Henry Stern - Turning Point on War on Spam - AtlSecCon 2011
Post on 07-Feb-2017
Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved.
Spam after “My Canadian Pharmacy”
Henry Stern, Senior Security Researcher
[Chart omitted: y-axis 0.0 to 450.0. Source: SenderBase.org]
• Leading pharmaceutical affiliate program, SpamIt.com, shuts down abruptly. Rustock botnet simultaneously ceases activity.
• “Al Capone”-style takedown by Russian police.
• Kommersant: Despmedia netted $120m since 2007. Owner, Gusev, received $2m in revenues.
The New York Times, “E-Mail Spam Falls After Russian Crackdown.” October 26, 2010.
• Spammers
Botnets: Reactor Mailer, Rustock, Storm/Waledac, Mega-D, Grum, Lethic
Deliver messages to massive address lists.
Purchase domain names and host landing pages.
• Affiliate Programs
GlavMed (SpamIt.com), RX-Promotion (Chronopay), SanCash, Bulker.biz
Host back-end order processing systems.
Provide customer support.
Pay high commissions to spammers.
• Fulfillment
Based in India and China.
Mail fake or generic pills to customers.
Bulker.biz - MyCanadianPharmacy
• This investigation begins with a massive spam attack for “MyCanadianPharmacy” and tracks the spam back through the pharma supply chain
GlavMed - Storm Botnet and SpamIt.com
This investigation begins with the Storm botnet and its “Canadian Pharmacy” spam and traces the botnet and spam back to GlavMed, the supply chain organization.
Bonus: Reactor Mailer Botnet
The largest capacity spam botnet ever.
“Advertisement”
Call to Action URL Advertising
Pharmaceutical Web Site
“Hashbuster” text
• 20 Billion Spam Attack in Two Weeks
1.5 billion messages per day
• Spam Trickery
2000 unique spam content mutations
New Content every 12 minutes
1500 unique domains used
New “Call to Action” domain every 15 minutes
Zombie Population by Network (companion chart “Zombie Population by Country” omitted)
Rank  Network Owner                        Country  Count%
1     Telefonica de Espana                 Spain    6.7%
2     France Telecom                       France   4.3%
3     Proxad                               France   3.4%
4     Telecom Italia                       Italy    2.6%
5     Deutsche Telekom AG                  Germany  2.2%
6     Cableuropa - ONO                     Spain    2.2%
7     Telemar Norte Leste S.A.             Brazil   1.8%
8     Wanadoo France                       France   1.7%
9     Telefonica de Espana SAU             Spain    1.7%
10    TELECOMUNICACOES DE SAO PAULO S.A.   Brazil   1.7%
Top 10: 28% of spam
Top 25: 50% of spam
• Pharma Sites (9)
My Canadian Pharmacy
International Legal RX
US Drugs
Super Viagra
Viagra Pro
Generic Viagra
Cialis Soft Tabs
Viagra Soft Tabs
Maxaman
Other Sites (6)
Virility Patch
Super HGH (flash)
SpermaMax
My Replica Rolex
Exclusive Caviar Online
Double Your Dating
1592 Wilson Avenue
Toronto, ON M3L 1A6
18 more fraudulent elements including
Fake Certificate
“All orders are received via a secure server” - No HTTPS
Fake Verisign Logo
Fake BBB Logo
Fake Pharmacy Checker Rating
Fake Canadian International Pharmacy (CIPA) License Number
Fake “Verified by Visa” Logo
DNSstuff.com
Mastercard
Latin American and Caribbean IP address Regional Registry
New World Network
University of CA San Diego
Compass Communications, Inc.
Korax Online Inc.
Verizon Internet Services Inc.
IronPort Systems, Inc.
SuperNews
The Internet Channel
MOREnet
CrystalTech Web Hosting Inc.
HickoryTech Corporation
AT&T WorldNet Services
VISA INTERNATIONAL
Level 3 Communications, Inc.
US Dept of Justice
NTT America, Inc.
FBI Criminal Justice Information Systems
FBI Academy
XO Communications
Pfizer Inc.
Level 3 Communications, Inc.
Savvis
American Digital Network
Drug Enforcement Administration (DEA)
Health and Human Services (FDA)
1. Registered domain bigamousetract.info
Registered with 1-877namebid.com
Registered by Tobyann Ellis in Longview, WA
+68 phone number
dublin.com email
2. DNS servers
‘NS’ records point to DNS servers in Taiwan, Spain, US, Brazil
‘A’ record for web server points to Korean Telecom IP
3. Web server
bigamousetract.info server on Korean Telecom network
Web site images from Brazil, Slovenia, France, Greece, Netherlands
Spammers obfuscate web site connection using redirectors, framing, scripting, zombie proxies
4. Using “Fast Flux”
IP addresses for web and DNS servers changing every five minutes
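As an added defender-side example (not code from the talk), the following Python applies the fast-flux symptoms listed above, short-TTL A records rotating through unrelated networks alongside rotating NS hosts, to a constructed resolver log. The log lines, the RFC 5737 addresses, the nameserver hostnames and the thresholds are all assumptions, and the /16 prefix is a crude stand-in for an ASN lookup.

```python
from collections import defaultdict

# Constructed resolver log (not from the talk): "<epoch> <qname> <rrtype> <rdata> <ttl>".
# IPs are RFC 5737 documentation addresses; the nameserver hostnames are made up.
SAMPLE_LOG = """\
1000 bigamousetract.info A 203.0.113.10 300
1000 bigamousetract.info NS ns1.flux-example.net 300
1300 bigamousetract.info A 198.51.100.77 300
1300 bigamousetract.info NS ns2.flux-example.net 300
1600 bigamousetract.info A 192.0.2.45 300
1600 bigamousetract.info NS ns3.flux-example.net 300
1900 bigamousetract.info A 203.0.113.200 300
1000 static.example.org A 192.0.2.1 86400
1300 static.example.org A 192.0.2.1 86400
1600 static.example.org A 192.0.2.1 86400
"""

def parse_log(text):
    """Group records as qname -> rrtype -> list of (timestamp, rdata, ttl)."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        ts, qname, rrtype, rdata, ttl = line.split()
        records[qname][rrtype].append((int(ts), rdata, int(ttl)))
    return records

def slash16(ip):
    """Crude stand-in for an ASN lookup: the /16 prefix of an IPv4 address."""
    return ".".join(ip.split(".")[:2])

def flux_profile(rrs, max_ttl=300, min_ips=3, min_nets=2):
    """Profile one name: many distinct IPs, spread across networks, all with short TTLs."""
    a_records = rrs.get("A", [])
    ips = {rdata for _, rdata, _ in a_records}
    nets = {slash16(ip) for ip in ips}
    ttls = [ttl for _, _, ttl in a_records]
    nameservers = {rdata for _, rdata, _ in rrs.get("NS", [])}
    short_ttl = bool(ttls) and max(ttls) <= max_ttl
    return {
        "ips": len(ips),
        "nets": len(nets),
        "nameservers": len(nameservers),
        "max_ttl": max(ttls) if ttls else None,
        "fast_flux": short_ttl and len(ips) >= min_ips and len(nets) >= min_nets,
    }

def detect_fast_flux(log_text):
    """Return a profile per queried name; 'fast_flux' is the heuristic verdict."""
    return {qname: flux_profile(rrs) for qname, rrs in parse_log(log_text).items()}
```

On the sample, the flux domain is flagged (4 IPs across 3 prefixes, TTL 300, 3 nameservers) while the static name with a single address and a day-long TTL is not.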
“Sorry, but we can’t process your credit card right now. Sales manager will contact you in 24 hours. If you don’t want to wait for sales manager, you may try to make a purchase using another credit card. Thank you!”
• Messages from hosting company Intercage.com
• Intercage located at:
1955 Monument, #236
Concord, CA, USA
• Long history of spam and malware support
250 domains hosting “CoolWebSearch” Exploits
WMF exploit hosting
Phishing support
Server located in San Jose, CA
“Substances found are typical tablet Matrix (i.e. Palmitic acid, Stearic acid, Etc.). No other drugs, pharmaceutical or Controlled substances found.”
Note: Subsequent orders were shipped from Shanghai China and contained the active ingredient. We believe the manufacturer was replaced.
• Investigated credit card merchant account
Unable to obtain any details
$84.95 refunded to my credit card
• Second order placed
Received 10 Pfizer-branded pills from Shanghai, China
New shipping and packing method
Contained full active ingredient
• Estimated at $150M/year
• Monitored “Zombie Proxy” and counted number of credit card transactions per hour
• Comparables - Christopher Smith (rizler) profits > $20M
• Confirmed with law enforcement and SpamHaus
[Storm lifecycle diagram: 1. Recruitment Spam; 2. Storm is Born; 3. School; 4. Job: Spamming; 5. Super Node. Roles shown: Spam Engines (SMTP), Landing pages (HTTP)]
• Storm has sent a number of spam campaigns including
Phishing financial institutions
Mule Recruitment Spam
Pump and Dump stock market manipulation image spam
Pump and Dump stock market manipulation MP3 audio spam
Pharma spam for Canadian Pharmacy
• The vast majority of Storm spam has been for Canadian Pharmacy
• Many theories about the relationship between Storm and pharma spam
• A capacity issue unveiled the primary relationship
• Spamit.com service manages spam domains and fulfillment
Registers spamvertized domain, creates DNS records, NS servers, websites
Botnet owners using Spamit service receive feed of live spam sites
• The Storm botnet retrieved a list of domains but received
• Storm used this string and other website boilerplate in the spam
• Proven link between Storm, SpamIt.com and Canadian Pharmacy
“The system is temporary busy, try to access it later. No data can be lost.”
Documentation excerpt for configuring web sites
“We take care of their entire shopping experience: fulfillment, customer service, and shipping, and we track the sales generated from your site.”
From Joe Stewart, SecureWorks
• Modeled after distributed computing.
• Spam as a Service.
• Web user interface made bot spamming accessible to anyone.
• Responsible for 50-60% of global spam.
• McColo black-hat data centre in San Jose office building.
• Strong ties to SpamIt.com.
• Disconnected by upstream network service providers.
[Chart omitted: y-axis 0 to 400, x-axis Dec-05 through Jan-07]
• The botnet formerly known as Storm.
• Notorious SpamIt.com affiliate.
• Taken down with legal and technical measures.
• Database leaked to law enforcement, industry.
• Ceased operations on October 1, 2010.
• Russian police press charges against owner, Gusev.
• Ceased spamming between September 20 and 23.
• Shutdown coincided with SpamIt.com shutdown notice.
• Cisco SIO observed a spike in IPS events after shutdown.
• Operated by Georg Avanesov.
• Arrested in Armenia in October 2010.
• Alleged SpamIt.com affiliate and botnet reseller.
• Operated by Oleg Nikolaenko.
• Alleged SpamIt and SanCash affiliate.
• Arrested in Las Vegas on November 4, 2010.
• Charged with felony CAN-SPAM violations and mail fraud.
• Pled “Not Guilty” and held without bail.
[Chart omitted: series “All Spam” and “Pharma”, y-axis 0 to 350, x-axis Jun-06 through Nov-06. Source: IronPort’s Spam Collection and SenderBase.org]
• 2 pharma affiliates remain.
• Grum and Lethic
Last two major botnets sending pharma and replica spam.
• Cutwail
Focused on social engineering-based viral attacks.
Targets enterprise users, finance departments in particular.
• High-volume spam will soon end.
• Delivered spam volumes will not change.
• Botnets monetized in more subtle ways.
• Fake anti-virus software.
• Rockphish/Avalanche gang gave up phishing for Zeus.
• Email attacks are becoming more targeted.
• More small-scale attacks aimed at high-value targets.
Thank you.