Wednesday, March 3, 2010

March 2010 Spamit / Canadian Pharmacy Update

As many of you may be aware, many more media outlets and independent security researchers have also begun identifying Spamit and Glavmed as a source of not only a ridiculous amount of illegal pharmacy spam, but also a broad swath of criminal abuse of third-party servers, and a key recipient of promotion via not one but a variety of criminally-operated botnets.

My updates to this blog have been sporadic simply because I am in evidence-gathering mode. Fortunately, my blog is not the only one keeping an eye on this group of criminals.

Here's a roundup of the past several months of publicly disclosed evidence which refer directly to "Canadian Pharmacy", Spamit and Glavmed.

M86 Security Labs: SpamIt.com leaves its footprints [Feb. 22, 2010]

SpamIt.com is a secretive, invitation-only, group of email spam affiliates closely linked to GlavMed, which in turn is responsible for one of the largest and oldest affiliate programs called "Canadian Pharmacy". Recently, Canadian Pharmacy has been the dominant spammed program – by far. Our analysis from a few months ago found that links to Canadian Pharmacy sites comprised 60-70% of all spam, and is simultaneously spammed by most of the major spamming botnets.

Key allegations:

  • Spamit is by far the most predominant spamming affiliate group.
  • Canadian Pharmacy spam is the most commonly-discovered output of most botnets engaged in criminal spamming.
  • Xarvester, in this case, is the botnet found to be associated with Spamit's criminal activity.

Cisco / Ironport: Hello Waledac, My Old Friend [June 23, 2009]

Storm was reborn as Waledac in December 2008. While Waledac hadn't advanced much technically — same P2P, same Canadian Pharmacy/Glavmed connection with template-based spamming, same social engineering tricks to spread the malware via email — the Waledac business development team had been busy expanding their partnerships beyond Glavmed to include Yambo Financials, Conficker and Rogue Antivirus.

[Note: Any reference to "Yambo Financials" should probably be construed as a reference to Bulker.biz / Bulkerbiz.com, operators of - among many others - "My Canadian Pharmacy", another completely criminal-operated fake online pharmacy. They hijack Unix servers and use them for a variety of services. This has been well documented since 2006.]

Key allegations:

  • Spamit / Glavmed have been seen sending spam via first Storm Worm, then Waledac.
  • Obviously these botnets are used to spam more than merely Spamit properties, since they can be leased out to any mailer who will pay.
  • Waledac, in this case, is the botnet found to be associated with Spamit's criminal activity.

The Register: Penis pill spam: The hard figures [Sep. 25, 2009]

"The members of SpamIt are allegedly the group behind the Storm, Waledec and potentially Conficker botnets, responsible for email distribution and fast-flux hosting of the spam websites."

Although GlavMed is the biggest operator in the unlicensed prescription drug affiliate business many other players exist including Stimul-cash.com, Rx-partners, Rxcash.biz, Evapharmacy, Rx-Signup.com and DrugRevenue. Most concentrate exclusively on web promotion methods, while a minority unofficially support traffic generated through spam emails.

Key allegations:

  • Spamit is by far the most predominant spamming affiliate group.
  • Canadian Pharmacy spam is the most commonly-discovered output of most botnets engaged in criminal spamming.
  • There is a relationship between the use of botnets for spamming Spamit / Glavmed properties, and the promotion and infection of third-party websites to serve out rogue or fake anti-malware software, which in turn infects users' PCs for the purposes of joining botnets used to spam on behalf of Spamit / Glavmed.
  • Storm, Waledac and Conficker are the botnets found to be associated with Spamit's criminal activity.

A very interesting comment was also posted in response to a blog posting regarding Conficker / Downadup:

Trend Micro Countermeasures Blog: Downad/Conficker, who’s the April Fool? [Mar. 25, 2009]

The comment is dated Jan. 8, 2010:

bodo unger said:

Friday, 8. January 2010 um 3:17 am

The writer of the Conficker virus is Mario Fiege, a German in the Philippines. He is working with glavmed.com, stimul-cash.com, rx-promotion.com, spamit.com. He is pretending to be a Russian on the internet while hacking domains, hijacking forums and sending millions of email spam out of malware ghettos like Asia.
He is using proxyway.com

Key allegations:

  • Someone named "Mario Fiege" wrote Conficker (Microsoft: Are you listening?)
  • He personally uses Conficker to spam on behalf of a variety of well-known criminal pharmacy operations, among them Spamit / Glavmed
  • This commenter distinguishes between Spamit and Glavmed, making it clear that this person spammed individually on behalf of each. (That could be a misinterpretation. I will continue to believe that they are one and the same.)

Obviously I would be interested to know who "bodo unger" is. He seems to know a great deal about this setup.

There have been others, but the push continues to awaken more mainstream news outlets about this very serious risk to the public's computers.

Resulting Assumptions / Conclusions:

So far the botnets identified as being used to send spam on behalf of Spamit, predominantly sending spam promoting the illegal online pharmacy known as "Canadian Pharmacy" are:


I'd also like to make an important clarification regarding botnets and their use in the spamming economy.

Botnets are constantly in operation. Their owners set them up, and make sure there are enough infected hosts to become a part of the botnet for whatever purpose the botnet software was built to fulfill.

A botnet of any sort can be leased for a set period of time. Much as any individual can rent a car (provided they have a license and insurance), any criminal individual can lease time on a botnet (provided they have decent references).
Once that individual has leased the botnet, depending on the price he paid, he can use it for a variety of operations including spamming (low cost), fast-flux hosting (mid-level cost) or Distributed Denial of Service (DDoS) attacks (highest cost / shortest availability).

Just because one individual sends spam promoting a Spamit property like "Canadian Pharmacy" using Xarvester does not mean that Xarvester, as a botnet, was created to spam on behalf of Spamit. A day later, it could be used to spam some otherwise unrelated porn site. Many tech media outlets make the mistake of correlating all activity of a single botnet to one rogue affiliate group. Spamit is definitely a "bad actor", and whoever wrote Xarvester and created that botnet did not have "good intentions", but those two details do not mean that Spamit is also a porn spamming operation. (At least: not yet.)

It is best to perceive each entity involved in every portion of these operations as being completely distinct and separate.

I felt this was especially important to mention given the very bright light which has recently been turned towards all manner of botnet-related activity.

Thank you for reading.

SiL / IKS / concerned citizen

3 comments:

  1. SiL, I'd be happy to provide You with:

    -full info and bio on who runs Spamit/Glavmed. Bios, names, addresses, company names, phone numbers, etc., translations of all info published on that group in Russia by Russian newspapers (dozens and dozens of publications), info on how every affiliate member has been cheated in Spamit/Glavmed and much more of what cannot be said here before You get it.

    All Your questions will be answered.

    Drop me an email please at:
    despduck@gmail.com

  2. How hard exactly is it to crack these guys down? I get dozens in the middle of the day, just a single link, pointing towards toppillsarea.com...

  3. @nomical said:

    > How hard exactly is it to crack these guys down? I get
    > dozens in the middle of the day, just a single link,
    > pointing towards toppillsarea.com...
    How hard? Pretty hard.

    Not one url they use in their spamming identifies any actual human being involved in this activity.

    Reporting the domains (which I do, as do most of my colleagues) very often results in responses from Chinese, Russian and Ukrainian domain registrars essentially saying they won't shut the domains down without a court order specifically and explicitly stating that these actual domains are illegal.

    Try reading this:

    Circle ID: When Registrars Look the Other Way, Drug-Dealers Get Paid

    Every pro, career spammer uses 100% false or stolen information to register thousands of domains per day. They have been doing this for nearly six years now. Reporting some of these - most specifically toppillsarea.com, currently registered with Beijing Innovative Linkage Technology Ltd. (aka: BILT) is in week #2 of the complaint process. This is the norm. They never expose who *actually* registered the domain, and they never stop that person from registering more domains.

    Same goes for hosting companies. toppillsarea.com is hosted in France by OVH, who unfortunately have recently become a favorite hosting company since they also deflect most abuse complaints relating to this operation.

    This is a rare domain, though. It uses one dedicated IP address. Most sites hosting a Canadian Pharmacy / Canadian Health Care site are hosted on Windows PCs used by people who have very lax security. They often use anywhere from 5 - 7 of these hijacked public PCs, and they've been doing that for at least four years now.

    You tell me: how difficult is it to track down the operators of this whole series of domains? I think it's pretty difficult. I'm not alone. That's why I publicize on this blog what I can dig up through research.

    SiL
