Wednesday, November 11, 2009

Other Researchers: Spamit + Glavmed Still The #1 Affiliate Program for Criminal Spammers

In late September a very clear, concise and damning report was released and presented at the 2009 Virus Bulletin Conference in Geneva, Switzerland. You can download a copy, and I strongly recommend you do. It explains not only how Spamit / Glavmed work, but also speaks to the prominent place email spamming holds in Russian culture. Note that the author chose to use the name "Glavmed" since it was the public-facing name and was easily found.

Since that time, M86, a very well-known internet security company, has written a followup report [available here] which, drawing on both that report and M86's own statistical analysis of ongoing spam trends, makes it clear that Glavmed / Spamit and their by-now extremely well known "Canadian Pharmacy" brand are easily the #1 affiliate group for criminal spammers, accounting for 60-70% of all spam sent anywhere in the world today.

M86 also draws connections between spam promoting Glavmed / Spamit products and virtually every single known botnet presently operating.

Prior to this, in July 2009, at a Cisco event in Thailand [details here] a report was presented by Navneet Singh, a Product Manager for Ironport, entitled "HTTP, Browsers And Web 2.0 -- A Criminal's Dream" [pdf], in which Spamit is specifically linked to:

  • Glavmed (and this is important, since Glavmed repeatedly deny any connection whatsoever.)
  • SQL injection attacks against public web servers for the purposes of redirecting to "Canadian Pharmacy" websites
  • Connections between Storm Worm infections and the spamming of "Canadian Pharmacy" websites
  • Yet another assertion that "Canadian Pharmacy" represents the majority of criminal spam in the world today.

They also offer some insight into how both Spamit and Glavmed's affiliate programs work, and how much money can be made as an affiliate of either group.

These reports are some of the most meticulously compiled evidence so far regarding Spamit and Glavmed, and especially damning since one of them now makes a very clear case that they are the same organization.

More and more security operations are paying attention to this story, which may indicate that more pressure will eventually be brought to bear against this group.

As I come across further evidence I will of course post it here.

SiL / IKS / concerned citizen

Friday, September 4, 2009

Spamit and the Russian Business Network

Over the years I have been researching Spamit, I have read numerous reports, many by highly competent researchers, which implicate a group known as the Russian Business Network with many of the spamming activities associated with Spamit. Typically the mention of Canadian Pharmacy spamming activity is sort of a postscript, not the main focus, since these reports instead try to establish their complicity with server hijacks and the operation of one or more botnets for a variety of purposes, among them the illegal spamming on behalf of Canadian Pharmacy / Spamit.

A separate independent researcher, whose focus is botnets and their use by criminal groups, has drawn some interesting conclusions about the connections between the activities of certain botnets, their network setup and command and control, and who may be responsible for this activity. He runs a blog known as "RBNExploit" whose research is specifically focused on the RBN and its criminal activity. Unsurprisingly, Canadian Pharmacy makes an appearance in his research.

Here is the report this investigator posted to his blog back in August 2008:

RBN - Georgia Cyberwarfare – Attribution & Spam Botnets

In this particular posting, he makes specific reference to a Mr. Andrej Smirnov, who I have referenced previously in my other blog devoted to reporting on ongoing criminal spam activity. Since writing that posting (in February 2009), Mr. Smirnov commented on my blog and also contacted me directly, wishing to distance himself and his affiliate program known as "Glavmed" from the operations of Spamit.

Smirnov still insists that these are distinct groups, and that Glavmed is "perfectly legitimate", selling "real drugs, the same as the ones you buy from Pfizer" to consumers who genuinely need them. I am not going to comment on Mr. Smirnov, but suffice it to say they have no pharmacists on staff, they never ask for any patient information, and they in fact are in violation of numerous FDA restrictions, since the drugs they sell are manufactured in India and then exported to the US.

This RBN blogger was specifically reporting on the attacks which were occurring at that time against websites and network infrastructure within Georgia. He claimed that both Smirnov and a Mr. Alexandr A. Boykov of Saint Petersburg, Russia were among the "first strike" attackers of that infrastructure. He provides evidence derived from analysis of attack traffic at the time, and also references further researchers.

A couple of quotations:

Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.

Another very well-known cyber security researcher who runs the spam blog "Silent Noise" has also discovered a relationship between the RBN and Canadian Pharmacy:

From Canadian Pharmacy to scareware to RBN?

He receives a spam message which (as previously mentioned) points to a hijacked web server for the purposes of redirection to a Canadian Pharmacy website:

The file atop.html is only redirecting to another Canadian Pharmacy site, peacefulhard.com.

He does some further digging on that server:

Some of the code found in several of the files were a bit more interesting, like this one:

h||p://91.203.93. 49/cgi-bin/index.cgi?user3

That is UATELECOM/ZHITOMIR-NET and it timed out for me.
But searching for that IP showed some hits, like this one from malwaredomainlist.com, from October 2008:

malwarefront. info/cgi-bin/index.cgi?user1    91.203.93.49    -    Exploits    malwarefront@hotmail.com

Which means that last October a domain called malwarefront.info was living at that IP.
So I had a walk over there, now malwarefront. info lives at 91.211.64.180, Ural-NET/Ural Industrial Limited Company.

This is a well known range of fake "Anti Malware" software.

One further supporting story, based on research performed by IronPort in June 2008 in relation to Canadian Pharmacy:

IronPort Research Discovers Links Between Malware Originators and Illegal Online Pharmaceutical Supply Chain

IronPort(R) Systems, a leading provider of enterprise spam, virus and spyware protection, and now part of Cisco (NASDAQ: CSCO), today announced that recent research has identified a link between originators of malware, such as Storm, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting their websites.

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."

That research in particular pinpointed the renowned "Storm worm" botnet as being used by someone from Canadian Pharmacy / Spamit.

It is important to note that the question of which botnet was used for mailing is often misleading, and the individuals behind these operations know this.

I will refer to an entry I made around a year or so ago on the SpamTrackers Wiki regarding the overall infrastructure of a typical pharmacy spam setup, based on many years of research:

Spammer Economy and Infrastructure

I think it's important to keep that particular article in mind whenever one discusses a criminal spam operation. They have purposely created a setup that is custom-built to throw any researcher off the scent. Any individual mailer (spammer) can send mail on behalf of any affiliate group (e.g. Spamit) to promote any website property they choose (e.g. Canadian Pharmacy) and do so using whichever botnet they pay to lease time on (one of which can be the Storm botnet).

That is unfortunately often mistaken to mean that Spamit = Storm worm. It may be true. It may not. We will possibly never know. But it's enough to know that their use of any botnet is not legal, and the sites they promote in this case are not legal, and that the Storm botnet is among the botnets in use by one or more of their mailers. This changes over time of course, because new mailers come and go, and their ability to afford the use of one or another botnet for any period of time will fluctuate.

I am not claiming any opinion on these other connections at this time, because there are too many individual operatives which might all be working for themselves, only a few of whom would be directly related to Canadian Pharmacy.

But if you do enough reading, and especially if you read the white papers released by these extremely professional researchers regarding malware, botnets and overall cyber security, you begin to see the same statements:

- Botnets
- Which are used to send spam
- Leading to hacked web servers
- Redirecting you to a Chinese-hosted site with fake contact information in their WHOIS record
- Presenting you a Canadian Pharmacy website.

You also see:

- Lots of other infection vectors associated with these hacked web servers, for the purpose of trying to get your Windows PC to join whichever of the botnets is being used directly by Canadian Pharmacy operatives.

I welcome further detail from these researchers, because too many reports draw too many non-specific conclusions, and / or unknowingly cause confusion regarding which bad actors are actually involved.

I will post more as time allows. Right now I am just trying to build a sequential listing of their technical infrastructure, and how it feeds into their ongoing criminal activities.

SiL / IKS / concerned citizen

Further Reading:

• I Kill Spammers - Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA
• Spamhaus ROKSO Listing for RBN
• RBN Exploit Blog
• The Economist: A Walk On The Dark Side

Tuesday, September 1, 2009

SpamIt Criminal Evidence: An introduction.

Hello and welcome to my third blog documenting evidence specifically regarding Spamit.com / Spamit.ru / Spamit.biz, and of course their renowned properties:

  • Canadian Pharmacy
  • Canadian Healthcare

Here are some links to further reading regarding each of these items:

Spamtrackers Wiki: Spamit
Spamtrackers Wiki: Canadian Pharmacy

Canadian Healthcare was a relatively recent addition to their spammable properties; as such, a new entry is needed for the Spamit version of it, since "Canadian Healthcare" was previously a SanCash or Affking property from 2007 through 2008.

Today's evidence, which I fully expect to keep amassing over the next weeks and months until the ISPs hosting these sites wake up and patch their Apache installs, is a series of hacked public websites which Spamit operatives have chosen to hijack and use within their spam campaigns:

http://assistbc.co.nz/ntaqc.html
http://193.86.3.170/~lattner/k.html
http://przetwornice.cp5.win.pl/safemodifypils.html?oHNhw
http://www.zipzapnet.com.br/safemodifypils.html
http://abambae.com.br/safemodifypils.html

In each case, an exploit has been run against the domain to allow the upload of a single HTML file, which is then used in a widespread spamming campaign to promote the well-known Canadian Pharmacy website.

Here is where each of these redirects us, respectively:

http://qajtogap.cn/
http://guzjacix.cn/
http://railhill.com/
http://markvary.com/
http://aceamong.com/

Canadian Pharmacy is, of course, one great big lie. It is not Canadian, it's not hosted in Canada (sites are registered and hosted in China), the pills you buy from it are not from Canada (they're from India, made in a substandard and illicit factory) and the owners and operators are not from Canada (they're from Russia or Ukraine) nor do they reside or operate businesses within Canada.

Each of those domains is hosted on what is known as a "fast flux" botnet platform. Each of the IP addresses the domains resolve to is known to be infected with some form of trojan which allows the sites to be hosted whether the computer owner is aware of this or not.

For each of the ".cn" domains, there is no contact information posted within the WHOIS record. This is a violation of ICANN registrar regulations regarding the appropriate registration of any domain name.

For each of the ".com" addresses, there is contact information, however it is provably fake. This is a further violation of ICANN registrar regulations regarding the appropriate registration of any domain name.
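As an added example (not from this blog, nor from any of the researchers it cites), the following Python script shows the two checks a defender or abuse analyst would run on URLs like the ones listed above: first, extracting the destination from a planted redirect page of the kind uploaded to the hacked servers, and second, scoring repeated DNS answers for the destination hostname for the fast-flux traits the post describes (many addresses, spread across networks, rotating on short TTLs). The page, the hostnames, the DNS answers and the decision thresholds are all constructed placeholders for the example; a real investigation would feed in captured pages and a series of live A lookups.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address, ip_network
from urllib.parse import urljoin, urlsplit

# ---- 1. Where does a planted redirect page send the visitor? -------------
# URL inside <meta http-equiv="refresh" content="0; url=...">
META_REFRESH_URL = re.compile(r'url\s*=\s*["\']?([^"\'>\s]+)', re.I)
# JavaScript redirects: location = "...", location.href = "...", location.replace("...")
JS_LOCATION_URL = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\()\s*["\']([^"\']+)["\']', re.I)


class _RedirectFinder(HTMLParser):
    """Collects redirect destinations from meta-refresh tags and inline scripts."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(attrs.get("content") or "")
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self.targets.extend(JS_LOCATION_URL.findall(data))


def redirect_targets(page_html, page_url):
    """Absolute URLs the planted page forwards to, de-duplicated, in document order."""
    finder = _RedirectFinder()
    finder.feed(page_html)
    finder.close()
    seen, out = set(), []
    for target in finder.targets:
        absolute = urljoin(page_url, target)
        if absolute not in seen:
            seen.add(absolute)
            out.append(absolute)
    return out


# ---- 2. Does the destination host behave like a fast-flux name? ----------
def flux_indicators(lookups):
    """Summarise successive A-record answers for one hostname.

    lookups: list of (ttl_seconds, [ipv4 strings]) in query order.
    """
    if not lookups:
        raise ValueError("need at least one lookup")
    answer_sets = [{str(ip_address(ip)) for ip in answers} for _ttl, answers in lookups]
    all_ips = set().union(*answer_sets)
    # No ASN data offline, so distinct /16 prefixes stand in for network diversity.
    prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in all_ips}
    # Churn: share of each answer set that is new versus the previous answer (1.0 = all new).
    churn = [1 - len(a & b) / len(a | b) for a, b in zip(answer_sets, answer_sets[1:]) if a | b]
    return {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(ttl for ttl, _ in lookups),
        "answer_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def looks_fast_flux(ind, min_ips=5, min_prefixes=3, max_ttl=300, min_churn=0.5):
    """Assumed thresholds: many IPs over several networks, short TTL, answers that keep changing."""
    return (ind["distinct_ips"] >= min_ips and ind["distinct_prefixes"] >= min_prefixes
            and ind["min_ttl"] <= max_ttl and ind["answer_churn"] >= min_churn)


def assess_campaign(page_html, page_url, lookups_by_host):
    """Map each redirect destination to its flux indicators (None if no lookups were supplied)."""
    report = {}
    for target in redirect_targets(page_html, page_url):
        lookups = lookups_by_host.get(urlsplit(target).hostname)
        if lookups is None:
            report[target] = None
            continue
        ind = flux_indicators(lookups)
        ind["fast_flux"] = looks_fast_flux(ind)
        report[target] = ind
    return report


# Constructed sample data: placeholder hostnames and documentation-range addresses, not real infrastructure.
PLANTED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://pharma-flux.example/?ref=k">
</head><body><script type="text/javascript">
window.location.href = "http://pharma-flux.example/?ref=k";
</script></body></html>"""
PLANTED_URL = "http://compromised-host.example/~user/k.html"
FLUX_LOOKUPS = [  # fresh addresses on every query, three networks, 3-minute TTL
    (180, ["203.0.113.5", "198.51.100.17", "192.0.2.44"]),
    (180, ["203.0.113.9", "198.51.100.81", "192.0.2.130"]),
    (180, ["203.0.113.77", "198.51.100.3", "192.0.2.9"]),
]
STABLE_LOOKUPS = [  # an ordinarily hosted site: same two addresses, one-hour TTL
    (3600, ["203.0.113.10", "203.0.113.11"]),
    (3600, ["203.0.113.10", "203.0.113.11"]),
    (3600, ["203.0.113.11", "203.0.113.10"]),
]

if __name__ == "__main__":
    for target, ind in assess_campaign(PLANTED_PAGE, PLANTED_URL,
                                       {"pharma-flux.example": FLUX_LOOKUPS}).items():
        print(target, ind)
```

On the sample data the planted page yields one destination, and its lookups score 9 distinct addresses over 3 prefixes with a 180-second TTL and 100% answer churn, so it is flagged; the stable site (2 addresses, 1 prefix, 3600-second TTL, no churn) is not. The /16-prefix proxy and the thresholds are the weak points of the heuristic: in practice the prefixes would be replaced with ASN lookups, and the thresholds tuned against known-good hosts, since large CDNs also return many addresses on short TTLs but with far less churn across networks.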

This posting's evidence:

1) Hacking of computers they do not own, and never have owned.
2) Lying throughout their sites
3) Selling dangerous pairings of pharmaceuticals which can have severe health effects for consumers.
4) Using maliciously infected home users' computers to provide them with "free" hosting for each of their domains.
5) Each of their domains is registered either using no contact information, or using fake contact information.

Each of these on its own is a serious offense. All of them together is willful misconduct and a serious danger to the public.

Don't buy products from these criminals. They are lying to you, and you are funding criminal activity.

Spamit must fall!

SiL / IKS / concerned citizen.