Feeds

Ruskie gang hijacks Microsoft network to push penis pills

Redmond abused as scammers' IP bitch

Seven Steps to Software Security

For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates.

The 1,025 unique websites — which include seizemed.com, yourrulers.com, and crashcoursecomputing.com — push Viagra, Human Growth Hormone, and other pharmaceuticals though the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22, according to Ronald F. Guilmette, a researcher who first uncovered the hijacking.

The Register independently verified his findings with other security experts who specialize in DNS and the take-down of criminal websites and botnets. By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, they were able to determine that 131.107.202.197 and 131.107.202.198 — which are both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites.

The most likely explanation, they say, is that a machine on Microsoft's campus has been programmed to do so, probably after it became infected with malware.

“The important part seems to be some sort of compromise appears to be in play,” said Randal Vaughn, a professor of information systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned the box.”

Vaughn also held out the possibility that servers connected to the Microsoft IPs might be part of a honey pot that's deliberately hosting the name servers so that researchers can secretly monitor the gang's operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft.

A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed.

California-based Guilmette, who said he has uncovered evidence that other large organizations have been similarly hijacked in the past, said he's convinced the results mean that Microsoft has faced some sort of system compromise.

“I'm a paranoid kind of person,” he said. “There's no other immediately apparent, reasonably plausible explanation for the facts that I'm looking at.”

Another researcher who goes by the pseudonym Jart Armin said that there may be no Microsoft server compromise at all. Rather, he said, criminals may have figured out a way to cache the zone files on the Microsoft IP addresses and make them appear to be the authoritative results. He didn't fully explain how this could be done, however, and Guilmette and Vaughn discounted the likelihood of this hypothesis.

Canadian Health&Care Mall is believed to be run by affiliates of a group known alternately as Bulker.biz, Eva Pharmacy, and Yambo Financials, according to Spamtrackers.eu, a site that monitors online scams. The operation, which researchers say also engages in child pornography, identity theft, and rampant spamming, specializes in maintaining websites and name servers that run on infected hosts without the owners' knowledge, the website says. Members are known to infect Linux and Unix machines with custom-written binaries that act as proxy web hosts.

The benefits of running the website and DNS servers on infected machines are manifold. Not only does doing so drastically reduce the cost of the illegal operation, but the use of IP addresses from organizations with good reputations may make it easier for the scams to fly under the radar of spam filters and search-engine blacklists, Armin said.

“This is pretty cool stuff,” he told The Register. “They are getting around any anti-botnet & spam blacklisting, and as usual [it's] remarkably simple and cheap for them to do.”

Over the past few weeks, Guilmette said, the IP addresses of several other large organizations have also been observed to be hosting name servers for the same criminal outfit. The University of Houston, the government of India, and City University of New York are just three of the names on the list. They have since corrected the problems, so the DNS servers are no longer hitching a free ride on their systems, the researcher said.

In the past year, Microsoft has adopted a more active role in hunting down the very types of criminals Guilmette believes have hijacked Microsoft's network to help operate the illegal pharmacy. Company researchers were instrumental in founding the Conficker Working Group, which actively infiltrates the massive botnet that was built by the Conficker worm in an attempt to disrupt it or shut it down.

The company recently succeeded in shutting down the Waledac botnet through a combination of technical and legal maneuvers.

The irony that Microsoft IP addresses are playing a crucial role in enabling such scams wasn't lost on Baylor University's Vaughn.

“I almost guarantee that there's somebody up there at Microsoft, probably more than one, that are trying their darnedest to get rid of the Canadian pharmacy group,” he said. “It would be nice if they had that IP information available.” ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.