Henry Stern - Turning Point on War on Spam - AtlSecCon 2011

Page 1: Spam after "My Canadian Pharmacy"

Henry Stern, Senior Security Researcher

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


Page 4

[Chart: y-axis 0.0 to 450.0. Source: SenderBase.org]

Page 5

• Leading pharmaceutical affiliate program, SpamIt.com, shuts down abruptly. The Rustock botnet simultaneously ceases activity.

• "Al Capone"-style takedown by Russian police.

• Kommersant: Despmedia netted $120m since 2007. Owner, Gusev, received $2m in revenues.

The New York Times, "E-Mail Spam Falls After Russian Crackdown." October 26, 2010.

Page 6

• Spammers
  Botnets: Reactor Mailer, Rustock, Storm/Waledac, Mega-D, Grum, Lethic
  Deliver messages to massive address lists.
  Purchase domain names and host landing pages.

• Affiliate Programs
  GlavMed (SpamIt.com), RX-Promotion (Chronopay), SanCash, Bulker.biz
  Host back-end order processing systems.
  Provide customer support.
  Pay high commissions to spammers.

• Fulfillment
  Based in India and China.
  Mail fake or generic pills to customers.

Page 7

• Bulker.biz - MyCanadianPharmacy
  This investigation begins with a massive spam attack for "MyCanadianPharmacy" and tracks the spam back through the pharma supply chain.

• GlavMed - Storm Botnet and SpamIt.com
  This investigation begins with the Storm botnet and its "Canadian Pharmacy" spam and traces the botnet and spam back to GlavMed, the supply chain organization.

• Bonus: Reactor Mailer Botnet
  The largest-capacity spam botnet ever.


Page 10

[Diagram: parts of a pharma spam message]

• "Advertisement"
• Call to Action: the URL advertising the pharmaceutical web site
• "Hashbuster" text: random filler that makes every copy of the message hash differently, so that signature-based duplicate detection does not match it

Page 11

• 20 Billion Spam Attack in Two Weeks
  1.5 billion messages per day

• Spam Trickery
  2000 unique spam content mutations
  New content every 12 minutes
  1500 unique domains used
  New "Call to Action" domain every 15 minutes
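The hashbuster and mutation figures above explain why exact-match signatures fail against a campaign like this: every copy hashes differently and the call-to-action domain rotates. The following Python is an added example, not code from the presentation or from Cisco/IronPort, showing a simple template-clustering approach (word 3-gram shingles compared by Jaccard similarity, with URLs collapsed to a placeholder and digits dropped) that groups the mutations back into one campaign and pulls out the rotating domains. The messages are constructed for the example and the 0.5 similarity threshold is an assumption.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample messages (not taken from the presentation): three mutations
# of one pharma template that differ only in the call-to-action domain and in
# the random "hashbuster" words appended after the advertisement, plus one
# unrelated message.
SAMPLE_SPAM = [
    "Best prices on VIAGRA and CIALIS! Free worldwide shipping, no prescription "
    "needed. Order now: http://a1b2c3.info/rx\n\nquartz lantern 8831 verbose meadow",
    "Best prices on VIAGRA and CIALIS! Free worldwide shipping, no prescription "
    "needed. Order now: http://zz9q.biz/rx\n\nmarble 19 cascade tulip 7702",
    "Best prices on VIAGRA and CIALIS! Free worldwide shipping, no prescription "
    "needed. Order now: http://kkd7.cn/rx\n\nhelix 4410 saffron ridge",
    "Your invoice #4471 is attached. Please review and confirm receipt.",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def exact_hash(message):
    """Naive signature: hash of the raw body. Any hashbuster change defeats it."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def call_to_action_domains(message):
    """Hostnames of the URLs in a message: the part that rotates every 15 minutes."""
    hosts = (urlparse(url).hostname for url in URL_RE.findall(message))
    return {h.lower() for h in hosts if h}


def tokens(message):
    """Lower-case words with every URL collapsed to one placeholder and digits
    dropped, so neither the rotating domain nor numeric hashbusters add features."""
    text = URL_RE.sub(" <url> ", message.lower())
    return re.findall(r"[a-z<>]+", text)


def shingles(message, k=3):
    """Set of word k-grams; the advertisement shares most of them across mutations."""
    words = tokens(message)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_by_template(messages, threshold=0.5):
    """Greedy single-pass clustering: a message joins the first cluster whose
    representative shares at least `threshold` of its shingles, otherwise it
    starts a new cluster. Returns lists of message indices."""
    clusters = []  # (representative shingle set, member indices)
    for idx, message in enumerate(messages):
        sig = shingles(message)
        for representative, members in clusters:
            if jaccard(sig, representative) >= threshold:
                members.append(idx)
                break
        else:
            clusters.append((sig, [idx]))
    return [members for _, members in clusters]


if __name__ == "__main__":
    print("distinct exact hashes:", len({exact_hash(m) for m in SAMPLE_SPAM[:3]}))
    print("template clusters:", cluster_by_template(SAMPLE_SPAM))
    for m in SAMPLE_SPAM[:3]:
        print("call-to-action domain(s):", call_to_action_domains(m))
```

The three pharma mutations get three different exact hashes but share the 13 shingles of the advertisement, so they land in one cluster while the invoice message does not; the domains collected per cluster are the feed a blocklist or URL-reputation system would consume.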

Page 12

Zombie Population by Country: [chart]

Zombie Population by Network:

Rank  Network Owner                        Country  % of spam
   1  Telefonica de Espana                 Spain    6.7%
   2  France Telecom                       France   4.3%
   3  Proxad                               France   3.4%
   4  Telecom Italia                       Italy    2.6%
   5  Deutsche Telekom AG                  Germany  2.2%
   6  Cableuropa - ONO                     Spain    2.2%
   7  Telemar Norte Leste S.A.             Brazil   1.8%
   8  Wanadoo France                       France   1.7%
   9  Telefonica de Espana SAU             Spain    1.7%
  10  TELECOMUNICACOES DE SAO PAULO S.A.   Brazil   1.7%

Top 10: 28% of spam
Top 25: 50% of spam

Page 13

• Pharma Sites (9)
  My Canadian Pharmacy
  International Legal RX
  US Drugs
  Super Viagra
  Viagra Pro
  Generic Viagra
  Cialis Soft Tabs
  Viagra Soft Tabs
  Maxaman

• Other Sites (6)
  Virility Patch
  Super HGH (flash)
  SpermaMax
  My Replica Rolex
  Exclusive Caviar Online
  Double Your Dating


Page 18

1592 Wilson Avenue
Toronto, ON M3L 1A6

Page 19

18 more fraudulent elements, including:

• Fake certificate
• "All orders are received via a secure server" - no HTTPS
• Fake VeriSign logo
• Fake BBB logo
• Fake PharmacyChecker rating
• Fake Canadian International Pharmacy Association (CIPA) license number
• Fake "Verified by Visa" logo
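Two of the elements above can be checked mechanically: whether an order form that collects card data actually submits over HTTPS, and whether a trust seal links back to the organization it claims to come from. The following Python is an added example, not the presentation's code, that audits a page's HTML for both. The sample pages, the KNOWN_SEALS mapping of seal keywords to expected domains, and the field-name patterns are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed order page (not the real site's HTML): claims a secure server but
# posts card details over plain HTTP, and shows trust seals that are either
# unlinked or link back to the shop itself.
SAMPLE_PAGE = """
<html><body>
<p>All orders are received via a secure server.</p>
<form action="http://orders.example/checkout" method="post">
  <input name="cc_number"> <input name="cc_exp"> <input type="submit" value="Buy">
</form>
<img src="/img/verisign_secured.gif" alt="VeriSign Secured">
<a href="http://orders.example/bbb.html"><img src="/img/bbb.gif" alt="BBB Accredited"></a>
<img src="/img/verified_by_visa.png" alt="Verified by Visa">
</body></html>
"""

# Constructed page that passes: HTTPS form, seal linked to the issuer's domain.
CLEAN_PAGE = """
<form action="https://orders.example/checkout" method="post"><input name="cc_number"></form>
<a href="https://www.bbb.org/profile/1234"><img alt="BBB Accredited" src="/bbb.gif"></a>
"""

# Seal keyword -> domain a genuine, clickable seal should lead to. The mapping is
# an assumption for this example; real seal programs have their own verify URLs.
KNOWN_SEALS = {
    "verisign": "verisign.com",
    "bbb": "bbb.org",
    "visa": "visa.com",
    "pharmacychecker": "pharmacychecker.com",
}

SENSITIVE_FIELD = re.compile(r"cc|card|cvv|expir|pass", re.IGNORECASE)


class OrderPageParser(HTMLParser):
    """Collects page text, forms with their input names, and images together
    with the href of the enclosing <a>, if any."""

    def __init__(self):
        super().__init__()
        self.text, self.forms, self.images = [], [], []
        self._form = None
        self._hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._hrefs.append(a.get("href"))
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a.get("name") or "")
        elif tag == "img":
            label = a.get("alt") or a.get("src") or ""
            self.images.append({"label": label, "href": self._hrefs[-1] if self._hrefs else None})

    def handle_endtag(self, tag):
        if tag == "a" and self._hrefs:
            self._hrefs.pop()
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def audit(html, page_url):
    """Return a list of findings for a page fetched from page_url."""
    parser = OrderPageParser()
    parser.feed(html)
    findings = []
    claims_secure = "secure server" in " ".join(parser.text).lower()

    for form in parser.forms:
        action = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        sensitive = [n for n in form["fields"] if SENSITIVE_FIELD.search(n)]
        if sensitive and urlparse(action).scheme.lower() != "https":
            note = f"form {action} collects {sensitive} without HTTPS"
            if claims_secure:
                note += " while the page claims a 'secure server'"
            findings.append(note)

    for image in parser.images:
        key = image["label"].lower().replace(" ", "")
        for needle, domain in KNOWN_SEALS.items():
            if needle in key:
                host = (urlparse(image["href"] or "").hostname or "").lower()
                if host != domain and not host.endswith("." + domain):
                    findings.append(f"seal '{image['label']}' does not link to {domain} (href={image['href']})")
                break
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, "http://orders.example/order.html"):
        print("-", finding)
```

On the constructed page this yields four findings: the card form posting over HTTP despite the "secure server" text, and three seals (VeriSign, BBB, Visa) that are plain images or link back to the shop rather than to the issuer. A seal that is just a GIF is exactly what a fraudulent site copies; a genuine one is normally clickable and resolves on the issuer's domain.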

Page 20

DNSstuff.com
Mastercard
Latin American and Caribbean IP address Regional Registry
New World Network
University of CA San Diego
Compass Communications, Inc.
Korax Online Inc.
Verizon Internet Services Inc.
IronPort Systems, Inc.
SuperNews
The Internet Channel
MOREnet
CrystalTech Web Hosting Inc.
HickoryTech Corporation
AT&T WorldNet Services
VISA INTERNATIONAL
Level 3 Communications, Inc.
US Dept of Justice
NTT America, Inc.
FBI Criminal Justice Information Systems
FBI Academy
XO Communications
Pfizer Inc.
Level 3 Communications, Inc.
Savvis
American Digital Network
Drug Enforcement Administration (DEA)
Health and Human Services (FDA)

Page 21

1. Registered domain bigamousetract.info
   Registered with 1-877namebid.com
   Registered by Tobyann Ellis in Longview, WA
   +68 phone number
   dublin.com email

2. DNS servers
   'NS' records point to DNS servers in Taiwan, Spain, US, Brazil
   'A' record for the web server points to a Korean Telecom IP

3. Web server
   bigamousetract.info server on the Korean Telecom network
   Web site images from Brazil, Slovenia, France, Greece, Netherlands
   Spammers obfuscate the web site connection using redirectors, framing, scripting, zombie proxies

4. Using "Fast Flux"
   IP addresses for web and DNS servers change every five minutes
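A fast-flux network shows up in resolver data as a name whose addresses keep changing across unrelated networks under a short TTL, which is what the five-minute rotation above produces. The following Python is an added example, not part of the presentation, of a heuristic that scores a name from a log of DNS observations. The observations, the names flux.example and static.example, the use of /16 blocks as a stand-in for ASN or country lookups, and the thresholds in is_fast_flux are all constructed assumptions for this example.

```python
import ipaddress
from collections import namedtuple

# One DNS observation: seconds since monitoring began, queried name, record
# type, the address returned (for NS the resolved nameserver address), and TTL.
Observation = namedtuple("Observation", "t name rtype value ttl")

# Constructed sample data (not taken from the presentation). flux.example rotates
# its A record across unrelated address blocks every five minutes with a short
# TTL; static.example resolves to one address with a long TTL. Addresses come
# from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    Observation(0,    "flux.example", "A",  "203.0.113.10",  300),
    Observation(300,  "flux.example", "A",  "198.51.100.77", 300),
    Observation(600,  "flux.example", "A",  "192.0.2.45",    300),
    Observation(900,  "flux.example", "A",  "203.0.113.201", 300),
    Observation(1200, "flux.example", "A",  "198.51.100.9",  300),
    Observation(0,    "flux.example", "NS", "192.0.2.53",    300),
    Observation(600,  "flux.example", "NS", "198.51.100.53", 300),
    Observation(0,    "static.example", "A",  "192.0.2.200", 3600),
    Observation(3600, "static.example", "A",  "192.0.2.200", 3600),
    Observation(7200, "static.example", "A",  "192.0.2.200", 3600),
    Observation(0,    "static.example", "NS", "192.0.2.53",  3600),
]


def summarize(observations, name):
    """Aggregate the observations for one name into the features a fast-flux
    heuristic looks at: how many distinct addresses and /16 blocks the web
    server and its nameservers used, how often the A record changed, and the
    shortest TTL seen."""
    rows = sorted((o for o in observations if o.name == name), key=lambda o: o.t)
    a_rows = [o for o in rows if o.rtype == "A"]
    ns_rows = [o for o in rows if o.rtype == "NS"]
    a_ips = {o.value for o in a_rows}
    ns_ips = {o.value for o in ns_rows}
    # /16 blocks stand in for network diversity; a real pipeline maps to ASN/country.
    blocks = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in a_ips | ns_ips}
    changes = sum(1 for prev, cur in zip(a_rows, a_rows[1:]) if prev.value != cur.value)
    window = a_rows[-1].t - a_rows[0].t if len(a_rows) > 1 else 0
    return {
        "name": name,
        "distinct_ips": len(a_ips),
        "distinct_ns_ips": len(ns_ips),
        "distinct_blocks": len(blocks),
        "changes_per_hour": changes * 3600 / window if window else 0.0,
        "min_ttl": min(o.ttl for o in rows) if rows else None,
    }


def is_fast_flux(summary, min_ips=3, min_blocks=2, max_ttl=900):
    """Thresholds are illustrative assumptions: several addresses in several
    unrelated blocks, advertised with a TTL short enough to rotate them quickly."""
    return (
        summary["distinct_ips"] >= min_ips
        and summary["distinct_blocks"] >= min_blocks
        and summary["min_ttl"] is not None
        and summary["min_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for name in ("flux.example", "static.example"):
        s = summarize(OBSERVATIONS, name)
        print(name, s, "-> fast flux" if is_fast_flux(s) else "-> stable")
```

The name that rotates shows five addresses in three blocks at twelve changes per hour with a 300-second TTL and is flagged; the stable name shows one address, no changes and a one-hour TTL and is not. Feeding a passive-DNS log into summarize gives the same features for every name seen, which is how the "changing every five minutes" observation on the slide would be made at scale.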

Page 22

"Sorry, but we can't process your credit card right now. Sales manager will contact you in 24 hours. If you don't want to wait for sales manager, you may try to make a purchase using another credit card. Thank you!"


Page 24

• Messages from hosting company Intercage.com

• Intercage located at:
  1955 Monument, #236
  Concord, CA, USA

• Long history of spam and malware support
  250 domains hosting "CoolWebSearch" exploits
  WMF exploit hosting
  Phishing support


Page 26

Server located in San Jose, CA


Page 31

"Substances found are typical tablet Matrix (i.e. Palmitic acid, Stearic acid, Etc.). No other drugs, pharmaceutical or Controlled substances found."

Note: Subsequent orders were shipped from Shanghai, China and contained the active ingredient. We believe the manufacturer was replaced.


Page 34

• Investigated credit card merchant account
  Unable to obtain any details
  $84.95 refunded to my credit card

• Second order placed
  Received 10 Pfizer-branded pills from Shanghai, China
  New shipping and packing method
  Contained full active ingredient

Page 35

• Estimated at $150M/year

• Monitored a "zombie proxy" and counted the number of credit card transactions per hour

• Comparables: Christopher Smith (rizler) profits > $20M

• Confirmed with law enforcement and Spamhaus


Page 37

[Diagram: Storm botnet life cycle]

1. Recruitment spam
2. Storm is born
3. School
4. Job: spamming
5. Super node

Spam engines (SMTP); landing pages (HTTP)


Page 39

• Storm has sent a number of spam campaigns, including:
  Phishing of financial institutions
  Mule recruitment spam
  Pump-and-dump stock market manipulation image spam
  Pump-and-dump stock market manipulation MP3 audio spam
  Pharma spam for Canadian Pharmacy

• The vast majority of Storm spam has been for Canadian Pharmacy


Page 42

• Many theories about the relationship between Storm and pharma spam

• A capacity issue unveiled the primary relationship

Page 43

• The SpamIt.com service manages spam domains and fulfillment
  Registers spamvertised domains, creates DNS records, NS servers, web sites
  Botnet owners using the SpamIt service receive a feed of live spam sites

• The Storm botnet retrieved its list of domains from this feed but, because of a capacity issue, received this error message instead:

  "The system is temporary busy, try to access it later. No data can be lost."

• Storm used this string and other web site boilerplate in the spam

• Proven link between Storm, SpamIt.com and Canadian Pharmacy


Page 45

Documentation excerpt for configuring web sites:

"We take care of their entire shopping experience: fulfillment, customer service, and shipping, and we track the sales generated from your site."

Page 46

Source: Joe Stewart, SecureWorks

Page 47

• Modeled after distributed computing.

• Spam as a Service.

• Web user interface made bot spamming accessible to anyone.

• Responsible for 50-60% of global spam.

• McColo black-hat data centre in a San Jose office building.

• Strong ties to SpamIt.com.

• Disconnected by upstream network service providers.


Page 50

[Chart: monthly values from Dec-05 to Jan-07, y-axis 0 to 400]

Page 51

• The botnet formerly known as Storm.

• Notorious SpamIt.com affiliate.

• Taken down with legal and technical measures.

Page 52

• Database leaked to law enforcement and industry.

• Ceased operations on October 1, 2010.

• Russian police press charges against owner, Gusev.

Page 53

• Ceased spamming between September 20 and 23.

• Shutdown coincided with the SpamIt.com shutdown notice.

• Cisco SIO observed a spike in IPS events after the shutdown.

Page 54

• Operated by Georg Avanesov.

• Arrested in Armenia in October 2010.

• Alleged SpamIt.com affiliate and botnet reseller.

Page 55

• Operated by Oleg Nikolaenko.

• Alleged SpamIt and SanCash affiliate.

• Arrested in Las Vegas on November 4, 2010.

• Charged with felony CAN-SPAM violations and mail fraud.

• Pled "Not Guilty" and held without bail.

Page 56

[Chart: All Spam vs. Pharma, monthly from Jun-06 to Nov-06, y-axis 0 to 350. Source: IronPort's Spam Collection and SenderBase.org]


Page 58

• 2 pharma affiliates remain.

• Grum and Lethic
  Last two major botnets sending pharma and replica spam.

• Cutwail
  Focused on social engineering-based viral attacks.
  Targets enterprise users, finance departments in particular.

Page 59

• High-volume spam will soon end.

• Delivered spam volumes will not change.

• Botnets monetized in more subtle ways.

• Fake anti-virus software.

• Rockphish/Avalanche gang gave up phishing for Zeus.

• Email attacks are becoming more targeted.

• More small-scale attacks aimed at high-value targets.

Page 60

Thank you.