Feeds

Ruskie gang hijacks Microsoft network to push penis pills

Redmond abused as scammers' IP bitch

Choosing a cloud hosting partner with confidence

For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates.

The 1,025 unique websites — which include seizemed.com, yourrulers.com, and crashcoursecomputing.com — push Viagra, Human Growth Hormone, and other pharmaceuticals though the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22, according to Ronald F. Guilmette, a researcher who first uncovered the hijacking.

The Register independently verified his findings with other security experts who specialize in DNS and the take-down of criminal websites and botnets. By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, they were able to determine that 131.107.202.197 and 131.107.202.198 — which are both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites.

The most likely explanation, they say, is that a machine on Microsoft's campus has been programmed to do so, probably after it became infected with malware.

“The important part seems to be some sort of compromise appears to be in play,” said Randal Vaughn, a professor of information systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned the box.”

Vaughn also held out the possibility that servers connected to the Microsoft IPs might be part of a honey pot that's deliberately hosting the name servers so that researchers can secretly monitor the gang's operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft.

A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed.

California-based Guilmette, who said he has uncovered evidence that other large organizations have been similarly hijacked in the past, said he's convinced the results mean that Microsoft has faced some sort of system compromise.

“I'm a paranoid kind of person,” he said. “There's no other immediately apparent, reasonably plausible explanation for the facts that I'm looking at.”

Another researcher who goes by the pseudonym Jart Armin said that there may be no Microsoft server compromise at all. Rather, he said, criminals may have figured out a way to cache the zone files on the Microsoft IP addresses and make them appear to be the authoritative results. He didn't fully explain how this could be done, however, and Guilmette and Vaughn discounted the likelihood of this hypothesis.

Canadian Health&Care Mall is believed to be run by affiliates of a group known alternately as Bulker.biz, Eva Pharmacy, and Yambo Financials, according to Spamtrackers.eu, a site that monitors online scams. The operation, which researchers say also engages in child pornography, identity theft, and rampant spamming, specializes in maintaining websites and name servers that run on infected hosts without the owners' knowledge, the website says. Members are known to infect Linux and Unix machines with custom-written binaries that act as proxy web hosts.

The benefits of running the website and DNS servers on infected machines are manifold. Not only does doing so drastically reduce the cost of the illegal operation, but the use of IP addresses from organizations with good reputations may make it easier for the scams to fly under the radar of spam filters and search-engine blacklists, Armin said.

“This is pretty cool stuff,” he told The Register. “They are getting around any anti-botnet & spam blacklisting, and as usual [it's] remarkably simple and cheap for them to do.”

Over the past few weeks, Guilmette said, the IP addresses of several other large organizations have also been observed to be hosting name servers for the same criminal outfit. The University of Houston, the government of India, and City University of New York are just three of the names on the list. They have since corrected the problems, so the DNS servers are no longer hitching a free ride on their systems, the researcher said.

In the past year, Microsoft has adopted a more active role in hunting down the very types of criminals Guilmette believes have hijacked Microsoft's network to help operate the illegal pharmacy. Company researchers were instrumental in founding the Conficker Working Group, which actively infiltrates the massive botnet that was built by the Conficker worm in an attempt to disrupt it or shut it down.

The company recently succeeded in shutting down the Waledac botnet through a combination of technical and legal maneuvers.

The irony that Microsoft IP addresses are playing a crucial role in enabling such scams wasn't lost on Baylor University's Vaughn.

“I almost guarantee that there's somebody up there at Microsoft, probably more than one, that are trying their darnedest to get rid of the Canadian pharmacy group,” he said. “It would be nice if they had that IP information available.” ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.