Monday, November 1, 2010

RAEC Press Release: Exposing the largest spammer in the world

This is a re-posting of a press release posted to the official RAEC website on Oct. 29th, 2010.

RAEC is the "Russian Association of Electronic Communication" who are tasked with investigating Russia-based online criminal activities.

Exposing the largest spammer in the world - the beginning of a real fight against cybercrime in Russia
29.10.2010

On November 2 at 14:00, at Interfax, the RAEC (Commission on Cybercrime) holds a press conference with representatives of the investigating authorities, the relevant law enforcement agencies and participants in the Internet industry.

Recall that, as a result of search operations by Russian police, the world's biggest criminal network, which specialized in the distribution of pharmacological spam, was exposed. Following those operational activities, the head of the Glavmed partner network, Igor Anatolyevich Gusev, has been prosecuted.

"The spammer Gusev" has received wide publicity, not only in Russia but throughout the world, and has been covered in major world media, including: The Washington Post, Gizmodo Australia, BBC, MSNBC, The Register, The New York Times, Bild, Telegraph, PC World, ABC.es, Los Mas Hablados, Bild.de, O Globo, France 24, iHNed.cz, ThaiIndian, Softpedia, MSN India, Gizmodo Australia, The New York Observer, Infosecurity Magazine, Le Monde, DailyFinance, The Inquirer, Bloomberg, Reuters and others.

The authors of publications have expressed similar viewpoints on a sensational disclosure:

The New York Times correspondent Andrew Kramer links the stepped-up law enforcement actions against Gusev to the initiatives of Russian President Dmitry Medvedev: "In summer 2010, the President visited Silicon Valley in California and during his visit repeatedly stated that Russia intends to legitimize its own Internet space, to fight against piracy, hackers and other manifestations of shady business in the network."

Helen A.S. Popkin of MSNBC takes a similar position: "In June, Dmitri Medvedev was in California, where he met with the organizers of Silicon Valley. The SpamIt.com site mysteriously closed two weeks before October 10, when the return visit from Silicon Valley came to Moscow in the form of a delegation headed by the Governor of California, Arnold Schwarzenegger."

"The Gusev case shows that Russian authorities are determined to fight the status quo. And although spamming under Russian law is not a crime, it can be classified as illegal entrepreneurship," Pavel Zaitsev, a member of the public organization National Anti-Corruption Committee, told the press.

Gusev is only the first target. The investigation has at its disposal an impressive list of Russian spammers, as well as a list of all illegal purchases of counterfeit "Viagra" and other drugs by U.S. citizens since 2006. All participants in such illegal activities will be exposed.

"The RAEC Commission on Cyber Crime has been waging a campaign against spam for over a year now, and we are pleased to present the first, but significant, results of this work. Thanks to the efforts of our experts and law enforcement agencies, the world's spam level has dropped by almost half," said the deputy director of RAEC, Sergei Grebennikov.

About a year ago RAEC stepped up its activities aimed at improving Russia's investment climate abroad by offering a program to combat spam. The program included a series of measures, one of which was a series of pinpoint strikes on partner programs, including the "GlavMed" network mentioned above, which has the largest share of the market and is largely responsible for the negative attitude towards Russia as a source of spam.

The RAEC Commission against cybercrime invites all interested journalists to a press conference illuminating this issue, which will bring together industry experts, representatives of the investigating authorities and the relevant law enforcement agencies.

A detailed list for the press conference will be presented on Monday.

Press conference information:
Venue: Interfax, Moscow, st. Tverskaya-Yamskaya 1-I, 2, p. 1
Conference dates: November 2 (Tuesday) from 14:00 to 16:00

Contact information:
pr@raec.ru , +7 926 654 24 26, +7 495 950 56551
Lihopersky Ivan

Any findings from this press conference will be collated and posted here. Stay tuned.

SiL

Thursday, September 23, 2010

Spamit.com: Closing down?

[Note: This is a duplicate posting from my original I Kill Spammers blog. I'm placing a copy here to maintain archival information in the same place.]

After a tip from a few different sources, I was informed that the Spamit.com domain is now showing the following message:

Dear partners and colleagues,

In connection with the long series of negative events over the past year and the heightened attention to the activities of our affiliate program, we have decided to wind down our operations and stop accepting traffic as of October 1, 2010.

We believe that in the current situation this decision is the most correct one, because it makes it possible to completely avoid the risks of a sudden, unplanned stop, which would inevitably lead to the collapse of the entire program's operations and, most likely, to non-payment of the funds you have earned. In our case, all earned funds will be paid out in the normal manner. Nobody will be cheated.

Please use the remaining time to transfer your traffic to other affiliate programs in a timely manner.

Thank you for working with us, we greatly value your trust!


Dear partners and colleagues!

Because of the numerous negative events that happened last year and the risen attention to our affiliate program, we've decided to stop accepting traffic from 1.10.2010. We find the decision the most appropriate in this situation. It avoids a sudden work stop, which would lead to the program's collapse and non-payment of your profit.

In our case the whole profit will be paid normally. All possible frauds are excluded. Please transfer your traffic to other affiliate programs by 1.10.2010.

Thank you for your cooperation! We appreciate your trust very much!

Here's a screenshot of Spamit.com from around an hour ago:


This was the output on Spamit.biz and Spamit.com. Now I and many others notice that spamit.com no longer resolves as a domain. Spamit.ru is also down but I don't know if that had been the case prior to today.

Note that no such notice appears anywhere on Glavmed.com, long known to be their sister company.

The #1 criminally-operated spam operation in the world is suddenly shutting down? (Albeit, possibly temporarily. I'll check back on Oct. 1st of course.)

The "numerous negative events" possibly refers to the loss of Mastercard processing which happened several months ago, and "the risen attention to our affiliate program" possibly means coverage from this blog but also several other media outlets, most notably a large amount of coverage in the Russian press.

If Spamit as an affiliate operation were in any way operating legally or legitimately, this media coverage would not be a cause to shut down. This only goes to show you what a scumbag, criminal operation Spamit and Glavmed have always been.

The fact that spamit domains specifically are shutting down the same day a few sources told me to check this page out indicates some Very Bad Things could be underway for the operators of Spamit.

This could be a very interesting few weeks.

SiL

Wednesday, March 3, 2010

March 2010 Spamit / Canadian Pharmacy Update

As many of you may be aware, many more media outlets and independent security researchers have also begun identifying Spamit and Glavmed as a source of not only a ridiculous amount of illegal pharmacy spam, but also a broad swath of criminal abuse of third-party servers, and a key recipient of promotion via not one but a variety of criminally-operated botnets.

My updates to this blog have been sporadic simply because I am in evidence-gathering mode. Fortunately, my blog is not the only one keeping an eye on this group of criminals.

Here's a roundup of the past several months of publicly disclosed evidence which refer directly to "Canadian Pharmacy", Spamit and Glavmed.

M86 Security Labs: SpamIt.com leaves its footprints [Feb. 22, 2010]

SpamIt.com is a secretive, invitation-only, group of email spam affiliates closely linked to GlavMed, which in turn is responsible for one of the largest and oldest affiliate programs called "Canadian Pharmacy". Recently, Canadian Pharmacy has been the dominant spammed program – by far. Our analysis from a few months ago found that links to Canadian Pharmacy sites comprised 60-70% of all spam, and is simultaneously spammed by most of the major spamming botnets.

Key allegations:

  • Spamit is by far the most predominant spamming affiliate group.
  • Canadian Pharmacy spam is the most commonly-discovered output of most botnets engaged in criminal spamming.
  • Xarvester, in this case, is the botnet found to be associated with Spamit's criminal activity.

Cisco / Ironport: Hello Waledac, My Old Friend [June 23, 2009]

Storm was reborn as Waledac in December 2008. While Waledac hadn't advanced much technically — same P2P, same Canadian Pharmacy/Glavmed connection with template-based spamming, same social engineering tricks to spread the malware via email — the Waledac business development team had been busy expanding their partnerships beyond Glavmed to include Yambo Financials, Conficker and Rogue Antivirus.

[Note: Any reference to "Yambo Financials" should probably be construed as a reference to Bulker.biz / Bulkerbiz.com, operators of - among many others - "My Canadian Pharmacy", another completely criminal-operated fake online pharmacy. They hijack unix servers and use them for a variety of services. This has been well documented since 2006.]

Key allegations:

  • Spamit / Glavmed have been seen sending spam via first Storm Worm, then Waledac.
  • Obviously these botnets are used to spam more than merely Spamit properties, since they can be leased out to any mailer who will pay.
  • Waledac, in this case, is the botnet found to be associated with Spamit's criminal activity.

The Register: Penis pill spam: The hard figures [Sep. 25, 2009]

"The members of SpamIt are allegedly the group behind the Storm, Waledec and potentially Conficker botnets, responsible for email distribution and fast-flux hosting of the spam websites."

Although GlavMed is the biggest operator in the unlicensed prescription drug affiliate business many other players exist including Stimul-cash.com, Rx-partners, Rxcash.biz, Evapharmacy, Rx-Signup.com and DrugRevenue. Most concentrate exclusively on web promotion methods, while a minority unofficially support traffic generated through spam emails.

Key allegations:

  • Spamit is by far the most predominant spamming affiliate group.
  • Canadian Pharmacy spam is the most commonly-discovered output of most botnets engaged in criminal spamming.
  • There is a relationship between the use of botnets for spamming Spamit / Glavmed properties, and the promotion and infection of third-party websites to serve out rogue or fake anti-malware software, which in turn infects users' PC's for the purposes of joining botnets used to spam on behalf of Spamit / Glavmed.
  • Storm, Waledac and Conficker are the botnets found to be associated with Spamit's criminal activity.

A very interesting comment was also posted in response to a blog posting regarding Conficker / Downadup:

Trend Micro Countermeasures Blog: Downad/Conficker, who’s the April Fool? [Mar. 25, 2009]

The comment is dated Jan. 8, 2010:

bodo unger said:

Friday, 8. January 2010 um 3:17 am

The writer of the Conficker virus is Mario Fiege, a German in the Philippines. He is working with glavmed.com, stimul-cash.com, rx-promotion.com, spamit.com. He is pretending to be a Russian on the internet while hacking domains, hijacking forums and sending millions of spam emails out of malware ghettos like Asia.
He is using proxyway.com

Key allegations:

  • Someone named "Mario Fiege" wrote Conficker (Microsoft: Are you listening?)
  • He personally uses Conficker to spam on behalf of a variety of well-known criminal pharmacy operations, among them Spamit / Glavmed
  • This commenter distinguishes between Spamit and Glavmed, making it clear that this person spammed individually on behalf of each. (That could be a misinterpretation. I will continue to believe that they are one and the same.)

Obviously I would be interested to know who "bodo unger" is. He seems to know a great deal about this setup.

There have been others, but the push continues to awaken more mainstream news outlets about this very serious risk to the public's computers.

Resulting Assumptions / Conclusions:

So far the botnets identified as being used to send spam on behalf of Spamit, predominantly sending spam promoting the illegal online pharmacy known as "Canadian Pharmacy" are:


I'd also like to make an important clarification regarding botnets and their use in the spamming economy.

Botnets are constantly in operation. Their owners set them up, and make sure there are enough infected hosts to become a part of the botnet for whatever purpose the botnet software was built to fulfill.

A botnet of any sort can be leased for a set period of time. Much in the same way that any individual can rent a car (provided they have a license and insurance), any criminal individual can lease time on a botnet (provided they have decent references). Once that individual has leased the botnet, depending on the price he paid, he can use it for a variety of operations including spamming (low cost), fast-flux hosting (mid-level cost) or Distributed Denial of Service (DDoS) attacks (highest cost / shortest availability).

Just because one individual sends spam promoting a Spamit property like "Canadian Pharmacy" using Xarvester does not mean that Xarvester, as a botnet, was created to spam on behalf of Spamit. A day later, it could be used to spam some otherwise unrelated porn site. Many tech media outlets make the mistake of correlating all activity of a single botnet to one rogue affiliate group. Spamit is definitely a "bad actor", and whoever wrote Xarvester and created that botnet did not have "good intentions", but those two details do not mean that Spamit is also a porn spamming operation. (At least: not yet.)

It is best to perceive each entity involved in every portion of these operations as being completely distinct and separate.

I felt this was especially important to mention given the very bright light which has recently been turned towards all manner of botnet-related activity.

Thank you for reading.

SiL / IKS / concerned citizen

Wednesday, November 11, 2009

Other Researchers: Spamit + Glavmed Still The #1 Affiliate Program for Criminal Spammers

In late September a very clear, concise and damning report was released and presented at the 2009 Virus Bulletin Conference in Geneva, Switzerland. You can download a copy, and I strongly recommend you do. It explains not only how Spamit / Glavmed work, but also speaks to the prominent place email spamming holds in Russian culture. Note that the author chose to use the name "Glavmed" since it was the public-facing name and was easily found.

Since that time, M86, a very well-known internet security company, has written a followup report [available here] which makes it clear not only based on that report but also on M86's own statistical analysis of ongoing spam trends, that Glavmed / Spamit and their by-now extremely well known "Canadian Pharmacy" brand are easily the #1 affiliate group for criminal spammers, occupying 60-70% of all spam sent anywhere in the world today.

M86 also draws connections between spam promoting Glavmed / Spamit products and virtually every single known botnet presently operating.

Prior to this, in July 2009, at a Cisco event in Thailand [details here] a report was presented by Navneet Singh, a Product Manager for Ironport, entitled "HTTP, Browsers And Web 2.0 -- A Criminal's Dream" [pdf], in which Spamit's name specifically can be related to:

  • Glavmed (and this is important, since Glavmed repeatedly deny any connection whatsoever.)
  • SQL injection attacks against public web servers for the purposes of redirecting to "Canadian Pharmacy" websites
  • Connections between Storm Worm infections and the spamming of "Canadian Pharmacy" websites
  • Yet another assertion that "Canadian Pharmacy" represents the majority of criminal spam in the world today.

They also offer some insight into how both Spamit and Glavmed's affiliate programs work, and how much money can be made as an affiliate of either group.

These reports are some of the most meticulously compiled evidence so far regarding Spamit and Glavmed, and especially damning since one of them now makes a very clear case that they are the same organization.

More and more security operations are starting to pay more attention to this story, which may indicate that more pressure will eventually be brought to bear against this group.

As I come across further evidence I will of course post it here.

SiL / IKS / concerned citizen

Friday, September 4, 2009

Spamit and the Russian Business Network

Over the years I have been researching Spamit, I have read numerous reports, many by highly competent researchers, which implicate a group known as the Russian Business Network in many of the spamming activities associated with Spamit. Typically the mention of Canadian Pharmacy spamming activity is a sort of postscript, not the main focus, since these reports instead try to establish the group's complicity in server hijacks and the operation of one or more botnets for a variety of purposes, among them illegal spamming on behalf of Canadian Pharmacy / Spamit.

A separate independent researcher, whose focus is botnets and their use by criminal groups, has drawn some interesting conclusions about the activities of certain botnets, their network setup, command and control, and who may be responsible for this activity. He runs a blog known as "RBNExploit" whose research is specifically focused on the RBN and its criminal activity. Unsurprisingly, Canadian Pharmacy makes an appearance in his research.

Here is the report this investigator posted to his blog back in August 2008:

RBN - Georgia Cyberwarfare – Attribution & Spam Botnets

In this particular posting, he makes specific reference to a Mr. Andrej Smirnov, whom I have referenced previously in my other blog devoted to reporting on ongoing criminal spam activity. Since writing that posting (in February 2009), Mr. Smirnov commented on my blog and also contacted me directly, wishing to distance himself and his affiliate program known as "Glavmed" from the operations of Spamit.

Smirnov still insists that these are distinct groups, and that Glavmed is "perfectly legitimate", selling "real drugs, the same as the ones you buy from Pfizer" to consumers who genuinely need them. I am not going to comment on Mr. Smirnov, but suffice to say they have no pharmacists on staff, they never ask for any patient information, and they are in fact in violation of numerous FDA restrictions, since the drugs they sell are manufactured in India and then exported to the US.

This RBN blogger specifically was reporting on the attacks which were occurring at that time against websites and network infrastructure within Georgia. He claimed that both Smirnov and a Mr. Alexandr A. Boykov of Saint Petersburg, Russia were among the "first strike" attackers of that infrastructure. He provides evidence derived from analysis of attack traffic at the time, and also references further researchers.

A couple of quotations:

Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.

Another very well-known cyber security researcher who runs the spam blog "Silent Noise" has also discovered a relationship between the RBN and Canadian Pharmacy:

From Canadian Pharmacy to scareware to RBN?

He receives a spam message which (as previously mentioned) points to a hijacked web server for the purposes of redirection to a Canadian Pharmacy website:

The file atop.html is only redirecting to another Canadian Pharmacy site, peacefulhard.com.

He does some further digging on that server:

Some of the code found in several of the files was a bit more interesting, like this one:

h||p://91.203.93. 49/cgi-bin/index.cgi?user3

That is UATELECOM/ZHITOMIR-NET and it timed out for me.
But searching for that IP showed some hits, like this one from malwaredomainlist.com, from October 2008:

malwarefront. info/cgi-bin/index.cgi?user1    91.203.93.49    -    Exploits    malwarefront@hotmail.com

Which means that last October a domain called malwarefront.info was living at that IP.
So I had a walk over there, now malwarefront. info lives at 91.211.64.180, Ural-NET/Ural Industrial Limited Company.

This is a well known range of fake "Anti Malware" software.

One further supporting story, based on research performed by IronPort in June 2008 in relation to Canadian Pharmacy:

IronPort Research Discovers Links Between Malware Originators and Illegal Online Pharmaceutical Supply Chain

IronPort(R) Systems, a leading provider of enterprise spam, virus and spyware protection, and now part of Cisco (NASDAQ: CSCO), today announced that recent research has identified a link between originators of malware, such as Storm, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting their websites.

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."

That research in particular pinpointed the renowned "Storm worm" botnet as being used by someone from Canadian Pharmacy / Spamit.

It is important to note that any mention of which botnet was used for mailing is often a misleading topic, and the individuals behind these operations know this.

I will refer to an entry I made around a year or so ago on the SpamTrackers Wiki regarding the overall infrastructure of a typical pharmacy spam setup, based on many years of research:

Spammer Economy and Infrastructure

I think it's important to keep that particular article in mind whenever one discusses a criminal spam operation. They have purposely created a setup that is custom-built to throw any researcher off of the scent. Any individual mailer (spammer) can send mail on behalf of any affiliate group (i.e.: Spamit) to promote any website property they choose (i.e.: Canadian Pharmacy) and do so using whichever botnet they pay to lease time on (one of which can be the Storm botnet.)

That is unfortunately often mistaken to mean that Spamit = Storm worm. It may be true. It may not. We will possibly never know. But it's enough to know that their use of any botnet is not legal, and the sites they promote in this case are not legal, and that the Storm botnet is among the botnets in use by one or more of their mailers. This changes over time of course, because new mailers come and go, and their ability to afford the use of one or another botnet for any period of time will fluctuate.

I am not claiming any opinion on these other connections at this time, because there are too many individual operatives who might all be working for themselves, only a few of whom would be directly related to Canadian Pharmacy.

But if you do enough reading, and especially if you read the white papers released by these extremely professional researchers regarding malware, botnets and overall cyber security, you begin to see the same statements:

- Botnets
- Which are used to send spam
- Leading to hacked web servers
- Redirecting you to a Chinese-hosted site with fake contact information in their WHOIS record
- Presenting you a Canadian Pharmacy website.

You also see:

- Lots of other infection vectors associated with these hacked web servers for the purpose of trying to get your Windows PC to join whichever of the botnets is being used directly by Canadian Pharmacy operatives.

I welcome further detail from these researchers, because too many reports draw too many non-specific conclusions, and / or unknowingly cause confusion regarding which bad actors are actually involved.

I will post more as time allows. Right now I'm just trying to build a sequential listing of their technical infrastructure, and how it parlays into their ongoing criminal activities.

SiL / IKS / concerned citizen

Further Reading:

• I Kill Spammers - Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA
• Spamhaus ROKSO Listing for RBN
• RBN Exploit Blog
• The Economist: A Walk On The Dark Side

Tuesday, September 1, 2009

SpamIt Criminal Evidence: An introduction.

Hello and welcome to my third blog documenting evidence specifically regarding Spamit.com / Spamit.ru / Spamit.biz, and of course their renowned properties:

  • Canadian Pharmacy
  • Canadian Healthcare

Here are some links to further reading regarding each of these items:

Spamtrackers Wiki: Spamit
Spamtrackers Wiki: Canadian Pharmacy

Canadian Healthcare was a relatively recent addition to their spammable properties, as such there needs to be a new entry for the Spamit version of this, since "Canadian Healthcare" was previously a SanCash or Affking property from 2007 through 2008.

Today's evidence, which I fully expect to keep amassing over the next weeks and months until the ISPs hosting these sites wake up and patch their Apache installs, is a series of hacked public websites which Spamit operatives have chosen to hijack and use within their spam campaigns:

http://assistbc.co.nz/ntaqc.html
http://193.86.3.170/~lattner/k.html
http://przetwornice.cp5.win.pl/safemodifypils.html?oHNhw
http://www.zipzapnet.com.br/safemodifypils.html
http://abambae.com.br/safemodifypils.html

In each of those cases, an exploit has been run against each of those domains to allow the upload of one single HTML file which is then used in a widespread spamming campaign to promote the well-known Canadian Pharmacy website.

Here are where each of these are redirecting us, respectively:

http://qajtogap.cn/
http://guzjacix.cn/
http://railhill.com/
http://markvary.com/
http://aceamong.com/
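The planted single-file redirectors described above, and the atop.html case quoted from Silent Noise earlier, share one shape: almost no visible content, and a meta-refresh or JavaScript jump to a host that is not the site's own. As an added example (my own illustration, not the author's tooling), here is a Python check a site administrator could run over a web root to spot such pages; the sample pages, the host name club.example and the target host pharmacy-redirect.invalid are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages standing in for files found in a web root.
# None of this markup was captured from a real site.
SAMPLE_PAGES = {
    "safemodifypils.html": (
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://pharmacy-redirect.invalid/">'
        "</head><body></body></html>"
    ),
    "k.html": (
        "<html><body><script>"
        'window.location.href="http://pharmacy-redirect.invalid/?aff=1";'
        "</script></body></html>"
    ),
    "index.html": (
        "<html><head><title>Welcome</title></head><body><h1>Our club</h1>"
        "<p>Next meeting is on Tuesday at the hall.</p>"
        '<a href="/about.html">About us</a></body></html>'
    ),
    # Same-site redirect with no text: a legitimate moved-page stub.
    "contact.html": (
        "<html><body><script>"
        'window.location.replace("/contact/form.html");'
        "</script></body></html>"
    ),
}

# Matches location = "...", location.href = "..." and location.replace("...")
_JS_REDIRECT = re.compile(
    r"""location(?:\.href\s*=|\s*=|\.replace\()\s*['"]([^'"]+)['"]"""
)
_META_URL = re.compile(r"""url\s*=\s*['"]?([^'";]+)""", re.I)


class _RedirectScan(HTMLParser):
    """Collects redirect targets and counts visible (non-script) text."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self.text_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.targets.append(m.group(1).strip())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.targets.extend(m.group(1) for m in _JS_REDIRECT.finditer(data))
        else:
            self.text_chars += len(data.strip())


def classify(filename, html, site_host, min_text=40):
    """Flag a page that is essentially empty apart from an off-site redirect."""
    scan = _RedirectScan()
    scan.feed(html)
    external = []
    for target in scan.targets:
        host = urlparse(target).hostname
        if host and host.lower() != site_host.lower():
            external.append(target)
    return {
        "file": filename,
        "external_targets": external,
        "visible_text": scan.text_chars,
        "suspicious": bool(external) and scan.text_chars < min_text,
    }


def suspicious_files(pages, site_host):
    """Return the sorted names of pages that look like planted redirectors."""
    results = (classify(f, h, site_host) for f, h in pages.items())
    return sorted(r["file"] for r in results if r["suspicious"])


if __name__ == "__main__":
    for name in suspicious_files(SAMPLE_PAGES, "club.example"):
        print("redirect-only page:", name)
```

Run against a real web root, the `pages` mapping would be filled by walking the directory; a page that redirects off-site but also carries real content is reported with its targets and left unflagged, so the threshold is a starting point for review rather than a verdict.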

Canadian Pharmacy is, of course, one great big lie. It is not Canadian, it's not hosted in Canada (sites are registered and hosted in China), the pills you buy from it are not from Canada (they're from India, made in a substandard and illicit factory) and the owners and operators are not from Canada (they're from Russia or Ukraine) nor do they reside or operate businesses within Canada.

Each of those domains is hosted on what is known as a "fast flux" botnet platform. Each of the IP addresses the domains resolve to is known to be infected with some form of trojan which allows the sites to be hosted whether the computer owner is aware of this or not.

For each of the ".cn" domains, there is no contact information posted within the WHOIS record. This is a violation of ICANN registrar regulations regarding the appropriate registration of any domain name.

For each of the ".com" addresses, there is contact information, however it is provably fake. This is a further violation of ICANN registrar regulations regarding the appropriate registration of any domain name.
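As an added example (my own illustration, not part of the original post), here is a Python heuristic a defender could apply to repeated DNS lookups of a spamvertised domain to spot the fast-flux hosting described above: many A records, spread across unrelated networks, low TTLs, and answers that change from one lookup to the next. The snapshots, domain names and thresholds are constructed; the /16 prefix count stands in for an ASN lookup, which needs external data, and the WHOIS checks mentioned above also need live queries and are not included.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS lookup snapshots: (domain, seconds since first lookup, TTL, A records).
# Addresses come from the RFC 5737 documentation ranges; nothing here is a real resolution.
SNAPSHOTS = [
    ("pharma-flux.invalid", 0, 180,
     ["203.0.113.10", "198.51.100.7", "192.0.2.44", "203.0.113.99", "198.51.100.201"]),
    ("pharma-flux.invalid", 300, 180,
     ["192.0.2.44", "203.0.113.121", "198.51.100.33", "192.0.2.200", "203.0.113.5"]),
    ("pharma-flux.invalid", 600, 180,
     ["198.51.100.7", "192.0.2.77", "203.0.113.250", "198.51.100.150", "192.0.2.9"]),
    # Ordinary single-host site.
    ("static-shop.invalid", 0, 3600, ["203.0.113.50"]),
    ("static-shop.invalid", 600, 3600, ["203.0.113.50"]),
    # Low TTL and rotating answers, but all inside one provider's network (CDN-like).
    ("cdn-site.invalid", 0, 60, ["198.51.100.10", "198.51.100.11", "198.51.100.12"]),
    ("cdn-site.invalid", 300, 60, ["198.51.100.12", "198.51.100.13", "198.51.100.10"]),
]

# Thresholds are this example's own assumptions, not a published standard.
MIN_UNIQUE_IPS = 5
MIN_PREFIXES = 3      # distinct /16 prefixes, a stand-in for "many different networks"
MAX_TTL = 300
MIN_CHURN = 0.5       # share of answers in each lookup not seen in the previous one


def summarize(snapshots):
    """Per-domain statistics over successive lookups, plus a fast-flux verdict."""
    per_domain = defaultdict(list)
    for domain, t, ttl, answers in snapshots:
        per_domain[domain].append((t, ttl, frozenset(answers)))
    result = {}
    for domain, rows in per_domain.items():
        rows.sort(key=lambda r: r[0])
        all_ips = frozenset().union(*(r[2] for r in rows))
        # Group by /16 as a crude proxy for "different networks" (IPv4 only).
        prefixes = {ip_network(f"{ip}/16", strict=False) for ip in all_ips}
        new = total = 0
        for prev, cur in zip(rows, rows[1:]):
            new += len(cur[2] - prev[2])
            total += len(cur[2])
        churn = new / total if total else 0.0
        stats = {
            "unique_ips": len(all_ips),
            "prefixes": len(prefixes),
            "min_ttl": min(r[1] for r in rows),
            "churn": round(churn, 2),
        }
        # All four signals must coincide: a CDN has low TTL and rotation but
        # stays within its own ranges, a static site has neither.
        stats["fast_flux"] = (
            stats["unique_ips"] >= MIN_UNIQUE_IPS
            and stats["prefixes"] >= MIN_PREFIXES
            and stats["min_ttl"] <= MAX_TTL
            and churn >= MIN_CHURN
        )
        result[domain] = stats
    return result


def flagged_domains(snapshots):
    """Sorted names of domains whose lookups match the fast-flux profile."""
    return sorted(d for d, s in summarize(snapshots).items() if s["fast_flux"])


if __name__ == "__main__":
    for domain, stats in summarize(SNAPSHOTS).items():
        print(domain, stats)
```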

This posting's evidence:

1) Hacking of computers they do not own, and never have owned.
2) Lying throughout their sites
3) Selling dangerous pairings of pharmaceuticals which can have severe health effects for consumers.
4) Using maliciously infected home users' computers to provide them with "free" hosting for each of their domains.
5) Each of their domains are registered either using no contact information, or using fake contact information.

Each of these on its own is a serious offense. All of them together is willful misconduct and a serious danger to the public.

Don't buy products from these criminals. They are lying to you, and you are funding criminal activity.

Spamit must fall!

SiL / IKS / concerned citizen.