An organized cyber crime gang known for aggressively pushing male enhancement drugs and other knockoff pharmaceuticals used Internet addresses belonging to Microsoft as part of a massive denial-of-service attack against KrebsOnSecurity.com late last month.
The attack on my Web site happened on Sept. 23, roughly 24 hours after I published a story about a criminal online service that brazenly sold stolen credit card numbers for less than $2 each (see: I’ll Take Two MasterCards and a Visa, Please). That story got picked up by BoingBoing, Gizmodo, NPR and a variety of other sites, public attention that no doubt played a part in the near-immediate suspension of that criminal Web site.
At first, it wasn’t clear what was behind the attack, which at one point caused a flood of traffic averaging 2.3 gigabits of junk data per second (see graph above). Not long after the attack ended, I heard from Raymond Dijkxhoorn and Jeff Chan, co-founders of SURBL, which maintains a list of Web sites that have appeared in spam. Chan sent me a message saying he had tracked the attack back to several Internet addresses, including at least one that appeared to be located on Microsoft’s network — 126.96.36.199.
According to SURBL, the culprits were botnets under the thumb of “the usual Russian pill gangs”: Dozens of domains that resolve(d) to online pharmacy sites — including bridgetthefidget.com, crazygraze.com, firstgang.com, triplefixes.com and philsgangdirect.com — were using a compromised machine at that Microsoft address as a domain name server.
The attackers then told machines they controlled to access a number of non-existent pages at sites that were pointing to the Internet address my hosting provider has assigned to KrebsOnSecurity.com (188.8.131.52). This forced several hundred or thousand machines to direct their traffic at my site, all in an attempt to prevent legitimate visitors from visiting it.
For example, the attack packets included DNS for false requests such as:
mzkzalczdznzjzfbszvzazd.jumpgirlsaloud.nl A 184.108.40.206
sdfsdfsdfsdfsdffbszvzazd.youralveolarbone.nl A 220.127.116.11
zzncmzkzalczdznzjzfbszvzazd.cheapxenonbulbs.com A 18.104.22.168
zzncmzkzalczdznzjzfbszvzazd.expletivedirect.com A 22.214.171.124
I found the unusual method of attack interesting because it called attention to a significant amount of infrastructure used by the bad guys. For all I know, this may have been intentional, either to let me know who was responsible, or to make me think I knew who was responsible.
In any case, the attack took place in the early morning U.S. time, and by the time I’d woken up that day, my hosting provider, Dijkxhoorn’s Prolocation.net, had already dealt with the attack handily. Chan said SURBL had alerted Microsoft regarding the compromised IPs, and I filed the information away for a future blog post but for a variety of reasons forgot about it. Until Tuesday.
That’s when I read a story in The Register by tech reporter Dan Goodin, who wrote that for the past three weeks, Internet addresses belonging to Microsoft had been used to route traffic to more than 1,000 fraudulent pharmacy Web sites maintained by a notorious group of Russian criminals responsible for promoting Canadian Health&Care Mall pill sites. That story jogged my memory because it highlighted the very same Microsoft IP address that was implicated in the attack on my site.
Ronald F. Guilmette, the security researcher who shared that information with The Register, told KrebsOnSecurity that the pharmacy domains referenced in Goodin’s story appeared to be tied to an ICANN-accredited domain registrar in Turkey named Alantron. Although the pill site domain names that were associated with the Microsoft server are registered through a variety of non-Alantron registrars, all of them appear to use DNS servers tied to Alantron’s domain.
For example, bafereuti.com, lixduoxbe.com and others as of late Tuesday used yok15.alantron.com, and dozens of other pill sites associated with this gang use similar Alantron DNS entries, all the way up to yok87.alantron.com, yok88.alantron.com, and yok89.alantron.com. A complete list is available here.
Alantron did not respond to requests for comment. Again, the Alantron connection could be just willful misdirection on the part of the pill pushers. Still, the company has a history of abuse and neglect issues. In April, ICANN warned Alantron that it was in breach of its registrar accreditation agreement with ICANN because it failed to provide a WHOIS server to allow visitors to look up the ownership information of domains registered through its service. A copy of that ICANN order is available here (PDF).
Guilmette said that since The Register story ran, Microsoft appears to have addressed the compromised system on its network. Redmond did not respond to requests for comment about the compromised server; no doubt, most of their botnet experts are tied up at Microsoft’s Digital Crimes Consortium, an anti-botnet conference going on this week up in…well Canada, naturally.
In just one of the many ironies in this story, the compromised server inside of Microsoft appears to have been running Linux, not one of Microsoft’s server technologies. According to Guilmette, all of the hacked servers used by this pill gang are Unix or Linux servers. This mode of operation matches that of “Bulker.biz,” a rogue pharmacy affiliate program known for promoting rogue “Canadian Health&Care Mall” pill sites — as well as a number of other brands — by hijacking poorly-secured Linux and Unix servers.
Update, 7:34 p.m. ET: Christopher Budd, Microsoft’s response manager for trustworthy computing, sent this statement via email: “Microsoft became aware of reports on Tuesday, October 12, 2010, of a device on the Microsoft network that was possibly compromised and facilitating spam attacks. Upon hearing these reports, we immediately launched an investigation. We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error. Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls.”