Compromised PC causes Microsoft network to push email spam
October 26, 2010
Publicly accessible information indicates that since Sep. 24, Internet IP addresses belonging to Microsoft have been used to re-route email traffic to more than 1,000 fraudulent Web sites maintained by a notorious group of Russian criminals, and this isn't the first time that a similar incident has been discovered.
The 1,025 unique websites, which include seizemed.com, yourrulers.com and crashcoursecomputing.com, are all pushing Viagra, Human Growth Hormones and other pharmaceutical products through the Canadian Health & Care Mall.
The spammers are using one of the two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers reveal. The authoritative name servers have been hosted on the Microsoft IP addresses since at least September 22nd, according to Ronald Guilmette, an Internet security researcher who first discovered the DNS hijacking.
Guilmette's findings were also checked with other Internet security experts who specialize in DNS and the take-down of criminal websites and botnets all over the world.
By closely examining the results returned by an Internet lookup tool such as dig, the security experts were able to determine that the IPs 188.8.131.52 and 184.108.40.206, which are both registered to Microsoft, are hosting dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the spam sites in question.
The experts say that the most likely explanation is that a computer on Microsoft's campus has been reprogrammed to serve the rogue DNS zones, probably after it became infected with some malware. There's also a good possibility that it was done manually, by a person or a group of people with access to the machine.
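The check the researchers describe, resolving each suspect domain's NS records and then resolving the name servers themselves to see whether they land in an organization's own address space, is easy to automate as a defender's hunt over one's own netblocks. The following is an added example, not code from the article or from any of the researchers quoted; the domains, name-server hostnames, IPs and the `192.0.2.0/24` prefix are constructed placeholders (RFC 5737 documentation ranges), and `lookup` is an injected resolver so the script runs offline.

```python
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Constructed sample DNS data standing in for live NS and A lookups.
# Two "pharmacy" domains share a pair of name servers that resolve into
# the organization's own prefix; a third domain uses an outside provider.
SAMPLE_NS: Dict[str, List[str]] = {
    "example-pharma-1.test": ["ns1.rogue-ns.test.", "ns2.rogue-ns.test."],
    "example-pharma-2.test": ["ns1.rogue-ns.test.", "ns2.rogue-ns.test."],
    "legit-site.test": ["ns.provider.test."],
}
SAMPLE_A: Dict[str, List[str]] = {
    "ns1.rogue-ns.test": ["192.0.2.10"],
    "ns2.rogue-ns.test": ["192.0.2.11"],
    "ns.provider.test": ["198.51.100.5"],
}
# Placeholder for the organization's announced netblocks (constructed).
ORG_PREFIXES = ["192.0.2.0/24"]


def sample_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver: returns NS or A data for `name`."""
    name = name.rstrip(".")  # DNS answers carry a trailing dot; normalize it
    table = SAMPLE_NS if rtype == "NS" else SAMPLE_A
    return table.get(name, [])


def find_rogue_nameservers(
    domains: Iterable[str],
    org_prefixes: Iterable[str],
    lookup: Callable[[str, str], List[str]] = sample_lookup,
) -> Dict[str, List[str]]:
    """Map each name-server IP inside `org_prefixes` to the suspect domains it serves.

    For every domain, fetch its NS records, resolve each name server to IPv4
    addresses, and keep those that fall inside one of the organization's
    networks. The result is keyed by name-server IP so an operator can see
    at a glance which hosts need attention and how many domains ride on each.
    """
    networks = [ipaddress.ip_network(p, strict=False) for p in org_prefixes]
    hits: Dict[str, set] = defaultdict(set)
    for domain in domains:
        for ns_host in lookup(domain, "NS"):
            for ip_text in lookup(ns_host, "A"):
                addr = ipaddress.ip_address(ip_text)
                if any(addr in net for net in networks):
                    hits[ip_text].add(domain)
    return {ip: sorted(doms) for ip, doms in sorted(hits.items())}


if __name__ == "__main__":
    report = find_rogue_nameservers(SAMPLE_NS.keys(), ORG_PREFIXES)
    for ns_ip, served in report.items():
        print(f"{ns_ip} serves {len(served)} suspect domain(s): {', '.join(served)}")
```

To run this against live DNS, replace `sample_lookup` with a function that calls a real resolver (for example dnspython's `dns.resolver.resolve(name, rtype)` and stringifies each answer record); the matching logic is unchanged. Feeding it a spam-trap's domain list and the organization's own prefixes turns the manual dig session described above into a repeatable check.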
A Microsoft spokeswoman added that she was investigating the findings and expected to provide a statement once the investigation was completed.
Guilmette, who said he has uncovered evidence that other large organizations have been similarly hijacked in the past, said he's convinced the results mean that Microsoft has faced some sort of serious DNS system compromise.
“The most critical segment seems to be some sort of compromise that appears to be in play,” said Randal Vaughn, a professor of DNS and information systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer computer or something else entirely. In order to get the DNS zones entered in there, they must have pwned the computer.”
Vaughn also held out the possibility that servers connected to the Microsoft IPs could have been part of a so-called "honey pot" that is deliberately hosting the name servers so that researchers can secretly monitor the hacker group's operations.
Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft.
Vaughn said, "I'm a bit of a paranoid kind of person. There's no other immediately apparent, reasonably plausible explanation for the cold but hard facts that I'm looking at right now."
Another Internet security expert who goes by the pseudonym Jart Armin said that there may be no Microsoft server compromise at all. Rather, he said, criminals may have figured out a way to cache the zone files on the Microsoft IP addresses and make them appear to be the authoritative results. He didn't fully explain how this could be done, however, and Guilmette and Vaughn discounted the likelihood of this hypothesis.
The Canadian Health & Care Mall is believed to be run by affiliates of a group known alternately as Bulker.biz, Eva Pharmacy and Yambo Financials, according to Spamtrackers.eu, a site that monitors online spammers and scam sites.
The operation, which researchers say also engages in child pornography, identity theft and rampant email spamming, specializes in maintaining Web sites and name servers that run on infected hosts without the owners' knowledge, the website says.
Members are known to infect Linux, Unix and Windows computers with custom-written binaries that act as proxy web hosts and rogue DNS servers.
Guilmette said that since 2007, the IP addresses of several other large organizations have also been observed to be hosting name servers for the same criminal group. The University of Houston, the government of India and City University of New York are just three of the names on the list.
But they have since corrected the issues so that the DNS servers are no longer hitching a free ride on their systems, the researcher said.
Since November 2009, Microsoft has adopted a more active role in hunting down the very types of criminals Guilmette believes have hijacked Microsoft's network to help operate the illegal pharmacy. Company researchers were instrumental in discovering the Conficker Working Group, which actively infiltrates the massive botnet that was built by the Conficker worm in an attempt to disrupt it or shut it down completely.
The benefits of running a website and DNS servers on infected computers are numerous. Not only does doing so drastically reduce the cost of the illegal operation, but the use of IP addresses from organizations with good reputations may make it easier for the scams to fly under the radar of spam filters and search-engine blacklists.
“They are getting around any anti-botnet & spam blacklisting, and as usual it's remarkably simple and cheap for them to do,” said Vaughn.
Microsoft recently succeeded in shutting down the Waledac botnet through a combination of technical and legal maneuvers.
The irony that Microsoft IP addresses are playing a crucial role in enabling such scams wasn't lost on Baylor University's Vaughn.
"I almost guarantee that there's somebody up there at Microsoft, probably more than one, that are trying their best to get rid of the Canadian pharmacy group. It would be nice if they had that IP information available," added Vaughn.