Over the years I have been researching Spamit, I have read numerous reports, many by highly competent researchers, which implicate a group known as the Russian Business Network with many of the spamming activities associated with Spamit. Typically the mention of Canadian Pharmacy spamming activity is sort of a postscript, not the main focus, since these reports instead try to establish their complicity with server hijacks and the operation of one or more botnets for a variety of purposes, among them the illegal spamming on behalf of Canadian Pharmacy / Spamit.
A separate independent researcher, whose focus is botnets and their use by criminal groups, has drawn some interesting connections between the activities of certain botnets, their network setup, command and control, and who may be responsible for this activity. He runs a blog known as "RBNExploit" whose research is specifically focused on the RBN and its criminal activity. Unsurprisingly, Canadian Pharmacy makes an appearance in his research.
Here is the report this investigator posted to his blog back in August 2008:
RBN - Georgia Cyberwarfare – Attribution & Spam Botnets
In this particular posting, he makes specific reference to a Mr. Andrej Smirnov, whom I have referenced previously in my other blog devoted to reporting on ongoing criminal spam activity. Since writing that posting (in February 2009), Mr. Smirnov commented on my blog and also contacted me directly, wishing to distance himself and his affiliate program known as "Glavmed" from the operations of Spamit.
Smirnov still insists that these are distinct groups, and that Glavmed is "perfectly legitimate", selling "real drugs, the same as the ones you buy from Pfizer" to consumers who genuinely need them. I am not going to comment on Mr. Smirnov, but suffice it to say they have no pharmacists on staff, they never ask for any patient information, and they are in fact in violation of numerous FDA restrictions, since the drugs they sell are manufactured in India and then exported to the US.
This RBN blogger specifically was reporting on the attacks which were occurring at that time against websites and network infrastructure within Georgia. He claimed that both Smirnov and a Mr. Alexandr A. Boykov of Saint Petersburg, Russia were among the "first strike" attackers of that infrastructure. He provides evidence derived from analysis of attack traffic at the time, and also references further researchers.
A couple of quotations:
Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).
Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.
Another very well-known cyber security researcher who runs the spam blog "Silent Noise" has also discovered a relationship between the RBN and Canadian Pharmacy:
From Canadian Pharmacy to scareware to RBN?
He receives a spam message which (as previously mentioned) points to a hijacked web server for the purposes of redirection to a Canadian Pharmacy website:
The file atop.html is only redirecting to another Canadian Pharmacy site, peacefulhard.com.
He does some further digging on that server:
Some of the code found in several of the files were a bit more interesting, like this one:
h||p://91.203.93. 49/cgi-bin/index.cgi?user3
That is UATELECOM/ZHITOMIR-NET and it timed out for me.
But searching for that IP showed some hits, like this one from malwaredomainlist.com, from October 2008:
malwarefront. info/cgi-bin/index.cgi?user1 91.203.93.49 - Exploits malwarefront@hotmail.com
Which means that last October a domain called malwarefront.info was living at that IP.
So I had a walk over there, now malwarefront. info lives at 91.211.64.180, Ural-NET/Ural Industrial Limited Company.
This is a well known range of fake "Anti Malware" software.
One further supporting story, based on research performed by IronPort in June 2008 in relation to Canadian Pharmacy:
IronPort Research Discovers Links Between Malware Originators and Illegal Online Pharmaceutical Supply Chain
IronPort(R) Systems, a leading provider of enterprise spam, virus and spyware protection, and now part of Cisco (NASDAQ: CSCO), today announced that recent research has identified a link between originators of malware, such as Storm, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting their websites.
"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."
That research in particular pinpointed the renowned "Storm worm" botnet as being used by someone from Canadian Pharmacy / Spamit.
It is important to note that any mention of which botnet was used for mailing is often a misleading topic, and the individuals behind these operations know this.
I will refer to an entry I made around a year or so ago on the SpamTrackers Wiki regarding the overall infrastructure of a typical pharmacy spam setup, based on many years of research:
Spammer Economy and Infrastructure
I think it's important to keep that particular article in mind whenever one discusses a criminal spam operation. They have purposely created a setup that is custom-built to throw any researcher off the scent. Any individual mailer (spammer) can send mail on behalf of any affiliate group (e.g. Spamit) to promote any website property they choose (e.g. Canadian Pharmacy), and do so using whichever botnet they pay to lease time on (one of which can be the Storm botnet).
That is unfortunately often mistaken to mean that Spamit = Storm worm. It may be true. It may not. We will possibly never know. But it's enough to know that their use of any botnet is not legal, and the sites they promote in this case are not legal, and that the Storm botnet is among the botnets in use by one or more of their mailers. This changes over time of course, because new mailers come and go, and their ability to afford the use of one or another botnet for any period of time will fluctuate.
I am not claiming any opinion on these other connections at this time, because there are too many individual operatives who might all be working for themselves, only a few of whom would be directly related to Canadian Pharmacy.
But if you do enough reading, and especially if you read the white papers released by these extremely professional researchers regarding malware, botnets and overall cyber security, you begin to see the same statements:
- Botnets
- Which are used to send spam
- Leading to hacked web servers
- Redirecting you to a Chinese-hosted site with fake contact information in their WHOIS record
- Presenting you a Canadian Pharmacy website.
You also see:
- Lots of other infection vectors associated with these hacked web servers, for the purpose of trying to get your Windows PC to join whichever botnet is being used directly by Canadian Pharmacy operatives.
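Two small pieces of this chain lend themselves to a worked example: the defanged indicators that the Silent Noise post publishes (h||p://, a space inside the IP or domain), which have to be normalised before they can be looked up anywhere, and the spam link -> hijacked web server -> pharmacy storefront redirect chain that the list above describes. The script below is an added example, not code from this post or from any of the researchers cited; it refangs the two indicators quoted above and walks a redirect chain against a constructed, in-memory table of HTTP responses so it runs offline. The example.invalid hostnames are placeholders; peacefulhard.com is the landing site named in the Silent Noise quote.

```python
"""Refang published spam indicators and trace a spam-to-storefront redirect chain.

Added example for this post, not the author's code. All responses below are
constructed; nothing is fetched from the network.
"""
import re
from urllib.parse import urljoin, urlsplit

# --- Refanging published indicators ----------------------------------------
# Indicators taken from the post, as published (deliberately unclickable).
PUBLISHED_INDICATORS = [
    "h||p://91.203.93. 49/cgi-bin/index.cgi?user3",
    "malwarefront. info/cgi-bin/index.cgi?user1",
]

# Optional scheme written as http, hxxp or h||p (with optional trailing s),
# then everything up to the first slash as the host, then the rest.
_INDICATOR = re.compile(r"^(?:h(?:xx|\|\||tt)p(s?)://)?([^/]+)(.*)$", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real URL.

    Handles h||p:// and hxxp:// schemes, [.] and (.) in place of dots, and
    whitespace inserted inside the host part. A missing scheme becomes http.
    """
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    m = _INDICATOR.match(s)
    if not m:
        raise ValueError(f"not an indicator: {indicator!r}")
    secure, host, rest = m.groups()
    scheme = "https" if secure else "http"
    host = re.sub(r"\s+", "", host)
    return f"{scheme}://{host}{rest}"


# --- Walking a redirect chain offline ---------------------------------------
# Constructed responses modelling the chain the post describes: the spammed
# link lands on a hijacked web server, whose redirector page bounces through a
# second relay to the pharmacy storefront. Both redirect mechanisms the
# tracer understands are represented: an HTML meta refresh and an HTTP 302.
CONSTRUCTED_RESPONSES = {
    "http://hacked-site.example.invalid/atop.html": (
        200, {}, '<meta http-equiv="refresh" content="0;url=http://relay.example.invalid/go.php">'),
    "http://relay.example.invalid/go.php": (302, {"Location": "http://peacefulhard.com/"}, ""),
    "http://peacefulhard.com/": (200, {}, "<html><title>Canadian Pharmacy</title></html>"),
}

_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def mock_fetch(url):
    """Stand-in for an HTTP client; unknown URLs behave like a dead host (404)."""
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return the URL this response sends the visitor to, or None if it is a final page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = _META_REFRESH.search(body) or _JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def trace_chain(start_url, fetch, max_hops=10):
    """Follow redirects from start_url using fetch(url) -> (status, headers, body).

    Returns (hops, outcome) where outcome is 'landed' (a real page was reached),
    'dead' (4xx/5xx, e.g. the hijacked server was already cleaned), 'loop' or
    'max_hops' (a redirector that never settles).
    """
    hops, seen = [start_url], {start_url}
    while True:
        status, headers, body = fetch(hops[-1])
        if status >= 400:
            return hops, "dead"
        nxt = next_hop(hops[-1], status, headers, body)
        if nxt is None:
            return hops, "landed"
        if nxt in seen:
            return hops, "loop"
        if len(hops) >= max_hops:
            return hops, "max_hops"
        seen.add(nxt)
        hops.append(nxt)


def summarize(hops):
    """Split a chain into the relay hosts (candidates for hijacked servers) and the landing host."""
    hosts = [urlsplit(h).hostname for h in hops]
    return {"relays": hosts[:-1], "landing": hosts[-1]}


if __name__ == "__main__":
    for ind in PUBLISHED_INDICATORS:
        print(f"{ind!r:50} -> {refang(ind)}")
    hops, outcome = trace_chain("http://hacked-site.example.invalid/atop.html", mock_fetch)
    print(outcome, summarize(hops))
```

Against real traffic, `mock_fetch` would be replaced by an HTTP client that does not follow redirects itself, so that every hop is recorded; the relay hosts in the summary are the ones worth reporting to the owners of the compromised servers, and the landing host is the property the spam is actually promoting.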
I welcome further detail from these researchers, because too many reports draw too many non-specific conclusions, and / or unknowingly cause confusion regarding which bad actors are actually involved.
I will post more as time allows. Right now I am just trying to build a bit of a sequential listing of their technical infrastructure, and how it parlays into their ongoing criminal activities.
SiL / IKS / concerned citizen
Further Reading:
I Kill Spammers - Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA
Spamhaus ROKSO Listing for RBN
RBN Exploit Blog
The Economist: A Walk On The Dark Side