henry stern - turning point on war on spam - atlseccon2011

Post on 07-Feb-2017


Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved.

Spam after “My Canadian Pharmacy”

Henry Stern, Senior Security Researcher


[Chart omitted: time series with a y-axis running from 0 to 450. Source: SenderBase.org]


• Leading pharmaceutical affiliate program, SpamIt.com, shuts down abruptly. The Rustock botnet simultaneously ceases activity.

• “Al Capone”-style takedown by Russian police.

• Kommersant: Despmedia netted $120m since 2007. Owner, Gusev, received $2m in revenues.

The New York Times, “E-Mail Spam Falls After Russian Crackdown.” October 26, 2010.


• Spammers

Botnets: Reactor Mailer, Rustock, Storm/Waledac, Mega-D, Grum, Lethic

Deliver messages to massive address lists.

Purchase domain names and host landing pages.

• Affiliate Programs

GlavMed (SpamIt.com), RX-Promotion (Chronopay), SanCash, Bulker.biz

Host back-end order processing systems.

Provide customer support.

Pay high commissions to spammers.

• Fulfillment

Based in India and China.

Mail fake or generic pills to customers.


Bulker.biz - MyCanadianPharmacy

• This investigation begins with a massive spam attack for “MyCanadianPharmacy” and tracks the spam back through the pharma supply chain

GlavMed - Storm Botnet and SpamIt.com

This investigation begins with the Storm botnet and its “Canadian Pharmacy” spam and traces the botnet and spam back to GlavMed, the supply chain organization.

Bonus: Reactor Mailer Botnet

The largest capacity spam botnet ever.


[Annotated spam sample: “Advertisement”; Call to Action URL; Advertising; Pharmaceutical Web Site; “Hashbuster” text]


• 20 Billion Spam Attack in Two Weeks

1.5 billion messages per day

• Spam Trickery

2000 unique spam content mutations

New Content every 12 minutes

1500 unique domains used

New “Call to Action” domain every 15 minutes


Zombie Population by Network (Zombie Population by Country chart omitted)

Rank  Network Owner                        Country  Count %
   1  Telefonica de Espana                 Spain    6.7%
   2  France Telecom                       France   4.3%
   3  Proxad                               France   3.4%
   4  Telecom Italia                       Italy    2.6%
   5  Deutsche Telekom AG                  Germany  2.2%
   6  Cableuropa - ONO                     Spain    2.2%
   7  Telemar Norte Leste S.A.             Brazil   1.8%
   8  Wanadoo France                       France   1.7%
   9  Telefonica de Espana SAU             Spain    1.7%
  10  TELECOMUNICACOES DE SAO PAULO S.A.   Brazil   1.7%

Top 10: 28% of spam

Top 25: 50% of spam


• Pharma Sites (9)

My Canadian Pharmacy

International Legal RX

US Drugs

Super Viagra

Viagra Pro

Generic Viagra

Cialis Soft Tabs

Viagra Soft Tabs

Maxaman

• Other Sites (6)

Virility Patch

Super HGH (flash)

SpermaMax

My Replica Rolex

Exclusive Caviar Online

Double Your Dating


1592 Wilson Avenue

Toronto, ON M3L 1A6


18 more fraudulent elements including

Fake Certificate

“All orders are received via a secure server” - No HTTPS

Fake Verisign Logo

Fake BBB Logo

Fake Pharmacy Checker Rating

Fake Canadian International Pharmacy (CIPA) License Number

Fake “Verified by Visa” Logo

DNSstuff.com

Mastercard

Latin American and Caribbean IP address Regional Registry

New World Network

University of CA San Diego

Compass Communications, Inc.

Korax Online Inc.

Verizon Internet Services Inc.

IronPort Systems, Inc.

SuperNews

The Internet Channel

MOREnet

CrystalTech Web Hosting Inc.

HickoryTech Corporation

AT&T WorldNet Services

VISA INTERNATIONAL

Level 3 Communications, Inc.

US Dept of Justice

NTT America, Inc.

FBI Criminal Justice Information Systems

FBI Academy

XO Communications

Pfizer Inc.

Level 3 Communications, Inc.

Savvis

American Digital Network

Drug Enforcement Administration (DEA)

Health and Human Services (FDA)


1. Registered domain bigamousetract.info

Registered with 1-877namebid.com

Registered by Tobyann Ellis in Longview, WA

+68 phone number

dublin.com email

2. DNS servers

“NS” records point to DNS servers in Taiwan, Spain, US, Brazil

“A” record for web server points to Korean Telecom IP

3. Web server

bigamousetract.info server on Korean Telecom network

Web site images from Brazil, Slovenia, France, Greece, Netherlands

Spammers obfuscate web site connection using redirectors, framing, scripting, zombie proxies

4. Using “Fast Flux”

IP addresses for web and DNS servers changing every five minutes
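The fast-flux behaviour described above (server addresses rotating every five minutes across unrelated networks) is something a passive-DNS sensor can measure directly. The following is an added example, not part of the presentation, that scores constructed A-record observations for flux indicators; the domain names, addresses and thresholds are illustrative assumptions, and NS-record churn is left out for brevity.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS observations: (timestamp, domain, rtype, value, ttl).
# The first domain churns its A record every five minutes across unrelated
# /24s with a short TTL; the second resolves to one address with a long TTL.
SAMPLE_OBSERVATIONS = [
    ("2010-10-01T10:00:00", "flux-example.test", "A", "198.51.100.7", 300),
    ("2010-10-01T10:05:00", "flux-example.test", "A", "203.0.113.44", 300),
    ("2010-10-01T10:10:00", "flux-example.test", "A", "192.0.2.91", 300),
    ("2010-10-01T10:15:00", "flux-example.test", "A", "198.51.100.7", 300),
    ("2010-10-01T10:20:00", "flux-example.test", "A", "203.0.113.201", 300),
    ("2010-10-01T10:25:00", "flux-example.test", "A", "192.0.2.15", 300),
    ("2010-10-01T10:00:00", "stable-example.test", "A", "192.0.2.10", 86400),
    ("2010-10-01T12:00:00", "stable-example.test", "A", "192.0.2.10", 86400),
]

def _prefix24(ip):
    """Collapse an IPv4 address to its /24, a crude stand-in for 'same network'."""
    return ".".join(ip.split(".")[:3])

def analyze_flux(observations, min_distinct_ips=4, min_prefixes=3, max_ttl=600):
    """Per-domain flux indicators: many distinct IPs over several /24s with short TTLs."""
    per_domain = defaultdict(list)
    for ts, domain, rtype, value, ttl in observations:
        if rtype == "A":
            per_domain[domain].append((datetime.fromisoformat(ts), value, ttl))
    report = {}
    for domain, rows in per_domain.items():
        rows.sort()
        ips = {v for _, v, _ in rows}
        prefixes = {_prefix24(v) for _, v, _ in rows}
        max_seen_ttl = max(t for _, _, t in rows)
        # Seconds between consecutive answers whose address differs.
        changes = [(b[0] - a[0]).total_seconds()
                   for a, b in zip(rows, rows[1:]) if a[1] != b[1]]
        report[domain] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "max_ttl": max_seen_ttl,
            "avg_seconds_between_changes": sum(changes) / len(changes) if changes else None,
            "flux": (len(ips) >= min_distinct_ips
                     and len(prefixes) >= min_prefixes
                     and max_seen_ttl <= max_ttl),
        }
    return report
```

On the constructed data the fluxing domain is flagged with five addresses over three /24s changing every 300 seconds, while the stable domain is not.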

“Sorry, but we can’t process your credit card right now. Sales manager will contact you in 24 hours. If you don’t want to wait for sales manager, you may try to make a purchase using another credit card. Thank you!”


• Messages from hosting company Intercage.com

• Intercage located at:

1955 Monument, #236

Concord, CA, USA

• Long history of spam and malware support

250 domains hosting “CoolWebSearch” Exploits

WMF exploit hosting

Phishing support

Server located in San Jose, CA

“Substances found are typical tablet Matrix (i.e. Palmitic acid, Stearic acid, Etc.). No other drugs, pharmaceutical or Controlled substances found.”

Note: Subsequent orders were shipped from Shanghai, China and contained the active ingredient. We believe the manufacturer was replaced.

• Investigated credit card merchant account

Unable to obtain any details

$84.95 refunded to my credit card

• Second order placed

Received 10 Pfizer-branded pills from Shanghai, China

New shipping and packing method

Contained full active ingredient


• Estimated at $150M/year

• Monitored “Zombie Proxy” and counted number of credit card transactions per hour

• Comparables - Christopher Smith (rizler) profits > $20M

• Confirmed with law enforcement and SpamHaus

[Diagram: Storm botnet lifecycle. 1. Recruitment Spam; 2. Storm is Born; 3. School; 4. Job: Spamming; 5. Super Node. Components: Spam Engines (SMTP), Landing pages (HTTP)]


• Storm has sent a number of spam campaigns including

Phishing financial institutions

Mule Recruitment Spam

Pump and Dump stock market manipulation image spam

Pump and Dump stock market manipulation MP3 audio spam

Pharma spam for Canadian Pharmacy

• The vast majority of Storm spam has been for Canadian Pharmacy

• Many theories about the relationship between Storm and pharma spam

• A capacity issue unveiled the primary relationship


• Spamit.com service manages spam domains and fulfillment

Registers spamvertized domain, creates DNS records, NS servers, websites

Botnet owners using Spamit service receive feed of live spam sites

• The Storm botnet retrieved a list of domains but received

• Storm used this string and other website boilerplate in the spam

• Proven link between Storm, SpamIt.com and Canadian Pharmacy

“The system is temporary busy, try to access it later. No data can be lost.”

Documentation excerpt for configuring web sites

“We take care of their entire shopping experience: fulfillment, customer service, and shipping, and we track the sales generated from your site.”

Source: Joe Stewart, SecureWorks

• Modeled after distributed computing.

• Spam as a Service.

• Web user interface made bot spamming accessible to anyone.

• Responsible for 50-60% of global spam.

• McColo black-hat data centre in San Jose office building.

• Strong ties to SpamIt.com.

• Disconnected by upstream network service providers.

[Chart omitted: monthly time series from Dec-05 to Jan-07, y-axis from 0 to 400]

• The botnet formerly known as Storm.

• Notorious SpamIt.com affiliate.

• Taken down with legal and technical measures.


• Database leaked to law enforcement, industry.

• Ceased operations on October 1, 2010.

• Russian police press charges against owner, Gusev.


• Ceased spamming between September 20 and 23.

• Shutdown coincided with SpamIt.com shutdown notice.

• Cisco SIO observed a spike in IPS events after shutdown.


• Operated by Georg Avanesov.

• Arrested in Armenia in October 2010.

• Alleged SpamIt.com affiliate and botnet reseller.

• Operated by Oleg Nikolaenko.

• Alleged SpamIt and SanCash affiliate.

• Arrested in Las Vegas on November 4, 2010.

• Charged with felony CAN-SPAM violations and mail fraud.

• Pled “Not Guilty” and held without bail.

[Chart omitted: monthly time series from Jun-06 to Nov-06, y-axis from 0 to 350, two series: All Spam and Pharma. Source: IronPort’s Spam Collection and SenderBase.org]

• 2 pharma affiliates remain.

• Grum and Lethic

Last two major botnets sending pharma and replica spam.

• Cutwail

Focused on social engineering-based viral attacks.

Targets enterprise users, finance departments in particular.


• High-volume spam will soon end.

• Delivered spam volumes will not change.

• Botnets monetized in more subtle ways.

• Fake anti-virus software.

• Rockphish/Avalanche gang gave up phishing for Zeus.

• Email attacks are becoming more targeted.

• More small-scale attacks aimed at high-value targets.

Thank you.
