which was a spam link. The stories used keywords of the site, offer empathy, reason, solution as a good sales pitch would be. This was used to attract readers to follow the thread. Very easy to overlook if not monitored. The next pattern match was time of day. Weekday, 11PM to 11:20PM which ended once it was blocked completely. The IP list alternated order but never changing useragent which I didn't publish in this article because of ongoing interest in the pattern used.