Ruskie gang hijacks Microsoft network to push penis pills

Redmond abused as scammers' IP bitch

For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates.

The 1,025 unique websites — which include seizemed.com, yourrulers.com, and crashcoursecomputing.com — push Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft's own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22, according to Ronald F. Guilmette, a researcher who first uncovered the hijacking.

The Register independently verified his findings with other security experts who specialize in DNS and the take-down of criminal websites and botnets. By examining results from an internet lookup tool known as Dig, short for the Domain Information Groper, they were able to determine that 131.107.202.197 and 131.107.202.198 — which are both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites.
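The check the experts describe is a two-step lookup: `dig NS <domain>` to get the domain's name servers, then `dig A <nameserver>` to see where each of those servers lives, and a comparison of the resulting addresses against the netblock of the organisation in question. The script below is an added example, not the researchers' tooling or anything Microsoft published: it parses answer-section lines in the five-field form dig prints and reports every domain whose name server resolves into a given set of addresses. The sample records are constructed (the name-server hostnames are placeholders; only the three domain names and the two Microsoft addresses come from the article), so it runs offline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format dig prints answer-section records
# (owner TTL class type rdata). It is NOT real lookup output: the
# name-server hostnames are placeholders; the three domain names and the
# two Microsoft addresses are the ones reported in the article. Real data
# comes from the ANSWER SECTION of `dig NS <domain>` followed by
# `dig A <nameserver>` for each server returned.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
seizemed.com.             3600  IN  NS  ns1.example-dns.net.
seizemed.com.             3600  IN  NS  ns2.example-dns.net.
yourrulers.com.           3600  IN  NS  ns1.example-dns.net.
crashcoursecomputing.com. 3600  IN  NS  ns3.example-dns.org.
ns1.example-dns.net.      300   IN  A   131.107.202.197
ns2.example-dns.net.      300   IN  A   131.107.202.198
ns3.example-dns.org.      300   IN  A   198.51.100.7
"""

# Addresses to screen for. These two /32s are the ones named in the
# article; in practice substitute the organisation's announced prefixes.
MICROSOFT_ADDRESSES = ["131.107.202.197/32", "131.107.202.198/32"]


def parse_dig_answers(text):
    """Return (owner, rrtype, rdata) tuples from dig-style answer lines.

    Comment lines (";") and anything that is not a five-field IN record
    are skipped. Owner names and NS targets are lower-cased and stripped
    of the trailing dot so they compare equal across records.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rrtype, rdata = fields[0], fields[3].upper(), fields[4]
        owner = owner.lower().rstrip(".")
        if rrtype in ("NS", "CNAME"):
            rdata = rdata.lower().rstrip(".")
        records.append((owner, rrtype, rdata))
    return records


def nameservers_in_netblocks(records, netblocks):
    """Map each domain to the (ns_host, ip) pairs whose A/AAAA record
    falls inside one of the given netblocks. Domains with no such
    server are omitted from the result.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    ns_of = defaultdict(list)     # domain   -> [name-server hostnames]
    addrs_of = defaultdict(list)  # hostname -> [ip addresses]
    for owner, rrtype, rdata in records:
        if rrtype == "NS":
            ns_of[owner].append(rdata)
        elif rrtype in ("A", "AAAA"):
            addrs_of[owner].append(ipaddress.ip_address(rdata))

    hits = {}
    for domain, hosts in ns_of.items():
        for host in hosts:
            for ip in addrs_of.get(host, []):
                # IPv6 addresses never match an IPv4 network, and vice versa
                if any(ip in net for net in nets):
                    hits.setdefault(domain, []).append((host, str(ip)))
    return hits


if __name__ == "__main__":
    found = nameservers_in_netblocks(parse_dig_answers(SAMPLE_DIG_OUTPUT),
                                     MICROSOFT_ADDRESSES)
    for domain, servers in sorted(found.items()):
        for host, ip in servers:
            print(f"{domain}: NS {host} -> {ip}")
```

Run against the constructed sample it flags seizemed.com and yourrulers.com and ignores crashcoursecomputing.com, whose server sits outside the screened addresses. Feeding it the output of real dig queries for a list of suspect domains is how one would confirm, or rule out, the same kind of hosting on one's own address space.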

The most likely explanation, they say, is that a machine on Microsoft's campus has been set up to serve the name servers' zones, probably after it became infected with malware.

“The important part seems to be some sort of compromise appears to be in play,” said Randal Vaughn, a professor of information systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned the box.”

Vaughn also held out the possibility that servers connected to the Microsoft IPs might be part of a honeypot that's deliberately hosting the name servers so that researchers can secretly monitor the gang's operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft.

A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed.

California-based Guilmette, who said he has uncovered evidence that other large organizations have been similarly hijacked in the past, said he's convinced the results mean that Microsoft has faced some sort of system compromise.

“I'm a paranoid kind of person,” he said. “There's no other immediately apparent, reasonably plausible explanation for the facts that I'm looking at.”

Another researcher who goes by the pseudonym Jart Armin said that there may be no Microsoft server compromise at all. Rather, he said, criminals may have figured out a way to cache the zone files on the Microsoft IP addresses and make them appear to be the authoritative results. He didn't fully explain how this could be done, however, and Guilmette and Vaughn discounted the likelihood of this hypothesis.

Canadian Health&Care Mall is believed to be run by affiliates of a group known alternately as Bulker.biz, Eva Pharmacy, and Yambo Financials, according to Spamtrackers.eu, a site that monitors online scams. The operation, which researchers say also engages in child pornography, identity theft, and rampant spamming, specializes in maintaining websites and name servers that run on infected hosts without the owners' knowledge, the website says. Members are known to infect Linux and Unix machines with custom-written binaries that act as proxy web hosts.

The benefits of running the website and DNS servers on infected machines are manifold. Not only does doing so drastically reduce the cost of the illegal operation, but the use of IP addresses from organizations with good reputations may make it easier for the scams to fly under the radar of spam filters and search-engine blacklists, Armin said.

“This is pretty cool stuff,” he told The Register. “They are getting around any anti-botnet & spam blacklisting, and as usual [it's] remarkably simple and cheap for them to do.”

Over the past few weeks, Guilmette said, the IP addresses of several other large organizations have also been observed to be hosting name servers for the same criminal outfit. The University of Houston, the government of India, and City University of New York are just three of the names on the list. They have since corrected the problems, so the DNS servers are no longer hitching a free ride on their systems, the researcher said.

In the past year, Microsoft has adopted a more active role in hunting down the very types of criminals Guilmette believes have hijacked Microsoft's network to help operate the illegal pharmacy. Company researchers were instrumental in founding the Conficker Working Group, which actively infiltrates the massive botnet that was built by the Conficker worm in an attempt to disrupt it or shut it down.

The company recently succeeded in shutting down the Waledac botnet through a combination of technical and legal maneuvers.

The irony that Microsoft IP addresses are playing a crucial role in enabling such scams wasn't lost on Baylor University's Vaughn.

“I almost guarantee that there's somebody up there at Microsoft, probably more than one, that are trying their darnedest to get rid of the Canadian pharmacy group,” he said. “It would be nice if they had that IP information available.”
