Darknet Diaries - 110: Spam Botnets
Episode Date: February 8, 2022
This episode tells the stories of some of the world's biggest spamming botnets. We'll talk about the botnets Rustock, Waledac, and Cutwail. We'll discover who was behind them, what their objectives were, and what their fate was.
Sponsors
Support for this show comes from Juniper Networks (hyperlink: juniper.net/darknet). Juniper Networks is dedicated to simplifying network operations and driving superior experiences for end users. Visit juniper.net/darknet to learn more about how Juniper Secure Edge can help you keep your remote workforce seamlessly secure wherever they are. Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.
Transcript
I grew up in the U.S., close to my grandma.
She was old and needed medicine, and often she'd buy her medicine in Mexico.
I have many fond memories of taking an all-day road trip to Mexico,
getting across the border, trying to find La Farmacia,
hoping we'd get the right medicine there,
figuring out a way to get it back over the border, and then driving home.
The thing is, here in the U.S., medicine is crazy expensive,
so making the trip down to Mexico for medicine
was worth it to us. My grandma was just someone looking for deals and trying to save money.
But this is a common story. I've heard from other people in the U.S. too. Yeah, it's often illegal
to do this because the U.S. doesn't want people importing drugs that aren't FDA approved. But still,
people do it. But then another option landed on the table.
Pharmacies began to appear online. Suddenly, you could order your medicines from your computer and
get it delivered right to your front door. And that changed everything. But there was a problem
with this too. Not all these internet pharmacies were above board. They weren't all licensed, and most of the
time the medicines they were selling weren't regulated, and that makes for a really murky
and dangerous scene. When rogue online pharmacies hit the market, underground partnerships were born
to promote them and get more customers. Their public face looked authentic, but the reality
was much darker. Their digital partners were internet spammers.
Today's internet is like a big mask. It's full of shady characters trying to trick you.
And this story is a look behind closed doors at what really goes on, and how spammers and
botnets and hackers have shaped how online pharmacies look today. And when you venture
into the depths of the internet, the consequences can be life-changing. These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find
about you online to try to get at your money. And our personal information is all over the place
online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's
endless and it's not a fair fight. But I realize I don't need to be fighting this alone anymore.
Now I use the help of DeleteMe. DeleteMe is a subscription service that finds and removes
personal information from hundreds of data brokers' websites and
continuously works to keep it off. Data brokers hate them, because DeleteMe makes sure your personal profile is no longer theirs to sell.
I tried it, and they immediately got busy scouring the internet for my name and gave me reports on what they found, and then they
got busy deleting things. It was great to have someone on my team when it comes to my privacy.
Take control of your data
and keep your private life private
by signing up for Delete Me.
Now at a special discount
for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com
slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security
world-class in security training. You can learn things like penetration testing,
securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF cyber range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
When pharmacies started up online, getting medicines became much easier,
and that was a game-changer for a lot of people.
But there was still one big problem, the cost.
These medicines were just
unbelievably pricey. As more and more pharmacies became available online, people looking around
for medicine started to notice a big price difference on certain sites. Some online
pharmacies would show up and they had the same range of meds available, but they were a lot
cheaper. And I mean like half the price cheaper. And they didn't even ask for a prescription.
But these pharmacies weren't the real thing.
They were rogue.
And pretty much everything on their website was fake.
A lot of these rogue internet pharmacies advertised themselves under the Canadian pharmacy brand.
See, Canada is known for licensed medicines being available at much more reasonable prices.
There's a regulation on medicine there.
So pharmacies are told by the government what prices to charge. So when people thought these online meds were coming from Canada,
they were less suspicious and more trusting. The reality, though, is that these drugs were
not being sold from Canada. Here's an audio clip from the Partnership of Safe Medicines.
Have a listen to what they say about online Canadian pharmacies.
Have you ever googled Canadian online pharmacy and gotten like 40 million results?
Most people don't realize that these online pharmacies that they find in Google are not
mom and pop businesses selling you inexpensive medicines because it's the nice thing to do.
They're fronts for large global criminal networks that run hundreds or even thousands of sites to
sell unapproved drugs for huge profits. Sometimes the drugs aren't FDA approved, sometimes they don't have enough or any active ingredient,
and sometimes they have deadly ingredients. As the internet pharmacies were really starting
to gain steam, the little blue pill rose in popularity. Big pharma company Pfizer started
making their Viagra pill to solve the problem of erectile dysfunction, and their
marketing campaign was a throbbing success. By 2008, Viagra sales brought Pfizer $2 billion
that year, which accounted for 92% of all erectile dysfunction pills. This pill had been prescribed
to over 30 million men worldwide in the 10 years it had been available. There's been books written
about Viagra and how it changed people's lives, but Pfizer had a strict patent on the pill and no generics were available. So the only way
you could get it was to buy the name brand expensive one. So those shady online Canadian
pharmacies became shadier. They decided to make their own Viagra pills. And the most important
part of it was to make sure it was the same shape,
size, color, and label. But it didn't matter what the ingredients were. These were fake pills.
Some were harmless, but others contained blue printer ink or boric acid. The fake online Canadian pharmacies knew there was such a high demand for these pills that they wanted to cash in on that demand.
In 2006, two Russians, Igor Gusev and Dmitry Stupin, set up their own online pharmacy called GlavMed. There's a lot of characters in this story, and there's actually a few different
Dmitrys, so I'm sorry if it gets confusing. Now, their website, GlavMed, was nicely done
and claimed to be part of the Canadian pharmacies group. But GlavMed was not a legit pharmacy. There was no requirement for prescription and no
online pharmacist available to answer questions or check out each order.
See, every legit pharmacy has a pharmacist working there. To be a pharmacist, you need a PharmD
degree, which is a doctor of pharmacy, and you need to pass an exam to get a license.
It's important that a pharmacist checks
every order because certain drug combinations can be deadly or even some drugs by themselves can be
deadly and need proper warnings. But the GlavMed pharmacies didn't care about that and didn't hire
pharmacists. They sold everything from fake Viagra to pain medicines and they were getting them from
mass factories in Europe. It was like Amazon for meds.
Browse, click, add to your basket, pay, and go. That was it. No prescription needed. Igor had
experience in some not-so-legal online businesses. Back in 2003, he had set up a payment processor in
Russia with his business partner at the time, Pavel Vrublevsky. They called it ChronoPay, and it did
pretty well. It wasn't the most clean of operations, though.
A lot of the payments ChronoPay was processing were for, like, underground online pharmacies
or a lot of really shady porn sites.
So when Igor decided to set up his own fake internet pharmacy, it really wasn't that much of a leap.
Igor and Pavel had a falling out in 2005, and Pavel started running ChronoPay by himself.
And that's when Igor went and started GlavMed with Dmitry Stupin.
To be successful, GlavMed needed customers.
And so they needed to advertise.
But they didn't want to do the advertising themselves,
so they set up an affiliate network.
They offered affiliates an impressive 30% to 40% commission rate
on each sale they drove to the GlavMed pharmacy sites. They would
offer huge prizes and throw big parties for their affiliates, because they were trying to be the top
affiliate network and attract the best affiliates. These Russian affiliate networks were called
partnerka. It's a good and tried-and-tested business model. Igor and Dmitry Stupin only
paid out when they got sales. The more money they were paying
affiliates in commissions meant the more sales they were getting. They'd deal with all the
ordering of the medicines, keep the stock up, taking payments from customers, and organizing
the shipping. And their affiliates could concentrate on driving customers to the site
using whatever advertising models they wanted. And GlavMed wasn't picky. Anyone could sign up
at this program and take a shot at making some money with it. And if the methods they used were on the black hat side, well,
that didn't bother them too much either. GlavMed had a sister program called SpamIt,
and they had an affiliate program too. Now, SpamIt was a spam affiliate program. You can sign up for
them, get your little affiliate code and whatever product SpamIt wanted you to market, and then spammers would send tons of emails out with that URL and tracking code.
Truckloads of emails were sent to everyone across the globe, but mainly to people in the U.S.,
advertising things like GlavMed's online pharmacies.
When people clicked the link to go to the website, that link had a little tracking code which gave the spammer credit for the traffic.
So if people do buy something, SpamIt knows which spammer sent them that customer.
But SpamIt was a secret program and sat under the GlavMed shadow. While anyone could sign up
for an affiliate program at GlavMed, not anyone could be an affiliate at SpamIt. People needed to
be invited from somebody who was already a member. Sometimes they'd even get background checks to have them prove themselves as a decent spammer.
You know what it's like in your inbox.
You get emails from your bank or your cell provider.
Great.
But you also get a lot of other stuff too.
Stuff you didn't ask for.
And sometimes it's way more than just an email.
Microsoft's digital crimes unit senior attorney,
Richard Boscovich, explains it pretty well.
You could open up your email account and you'll have tons of advertisements and things of that sort that you just don't want.
But spam is much more than that.
It's kind of like if you had junk mail come to your house.
And when you open the envelope, a white powder exploded on you and somehow you become infected with something.
Literally, that's what happens in the cyber world.
And then you've got a lot of porn emails.
The ones telling you that somebody is nearby and wants to hook up.
And what websites to visit to see an exclusive show.
And next to porn, it's pills.
And Viagra was the leading one.
The little blue pill was sold in emails telling you how your sex life will be enhanced beyond your wildest imagination.
See, back in 2007, email spam filters weren't that sophisticated yet. They would look for keywords or phrases and block them. Spammers figured out how to get around filters, and were
doing so pretty easily. So people would see emails show up with the subject, want to be rock hard?
With links to where they can buy Viagra without a prescription and for much cheaper. Now, email spam
laws did come in, eventually making it harder for spammers to send these kind of unsolicited emails. And the email clients got way better at catching them
and sticking them into dedicated spam folders. But the shadier businesses still did it. Because,
well, spam was working, like, really well. The more spam that went out meant more people were
visiting the porn and pharmacy websites, and profits for both the spammers and the website
owners.
Spammers are like the middlemen when it comes to shady online pharmacies.
They might have a background in computers, IT, or hacking,
but then got involved with sending spam because they can make more money from that.
Damon McCoy is from George Mason University in Virginia.
He was the lead author of a big study in the partnerships between spammers and the online pharmacies.
This is him giving a talk, PharmaLeaks, at the 21st USENIX Security Symposium
in 2012 in Bellevue, Washington. So there's three main players in this economy. There's
the user, which is a potential customer. There's the affiliate marketer, which is typically a
spammer. And there's the affiliate program. And let me go into a concrete example of a business interaction between these three parties.
So initially what happens is that the affiliate marketer perhaps gets the user to see some
kind of spam advertisement that includes some kind of link.
They'll include some kind of enticement of cheap drugs, no prescriptions required, to
get the user to click on this.
If the user is actually interested in perhaps buying these pharmaceuticals,
clicks on it, they'll be delivered that template that I showed you in the original slide.
And the user can interact with this template just as with a normal e-commerce site.
There's a wide selection of drugs there.
They can select their drugs.
If they indeed want to purchase some drugs from the site,
then at this point in time,
the relationship switches from the affiliate,
whose job it is to attract customers,
to the affiliate program,
whose job it is to actually monetize the customer
and turn them into money.
So at this point in time, the spammer fades out,
the affiliate program steps in,
and if the user decides to purchase this, typically purchases happen with credit cards, the user gives their
credit card details to the affiliate program, which actually operates much like a business, and
their job is to process credit cards, and then they'll actually deliver some product
that you ordered.
So this isn't a complete scam.
These pharmacy affiliate programs, as I'll show you, operate much like a business,
and they're very interested in keeping their customers happy and satisfied
because these customers are paying with credit cards.
If they're not satisfied customers, they're going to charge back.
These affiliate programs will be shortly out of business.
And as I'll show you from the economics, these affiliate programs are in it for the long haul, and they want to scale
their business to large millions of dollars. So it's not in their interest to have dissatisfied
customers. For a good spammer, this is a great deal. The more spam they send, the more money
they can make. And they knew if they could scale up, it would mean they could really scale up.
Their commissions could just go through the roof. This is what one guy figured out while he was earning
himself some money with GlavMed and SpamIt. He called himself Google. Yeah, I know it's confusing
because it's the name of the search engine, but that was the name he went by. So this guy Google
started spamming and he saw that it was pretty effective. And he tried thinking of ways that he
could make more people visit the online pharmacy. Sending mass amounts of email is not so easy. Every email that's sent has an IP
address of where it's from. And if you send enough spam email from a single IP address, that IP
address gets added to an abuse or block list and email providers will stop accepting emails from it.
So spammers would need to change their IP frequently, which can be a hassle. So the
hacker named Google thought if he could control hundreds of different computers and send emails
from them, then it would be harder for email providers to block that many IPs. Taking control
of a bunch of different computers like this and putting them all to work together, that's called
a botnet. And when you combine spam with a botnet, you get an incredible working
machine. So you can think of a botnet like a big network of computers that someone has full control
over all of them. So from a single workstation, they can tell all the computers to carry out a
task. And these computers would be people's home computers or laptops, or even work computers in
the office. And they can be located all over
the world. But these people didn't sign up for their computer to be used like this. So because
nobody would opt into this, it meant people running the botnets would have to stay hidden
from the user and not let their presence be known. In 2007, Vint Cerf, he's the guy who
co-developed the TCP/IP protocols, he said of the 600 million computers connected to the Internet,
between 100 and 150 million of them were already part of a botnet.
Here's Kaspersky talking about how they work.
Malicious software, or malware, can harm your computer in a variety of ways.
And sometimes the effects are not known until it's too late.
What's worse, your computer can become one of many infected
with malware, creating a botnet, short for robot and network. Cyber criminals use special malware,
usually a Trojan horse, to breach the security of several users' computers. These take control
of each computer and organize all of the infected machines into a network of bots,
which are unwitting tools that the cyber criminal can
remotely manage. The infected system may act completely normal with no warning signs. A bot
can be a PC, Mac, or even a smartphone. Oftentimes, the cyber criminal will seek to infect and control
thousands, tens of thousands, or even millions of computers so that they can act as the master
of a large zombie network or bot network.
Once infected, computers are hooked into a botnet
and they sit there quietly waiting for instructions.
It's like hundreds of thousands of obedient little puppies
just staying in silence, ears pricked up
and waiting to be told what to do next.
They're obedient and will follow the instructions they're given.
Computers in a botnet are the most loyal machines you'll ever find. But all botnets are created by someone. And that someone is called a bot master or bot
herder. And Google wanted to become a bot master. A bot master sits behind their computer controlling
it all. It's all done remotely and it's all done anonymously. These guys don't reveal their
identities. In fact, one of the biggest problems in trying to fight a botnet
is not knowing who the botmaster is,
or where in the world they're even located.
Botnets are controlled through a command and control server,
which I like to call CNC.
Some people call them C2s.
This has to be set up and maintained by the botmaster.
Even hackers need to host their stuff.
And CNC is like the nucleus of a cell.
All the key information, instructions,
and communication with zombie bots in the network go through here. And once the bots have carried
out their specific task, they send feedback back to the CNC. They like to report back on how well
they did and any problems they hit. They're very well-trained bots. Botnets have been used for all
sorts of things in the past. I mean, think about it. You've got all these computers at your command. The combined computing power is insane. You set that
thing loose and you can cause some serious damage. DDoS attacks are a favorite for botmasters and
their botnets. But bots can also steal personal information and banking information. But the one
thing botnets are really good at is sending out mass volumes of spam emails.
So Google had sat and thought about ways he could gain access to hundreds of computers.
He needed to infect them somehow with malware and would bring them under his control.
He decided to use a Trojan to be the installer for his own spam botnet.
But this really wasn't easy.
Getting all this just right was something Google puzzled over,
and so he ended up accepting some help.
Igor Vishnevsky was another spammer that Google met years before in Moscow, and he came on board to help protect it all.
By the time they were done, hacker Google and Igor Vishnevsky had built a botnet and called it Cutwail.
Cutwail was designed as a centralized botnet.
That meant the CNC server would communicate directly with
each infected computer. They designed it well, but now they needed to populate it by infecting
hundreds of computers to get them to join this botnet. Google used a trojan called Pushdo to
infiltrate Windows computers and get the Cutwail spam engine running on them. I don't know who
built Pushdo, or even if Google had something to do with it himself, but Pushdo and Cutwail went hand-in-hand in their interoperability.
They were a pair that was rarely seen without the other, but it did happen occasionally.
Pushdo would infect machines through phishing emails.
Like the email might say, someone just sent you an e-card, click here to see it.
And other methods were drive-by downloads.
But that was just a dropper, a tiny program whose job was to install
Pushdo. The dropper scans computers, hunting for gaps in the software. Maybe the operating system
hasn't been updated in a while, or there's an app that has a vulnerability. Once it finds this,
it then installs Pushdo and starts the infection. First, it makes a copy of itself and sits quietly
in the system directory. It also writes new code for the registry. This enables new malware and updates to be installed
every time the computer starts up.
Rootkits are installed to hide all this from the user
and from any antivirus programs that were installed.
And when those tasks are done,
Pushdo gets on with its real purpose,
downloading more malware.
And Cutwail was at the top of the list.
Once Cutwail downloads and runs for the first time, the computer is now a zombie machine.
It's a slave and part of the Cutwail botnet.
Straight away, Cutwail contacts hard-coded IP addresses to talk to the CNC server controlled by the hacker Google.
This is a new bot asking for instructions on what it should do now, like an obedient puppy that it is.
The CNC server sends
back a full spam creation pack for the bot to use. So the zombie machine gets a list of active email
addresses to send spam to, and there's a heap of email templates with content already written and
ready to go. And this was already written and tested that it could pass through spam filters.
The bots put all this together and start sending the emails out in different spam campaigns.
It's important to mention a little bit about how emails work here.
It's incredibly easy to spoof where an email is from.
That little from field in the email, yeah, you can write whatever you want in there.
In the early days of the internet, there were no checks to see if an email came from where it says it came from.
But now a lot of companies have added checks to verify that from field is where the email actually came
from. It matches. But when Cutwail was going around, that feature wasn't implemented very well.
So you could put whatever you wanted in the from field. So this was all going very well for
hacker Google. He was getting Cutwail into computers and collecting his zombie bots.
The numbers were adding up fast, and he didn't want to just stop there. He started to offer
Cutwail out to rent. He was advertising his botnet on SpamIt underground's web forums called spam.biz. Now,
this is a place where hackers and spammers would go to share information, hire software, or sell
malware, all illegal and dodgy. There are loads of reasons why a ready-made botnet would appeal
to some cyber criminals, but mainly it was because they wanted their own malware installed on as many machines as possible and to send out crazy amounts of spam. There were some
standard prices for botnet hires, like to use a botnet that has 10,000 installations, that would
go for like $300 or $800. Machines in the U.S. were more valuable targets. They had better internet
connections, so they were up to $125 for a thousand machines
infected. The computers in Asia and Europe, they were cheaper at about $13 to $35 per thousand
infections. Some were even paying as high as $10,000 a month to use a botnet, which could send
100 million emails every day. These services often came with free trials to prove how effective they
are. There was another trojan or botnet called the Game Over Zeus Trojan,
and that stole personal information and banking information,
and it was installed on millions of computers using Pushdo and the Cutwail botnet.
And this Zeus Trojan is so fascinating to me,
that's actually going to be the subject of the entire next episode,
so make sure to tune in to that.
I'm going to pause for a break here, but stay with us because when we come back, some battles are waged.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily, taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet
exposure and was surprised by just how much stolen identity data criminals have at their disposal,
from credentials to cookies to PII. Knowing what's putting you and your organization at risk
and what to remediate is critical for protecting you and your users from account takeover,
session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure
from third-party breaches, successful phishes, or info-stealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries. The website is spycloud.com
slash darknetdiaries. So Cutwail was a roaring success and was growing fast. This was all going on
in 2007. And in case you're curious where Google got all the email addresses from,
underground hacker marketplaces. You can buy a million email addresses for like 25 or 50 bucks.
And Cutwail was amassing hundreds of millions of addresses this way. The Cutwail botnet eventually
became a self-service tool. Once you purchased the usage of the botnet, you were given a URL
which let you log in and send your email from. And there you were given multiple support contacts in case you needed help. Even the botnet creators knew that a satisfied customer would mean
a repeat customer, so they wanted to do what they could to make the user experience enjoyable.
Cutwail soon passed 100,000 infected computers and was growing in size. Remember, this botnet
was sending spam emails from each of the infected computers. The more computers they had in their botnet,
the harder it would be to block this botnet from sending spam.
Because it wasn't sending spam from one place.
It was sending spam from 100,000 different places.
And the Cutwail botnet just kept growing.
And soon it had over 1 million infected computers at its control.
At its highest point, the botnet was sending out 51 million spam emails every minute.
51 million emails a minute!
Hacker Google could send 74 billion spam emails a day through Cutwail.
And Google used his own botnet to send pharmacy spam using GlavMed and SpamIt affiliates.
And from that alone, he was earning $1,000 a day from affiliate commissions.
Just months after Cutwail launched, on September 2nd, 2007, there was a big car accident in Moscow
that shook up the world of spam botnets. Nikolai McColo was 23 years old, and he was the owner of
McColo Corp, which was a web hosting provider, and its headquarters were in San Jose, California.
Now, Google knew McColo and hosted
his CNC servers at McColo Corp. Because when you're running a massive shady illegal operation
like this, you want to host your servers at a place you know and trust. Nikolai and McColo
Corp were known for turning a blind eye to what their clients were doing with their servers.
So the McColo hosting provider was a safe haven for
spammers, and criminals were happy to use the service. And there was a lot of criminal activity
on McColo's servers. From hosting big spam botnets to clients involved in spamming for fake goods,
fake drugs, and a lot of shady pornography, McColo Corp had a good reputation for hosting bad things. So on September 2nd, 2007, Nikolai McColo was
riding in a BMW through Moscow. The driver was a guy named Jax, a known Russian spammer. And when
they got to an intersection in the middle of Moscow city, a Porsche drove up beside them.
Jax and Nikolai looked over at the Porsche. Both cars came to a red light and stopped side by side.
One of them revved the engine. The other revved back. A race was about to begin. When the lights
turned green, both cars roared off at high speed, but it all went wrong. Jax lost control of his
car. The BMW went into a spin and clipped the corner of the Porsche. Both cars went screaming
off the road, and the BMW went
straight into a lamppost. It totally destroyed the car, and Nikolai was killed instantly at the age
of 23. Jax and the guy driving the Porsche walked away with minor injuries. This was big news across
the spammer community. At Nikolai's funeral, Igor and Dmitry Stupin from GlavMed were there,
and Google was too.
They knew the importance of Nikolai's McColo Corp for the spamming world and its hosting services, and they were fairly close to him.
So they were wondering how Nikolai's death was going to impact McColo and the hosting.
The McColo group assured them that hosting would still be fine and all was good, so Google went with it and left his Cutwell servers with them.
Now, Cutwell wasn't the only successful spam botnet on the go at the time.
No, there were others. Google wasn't the only one who spotted this opportunity.
Other guys with existing botnets saw this and wanted to monetize and earn some serious money too.
One spammer had multiple affiliate accounts with Spamit, and they called themselves Cosma.
Now, Cosma had signed up as an affiliate spammer soon after Spamit set up in 2006.
He generally used the handle Cosma2k on his affiliate accounts, but there were others too.
And he had an idea to propel himself to be one of the most successful spammers ever.
Cosma built a botnet called Rustock, and he had some of his command and control servers hosted with McColo Corp too.
And he'd been toying with the idea of doing some kind of stock manipulation scam,
but once he got involved with Spamit, he saw he could really make some money.
In 2007, Cosma switched Rustock to be a pharmacy-spamming botnet.
Rustock was a little bit different than Cutwail.
Windows machines were still the targets, and computers were infected in a similar way through malware download,
but Rustock malware didn't launch straight away.
No, Cosma programmed Rustock to just sit quietly,
do absolutely nothing for five days after infecting a computer,
which is kind of crafty.
This helped it hide from antivirus scans.
Rustock used some custom encryption techniques,
so when it downloaded,
it just looked like a .rar file, a compressed archive file. And it ran complicated rootkits
to embed itself into the infected machine. Debugging programs were automatically disabled,
and Rustock would hide its tracks so that it couldn't be discovered. Once Rustock infected a machine,
that computer would contact Cosma's CNC servers, just like Cutwail. But Cosma had things set up
a little differently here too.
He had more than one command server, and communication
from these servers to his bots were done
in more like a relay, at different levels.
So Cosma would send communication
to a secondary command and control server,
and that one would then talk to another set
of CNC servers lower down,
and they would be the one who passed on the information
to the bots making up the botnet. One reason for having so many CNC servers is it makes it harder
to stop a botnet. If a huge botnet has one CNC server and you take down that CNC server,
you might lose complete control of the botnet. So Cosma programmed it this way in order to keep it
up longer. And the same kind of feedback went on for the bots. When they needed to tell Cosma
something, they would go down the chain and relay messages all the way back to Cosma somehow. So while Cutwail
was centralized, which is one computer talking to many bots, Rustock was decentralized, where
thousands of systems would issue commands to infected machines. Cosma had something like 2,500
domains in place for Rustock. The botnet used DNS for the bots to connect to, but Cosma had also
coded in some specific IP addresses as backup systems. It was contingency planning. If some
of his CNC servers got taken down, the botnet would just reach out to the hard-coded IP addresses and
get an update on which new IP addresses to communicate with, and it would just carry on
after that. Rustock also used TLS encryption when sending spam to conceal what it was doing. Cosma's CNC servers were dotted all over the US, and he was
paying a fair whack for them too, about $10,000 each month. And these were servers with dodgy ISPs,
known for offering hosting to shady services. Cosma did have some of his servers with McColo,
yeah, but he rented servers from straight up legitimate ISPs too.
And these ISPs had no idea
what Cosma was using them for.
This was a spam botnet hiding in plain sight.
Rustock grew into an enormous, powerful botnet.
Cosma had collected between 850,000
to 2.4 million bots on his network.
It became so big that some estimate
that Rustock botnet was responsible for
41% of the total spam in the world. Each individual bot was sending over 192 spam emails per minute.
That put the collective Rustock output at 32 million emails per minute. That's 46 billion
emails a day. That's just insane.
In November 2008, Cosma got twitchy about hosting at McColo Corp,
so he started moving his Rustock servers to different providers based in Russia instead.
Cosma, it seems, wasn't taking any chances with his botnet.
As Cosma was seeing huge success with Rustock as a spam botnet,
Pavel was reappearing on the scene.
He was the guy who created ChronoPay with Igor, and then Igor went off to make GlavMed. And Pavel was still running ChronoPay, but he
wanted to get in on some of this other action too. That year, he launched his own rogue online
pharmacy, Rx Promotion, which would be a direct competitor to GlavMed, Igor's company. But he
didn't launch it on his own. He had a new partner, Yuri Kabayenkov, who did all the tech stuff for him.
So now Igor and Pavel were going head-to-head in a battle to secure more of the online pharmacy market than their rival.
Pavel, though, decided to appeal to a different part of the online medicine market demand.
Igor and Dmitry Stupin were pushing erectile dysfunction drugs as their top seller.
They were selling their knockoff versions for a markup of 25 times what they bought them for.
Pavel instead went on to highly addictive medicines that people often abused, like opiates.
So he was selling oxycodone and Valium and others like Adderall and Ritalin.
These would be his top medicines and all for really cheap prices.
Pavel opened RxPartners not long
after, using the same model that GlavMed and Spamit used. RxPartners was the affiliate program for Rx
Promotion. Spammers that were signed up with Spamit happily opened up accounts on RxPartners too.
They didn't care who they were promoting as long as it made money for them. Some of the figures
that the top spammer affiliates were earning in commissions was pretty mind-blowing. Here's Damon McCoy again, talking about the data he analyzed
when drilling this down. Let's look at some of the schemes that these top earning affiliates use
to be successful spammers. So an obvious one to think of is, right, run a large bot network and
spew out a whole bunch of spam. So in fact, the operator of Rustock,
we identified him within the Spamit dataset.
And in fact, he made close to $2 million by operating Rustock
and sending out spam shilling for the GlavMed Spamit program.
So that indeed is a very good way of becoming a successful marketer,
is run a large bot network.
So as you can see, these top earners, they earn quite a bit of money.
And they, in fact, earn the largest share of each individual sale.
However, the affiliate programs, if the affiliate programs are very successful,
they, in fact, can earn more by taking a smaller portion of each sale over all of the sales from their affiliate program than the individual affiliates.
It must be exciting for the spamming bot master. Think about it. You've worked really
hard, made this big botnet, infected all these hosts, launched your campaign, and sent out a ton
of emails. And now you're looking at the dashboards on GlavMed and SpamIt, and you're just watching
your numbers grow. Seeing the rewards pay out in real time and watching the earnings get higher
and higher, that must have been a pretty big kick for these botmasters.
2008 turned out to be a busy year for spam botnets.
And this next botnet was probably the most complex of them all.
The Waledac botnet was started by a guy named Severa.
He was known on the spam.biz forum, but just like the other botmasters, he kept himself totally in the shadows.
Waledac used similar methods as the others to get computers infected and part of its network.
Social engineering trickery.
Innocent looking emails that had an attachment of malware or a link to malware.
And once you clicked on it, Waledac would unleash itself into the machine, turning it into a spamming bot.
Once a machine had been infected, Waledac binaries were let loose.
It was coded in C++.
The executables were just under one megabyte in size.
As all the other botnets did,
the first task of the malware
was to amend the machine's registry
so that each time the computer starts up,
Waledac would be run to check for updates
and keep the machine as an active spam bot.
Waledac was designed to be a spamming machine.
It was crafted to collect bots, grow in size,
and distribute mass spam email campaigns.
In the core binaries of the malware was an SMTP engine,
which could communicate with an SMTP server and send emails.
The malware could deal with two types of HTTP traffic:
the control messages to the CNC servers
and the normal HTTP traffic to and between the
Waledac bots. Waledac was structured in a different way compared to Rustock and Cutwail.
It was a custom-written, peer-to-peer structured botnet with a maze of layers for its infected
machines. It had categories for its bots and different communication routes. The CNC servers
did not communicate directly with the infected machines. It was all
designed for resiliency and to protect itself and to hide from anyone who's trying to find it.
Over in Canada, there's an engineering school connected to Montreal University. It's called
Polytechnique Montreal. Two security researchers there, Joan Calvet and Carlton Davis, and Pierre-Marc
Bureau, who was from the U.S. internet security company ESET, well, they got a hold of these binaries from Waledac and started reverse engineering them.
What they found revealed a complicated botnet.
Waledac didn't miss an opportunity to steal data that it could use.
It would scan the hard drives of infected machines and sniff their network traffic.
It was hunting for email addresses and passwords that it could steal
and send it up the communication chain back to the command and control servers
straight into the hands of Severa.
When thinking about how Waledac was structured, imagine a big pyramid.
The base layer, the biggest layer, were the spam bots, the infected Windows machines.
They were the worker bees, the ones who were actually sending out spam emails.
These spam bot machines couldn't talk to each other,
only to the layer above them,
who the researchers called the repeaters. This layer were infected Windows machines that had
public IP addresses. But these didn't send out any spam. Their job was to pass information between
the worker bots and the communicator bots. They could talk to each other and to the layer above
in this pyramid. The third layer was the protector group. They were the Linux servers, which the researchers thought acted as proxies for the core CNC servers.
They were the protection layer, hiding the valuable servers from sight. The five of these
servers that researchers identified were scattered across the globe in locations like Germany, the
US, Netherlands, and Russia, and all had at least one protector server. The only layer above them
and sitting at the top of the pyramid
was the actual CNC server for Waledac.
Waledac also used this layered system of lists in its structures too.
So all the spammer bots had their own hard-coded list of repeater bots
that they'd have to deal with, like 200 of them,
all communicating through XML files using encrypted registry keys. Now, they would
contact a random set of these repeaters to get updates, and they would also send the repeater
another list of repeater bots taken from the original list of 200. It's confusing just for
me to try to figure out what's going on here, but that's a lot of lists, and there's a lot of
different layers here, and a lot of different bots that you have to juggle as the bot master.
But all this worked in harmony. It was acting pretty smoothly. The Waledac botnet was
pretty successful, and it kept its bot master earning some pretty good money. Before that year
was out, though, the other spam botnets would take a hit. The McColo web host provider was forcibly
taken down on November 11, 2008. Their not-so-ethical practices had finally caught up with them.
After a number of reports highlighting the shady nature of what McColo was doing,
their two U.S.-based internet providers, Global Crossing and Hurricane Electric,
pulled the plug on them.
Suddenly, a big chunk of these botnets lost their hosting provider,
and the spam volume across the world just took a huge drop.
Like suddenly, something around 80% of all spam
worldwide just stopped. Cosma had already moved some of his servers from McColo, but not all.
And Google had most of his servers for Cutwail there. This was enough to make both botnets
stunned and immobile. But the effect was short-lived. A few days later, McColo reactivated
one of their servers in the exact same location where it was
before, in San Jose, California.
And when that server came online, the Rustock
botnet came online again too.
But within weeks, that botnet found
a new hosting provider. CNC servers
were reconfigured to send new server
information to all the bots, and the
spamming machines got rolling again.
Spam volumes once again began
to climb. By the middle of 2009,
pharma email spam was dominating the global spam market. 74% of all spam emails were pushing for
dodgy online pharmacies. And 67% of all that spam was promoting the Canadian pharmacy brands like
GlavMed and Spamit. That year, spam botnets were sending an average of 150 billion spam messages a day.
Cutwail was riding high again, but it took another big hit in June that year,
when again it lost the hosting of its master CNC servers.
Another hosting provider based in California was called 3FN,
and hacker Google had loads of his servers there,
especially after the McColo takedown a year before.
3FN was like a repeat of McColo.
It was sort of known for hosting things that were dodgy or crime-ridden,
like child pornography websites.
And the FTC stepped in and shut it down on June 4th, 2009.
And when that happened, there was a noticeable drop in email spams being sent as a result.
But nowhere near as big as the one after the McColo takedown.
But a few months after that, the Cutwail botnet was back at it and just as strong as ever.
The botnets were once again at full steam, but they were also in the crosshairs of some
determined people who wanted to take them down.
Security analysts, academics, and software companies, and big brand pharmaceutical companies
like Pfizer were all getting pretty frustrated with these botnets and rogue pharmacies.
Because these online pharmacies were selling fake Viagra, which Pfizer made.
And at the time, there was no generic available.
So Pfizer was losing a bunch of money from these botnets.
But by this time, the botnet spamming empire and the Russian affiliate networks were all starting to show cracks in their operations.
The Waledac botnet was the first to fall. At 1.5 billion spam emails a day,
Waledac was a big part of the pharma email spam problem. Severa brought the online pharmacies
an extra $438,000 in revenue, and his cut from that was about $145,000. Software giant Microsoft
was getting especially annoyed with Waledac. In December
of 2009, they found 651 million emails going from Waledac through their customers' Hotmail
accounts alone, and they decided to fight back. They realized that to take down Waledac,
they're going to have to do something pretty unusual. Successfully taking down a botnet is
as much about tactics and strategy as anything else. Researchers need to bide their time,
do their homework, and identify the botnet's weakest points. Most of the time, that's their
CNC servers. It's not a game of chess where authorities have to make a move or wait for
the botmaster to make theirs. It's the opposite. Because the best attack is a coordinated,
worldwide, sudden strike on multiple levels to cut the botnet away from the bot master. By February 2010,
Microsoft's Digital Crimes Unit, their Malware Protection Center, and their active response to
security guys were building a takedown team to knock out Waledac. They had Symantec involved,
experts from Shadowserver too, and there were security researchers involved from the universities
of Washington, Mannheim, and the Technical University in Vienna. That's a lot of people. Together, they would try to take down this Waledac botnet,
and they codenamed this Operation B49. The team identified 277 domains that Waledac was using to
operate its botnet. Their plan was to try to disconnect all of these domains at the same time,
which would cut off all communication routes between the command and control servers and the bots.
But it wasn't going to be easy.
Microsoft had their senior attorney for the Digital Crimes Unit, Richard Boscovich,
who was fully involved in this takedown attempt.
And here's a clip of him explaining why.
The challenge we were facing is how do we go about stopping a botnet of this magnitude? In essence, how do we go about disconnecting all of the robot computers from the bot herder?
We looked at a traditional and well-established legal principle called the ex parte TRO.
Ex parte meaning without notice to the other side. TRO meaning temporary restraining order.
And the reason why we chose the ex parte TRO
because it was of crucial importance
that when we went out to sever,
to cut the connections between the bot herder and his bots
had to be done without him knowing.
So it was imperative for the operation
that we get the ex parte TRO
before the bot herder knew we were coming.
Microsoft filed a lawsuit naming 27 John Doe's
as the orchestrators of Waledac, including the mysterious Severa. They wanted a restraining
order on Verisign, the company that oversees .com and .net domains, to force them to disconnect
these 277 Waledac domains. Verisign was hesitant though, which makes it sound like Verisign was
refusing to help,
but it was more like they weren't sure that they were able to help.
Alex Lanstein from FireEye explains it here.
So most of those domains existed inside the .com and .name space.
And it's not just that a registrar or registry, so like the way DNS works is you have registries that are responsible for ccTLDs and gTLDs,
and then you have registrars who essentially resell those, and sometimes you have a shared model.
But it's not that some of these registries, and in particular this one was in the U.S.,
it's not that they didn't want to help out, but it's that they weren't exactly sure whether
they had the legal authority to help out. This is sort of the coordinated takedown is sort of a new model that security and ISP community
is sort of working on. But yeah, like what Julia was saying, in that case, the DNS infrastructure
wasn't going to be enough because they had some IPs hard-coded, and you couldn't just
take out the domain names. But that's the first, I think, legal mechanism that anyone's
used to take domains.
This really hadn't been done before.
It was totally unprecedented, and no one was quite sure how the courts were going to respond to something like this.
But the federal court in Alexandria, Virginia, did grant the restraining order.
Verisign went ahead and cut off all the domains,
and Waledac's main bot master, Severa, had no idea the strike was coming. When Verisign disconnected the domains, the effect was
immediate. The spam traffic fell massively. The number of bots dropped from 80,000 down to 20,000.
Waledac was severely crippled, and with quick work by the takedown team, they were able to take over
the domains which were required for Waledac to operate. And once those were taken over, the bot
could no longer function, as no new commands
could be issued to it. And it was successfully shut down. Operation B49 was a success.
I think it is a landmark case in the sense that we were able to finalize the case,
close it out, so to speak, and we were able to get the default judgment which we wanted.
It's the first time from both a technical perspective and a civil legal perspective
that we've been able to literally address and dismantle a botnet threat such as Waledac.
The endgame, of course, is with the default judgment.
We will now own those domains.
By doing so, we ensure that these domains will not be used for any criminal activities in the future,
effectively eliminating them from the bot herder's control.
One of the early criticisms was that Microsoft's actions were a form of vigilantism
and that they were supplanting federal law enforcement.
And in this case, it's exactly the opposite.
Our justice system is broken up into both civil and criminal processes,
and Microsoft has every right to use civil legal process
to protect themselves
and their customers from harm.
The legal process which we used is a process now that I think any other particular company
in the United States which has a vested interest and is able to meet the legal requirements
could do.
The online pharmacies GlavMed and Spamit were still going strong.
The hacker Google with his Cutwail botnet was still one of their best affiliates.
Pairing Cutwail with Pushdo was a good move by hacker Google.
It had made it very hard to take Cutwail down,
but that didn't stop people from trying.
This botnet, though, seemed to have nine lives.
See, taking down Cutwail's CNC servers
would cut off Google's ability to communicate with his bots,
but he'd just activate new servers in replacement.
Pushdo would just update what the IPs are for the CNC servers, and Cutwail would be fully alive and kicking again.
Between 2008 and 2010, there were three attacks on the Cutwail botnet, and in November 2008,
when the McColo ISP got taken down, that had a massive impact on Cutwail. But Google recovered,
and Cutwail got back its previous strength. In early 2010, FireEye managed to get a hold of a handful of Cutwail's CNC servers and knocked them out.
But again, the drop in spam emails only lasted weeks before the numbers went back up again.
The takedown that had the biggest impact on Cutwail was actually a little accidental.
Thorsten Holz was a senior threat analyst at the U.S. cybersecurity company Lastline,
and an assistant professor at a university in Germany.
He and some colleagues were working on a research project in August 2010,
examining botnets, including Pushdo and Rustock.
They were trying to match infected IP addresses with the botnets that were responsible.
To properly do their research, they needed some CNC servers
to be able to test an algorithm that they'd come up with.
So they decided to try to take down some of Pushdo's CNC servers to get a hold of the data so they could do their part of the project.
They identified eight hosting providers that were hosting 30 of Pushdo's CNC servers.
They didn't really set out to take down this botnet, and they really weren't sure what their efforts with Pushdo's servers could do to Cutwail. They sent out an abuse notification to
these hosting providers, with evidence that these servers had been used as command and control
servers for botnets. 66% of the servers were located in Europe, with a couple hosted inside
the US, and most of the providers responded by cutting off the servers, but a few just ignored
the notifications completely. But the server disconnections did damage Cutwail.
In fact, it stopped 80% of Cutwail's email spam overnight.
Unfortunately, though, it wouldn't last.
With Cutwail momentarily weakened,
that only gave more opportunity for Rustock to climb up the spam botnet world.
Cosma was bringing in decent money through Rustock and Spamit,
and he was holding his own as one of the top affiliates.
By August 2010,
Rustock was the most dominant pharma-spamming botnet. But then some news broke that wasn't
taken very well by these spammer affiliates. That month, GlavMed and Spamit got hacked,
and it was a huge breach. The hacker got the sales logs, customer figures, affiliate commissions,
and revenue data. It was a database 9 gigabytes in size,
with records going back to when both programs started in 2006.
And it all got released to security researchers
and got passed into the hands of U.S. law enforcement.
Now, this was all a little weird.
You remember Igor's old company, ChronoPay,
that his rival, Pavel, was still running?
Well, seven months earlier, that got hacked too.
Data for ChronoPay and Rx Promotion found its way online and into the hands of security analysts.
Security journalist Brian Krebs from Krebs on Security was one of the people who got a hold of the GlavMed and Spamit data,
and he'd been contacted months earlier by someone calling themselves DespDuck,
who said they had it all and they were going to release it. From what he could figure out,
this all went back to that ongoing rivalry between Igor and Pavel.
And Krebs was quite convinced that this anonymous Despduck character
was actually Pavel.
And he was using this name as a dig to Igor,
whose nickname was actually Desp.
And it seems like these two guys were so enraged with each other
that they arranged hacks on one another
and then forced their data to be leaked to the world. It's just crazy to me because they were trying to destroy
each other. And this really wasn't good news for the spammer affiliates. The data that was being
leaked contained all kinds of details about the hacker and spammer activities, like how much they
were earning and some pretty big clues as to what their real identities were. Here, have a listen to this.
It's Alex Lanstein from FireEye talking at Black Hat 2011 about this data leak
and what it revealed about the top spammers.
So they leaked the database of one of the competitors to Krebs.
They're like, oh yeah, here's a bunch of data.
Go and blog about it.
And what he found was that the top three affiliates were all the same dude. So, like, the top three money
earners for Spamit all used the same, like, WebMoney ID, and they were all the Rustock guy.
So, like, he would register, like, multiple affiliate accounts and manage to be the top
one, two, and three affiliate for these huge spam campaigns and just make boatloads of
money. But he didn't want to be too big, or else everyone would get at him, like, oh, who is that one username? To, like, register multiple accounts
on all these services and still be the top earner for all those different accounts.
Everyone was interested in this data set. Getting raw data like this from the underground shady
pharmacy operations, that doesn't happen very often. Brian Krebs started researching this and
started connecting real identities to some of these top
spammers after digging around in this data.
So Cutwail's bot master Google, Krebs identified
him as a Russian spammer named
Dmitry Nechvolod. And he
doesn't stop there. From cross-referencing
email addresses on affiliate accounts with
Spamit and Rx Promotion, Krebs found
the name for Cosma, too:
Dmitry Sergeev. Damon McCoy and his
colleagues at George Mason University, they got this data, too, as well as the leaks from ChronoPay,
and it formed the basis for their PharmaLeaks study. And as part of this, we have the backend
database, which includes order information, transactional information, a very rich set of
information on the GlavMed Spamit programs,
which are two of the larger online affiliate programs according to when we did our analysis
of spam and linked it back to the different pharmaceutical affiliate programs.
We also have chat logs from the operators of the GlavMed Spamit program, which again
give us a lot of metadata and insight into how their business operates.
We have a more restricted set of transactional information from the Rx Promotion affiliate program.
Again, an extremely major online affiliate program that constituted a large portion of spam while they were operating.
And we also have extremely fine-grained revenue and cost structure information from the Rx Promotion dataset.
So just a quick summary of this data.
It encompasses over $185 million worth of revenue of purchases.
It encompasses over a million customers, over 1.5 million orders, and over 2,600 affiliates.
During our analysis of this data, we realized that GlavMed has
often denied that they are the operators of Spamit. However, by our analysis of the databases
of GlavMed and Spamit, we realized that Spamit is just a fork of the GlavMed databases, and
that in fact, these two are operated by the same people. And if you crunch the numbers, the GlavMed spam programs attract about 3,500 new customers per week,
and the Rx Promotion program attracts about 1,500 new customers per week.
On October 3, 2010, another weird thing happened.
The global volume of spam being sent all of a sudden hit an all-time low.
In fact, Rustock, the biggest spam botnet going on at the time,
stopped sending spam completely for 14 hours.
It just stopped doing anything.
Cutwail's spam emails also dropped across the same day,
but nowhere near as much as Rustock's did.
Bradley Anstis from M86 Security Labs
gave a talk at Black Hat Conference in 2011,
a few months after this happened,
and here's what he knew about it.
You know, certainly Spamit basically closed its doors overnight in September.
Now, we're still not quite sure why Spamit closed.
We can only guess what it might be, whether they just got embarrassed, got sick of seeing
their name in the press all the time.
You know, their upstream, downstream customers started getting frustrated that they were
continuously getting mentioned. Whatever the reason was, they got abducted by aliens, and you can see here the effect.
The graph there on the left-hand side is the global spam volume. Now, we track this, you can
see this all the time in our labs website, and, you know, you can see the overnight impact in
global spam volumes with the closure of just one affiliate program. Igor and Dmitry Stupin had shut down Spamit. They posted a message on the front page of the
Spamit affiliate website. It said the program was attracting too much attention from the wrong
people. And Igor got word that authorities were looking into him after the GlavMed data got leaked.
So he was watching his back. Spamit's top affiliates went into a free fall. For Cosma,
especially with Rustock,
this was really bad for him. He cancelled scheduled spam campaigns and left his bots
sitting idle for further instructions. Cutwail took a big hit too, but Google had his bots sending
out more than just pharma spam. So Cutwail did continue sending spam and earning affiliate
commissions from other programs. And he was also getting good money from renting Cutwail out too.
On October 26, Igor's apartment and offices in Moscow were searched by Russian federal authorities.
Igor had fled the country already with his family,
not hanging around to be arrested.
Investigators found three laptops,
seven hard drives, and a handful of flashcards.
Later that day, the Internal Affairs Directorate
of the Central District of Moscow
announced a criminal investigation into Igor.
They charged him with running GlavMed without registration and illegal entrepreneurship.
Investigators added up how much they thought GlavMed made since it started in 2006.
And they concluded the revenue was $120 million.
Internal unrest and bitter rivalry had knocked out the spamming botnets,
who had been enjoying an easy ride, of course.
But by 2011, they made a comeback,
switching their affiliate alliance to the rogue online pharmacy programs.
The Russian revenue from these pharmacies was estimated to be $142 million in just 2011 alone.
The email spam volumes had once again climbed back up to astonishing levels.
The time had come once again to start taking these botnets out of operation,
and it was Rustock's turn to be in the firing line.
The preparations to take down Rustock had begun nine months earlier,
right as the online pharmacies started hacking each other and leaking each other's data.
Like with Waledac, Microsoft was once again leading the charge to take down Rustock, and they were coming in hard.
Microsoft, FireEye Security, U.S. law enforcement, and computer scientists from the University of Washington were all working together to take down the Rustock botnet.
Pfizer also came on board. Rustock was pushing internet pharmacies that were ripping off their
products, and they weren't happy about it. Both Microsoft and FireEye had been tracking Rustock,
quietly collecting data on how it operated, in preparation to destroy it.
FireEye figured out which of Rustock's 96 CNC servers were acting as the primary servers.
They identified 26 to put on their target list.
Most of these servers were located within the U.S., sitting in legitimate ISPs, oblivious to what they were really doing. Julia Wolf and Alex Lanstein from FireEye talk about how Rustock laid out its CNC servers in their Black Hat 2011 talk.
All of the CNCs for Rustock were, all but two of them were actually hosted within the United States,
and the other two were hosted in Amsterdam. So they bought a bunch of servers in Scranton
and used that as like a big command and control point, and they bought a bunch of servers in Kansas City.
These places, there's nothing wrong with Scranton, Pennsylvania, but it's not just that it's not suspicious,
it makes you think that it's completely legit. If you see traffic going to Scranton, you're
like, yeah, that's probably legit. Like, what bad could possibly be going on there?
The Microsoft DCU guys, they have this whole department
that's basically set up to, like, bring the hurt to bad guys.
And they kind of approached us and they said,
you know, what do you think not just would be able to be taken down
but is causing a lot of harm to our customers?
And from where we stand, you know, we make a
product that detects malware. Rustock was like the, not just the most prevalent, but it was
causing like a very easily measurable amount of harm on the internet. So they came to us and they
said, you know, what do you, what do you think? You know, is Rustock something that you could help
us with? And we said, yeah, you know, absolutely. So they said, what do you think you could provide us some intel on that would help us
both validate what they were seeing and from a third-party security company perspective,
just basically give us your input. So we put together a set of monitoring tools where we
were feeding them all the command and control servers that we were seeing on a daily basis.
So there were a lot of Rustock CNC servers that kept this botnet running.
To stop it, they needed to shut down those servers and seize them.
This was so they could be examined forensically for analysis and to provide evidence.
Plus, if the servers got seized, it would be very hard for that botnet to be reactivated again later.
Here's some more on what the plan was behind physically seizing the servers.
They didn't seize the servers as like any sort of punitive damages. They were granted temporary
access to the servers to get any sort of forensic detail that might exist on them so they can go
after the bad guy, right? And that's still ongoing. But certainly if a bad guy doesn't think,
or he thinks the servers are pretty bulletproof,
and these were up for like a year and a half,
so there's a reasonable chance that he thought
that he was pretty well protected,
so he might have made a mistake,
such as connecting directly to it,
like SSHing right to the server,
or leaving things on it, like leaving a code base,
maybe he's compiling something,
leaving code artifacts,
leaving things inside the actual, the server side of the command and control that's never meant to be seen by a
person. You never see that. So that was the idea in going after the hard drives. And then obviously
just kind of a shot across the bow to the criminal himself. The problem with this though, is that not
all ISPs owned all the equipment they used, so it was really complicated to get authorities to seize equipment. So there was only one option. Microsoft used the same tactics to hit
Rustock as they did with Waledac earlier that year. Microsoft filed a lawsuit at the U.S. District
Court in the Western District of Washington. It named 11 John Does as the operators of Rustock,
who they thought were involved with Cosma. Rustock was sending a lot of its spam emails
through Hotmail accounts, and they were sending emails claiming to be from Microsoft or Pfizer.
On top of that, Rustock enabled remote access to a heap of users' Windows clients,
so the infected machines could talk to each other and the core CNC servers. But
you can't do that, because that goes against Microsoft's license agreement.
So the legal team at Microsoft actually used a clause in the trademark act
to give them a legal basis to help with this takedown.
Anyway, so legal counsel at Microsoft,
Richard Boscovich,
came up with this great idea for how to do this.
And there's an interesting clause
in the Lanham Trademark Act
that basically allows anyone who owns a trademark
to seize counterfeit goods.
And so basically the legal argument that was made
was that these CNC servers had spam templates
that claimed to be from Microsoft
or from Pfizer selling Viagra or whatever.
And that's a trademark infringement.
And they're selling counterfeit Viagra and whatnot and stuff like that.
And so basically it's under the jurisdiction of this Trademark Act.
And all of the CNCs are also within the U.S. jurisdiction,
so this still applies. And there were a lot of victims
in the U.S. also. And so basically, the jurisdictional requirements have been satisfied
as well. The actual request that Microsoft made is kind of written like this. Basically, it says,
you know, all your servers are belong to us, kind of. And that lawsuit had a solid case, and it worked. Their requests were granted.
So now it was just a matter of getting in and taking down the Rustok servers.
On March 16, 2011, Operation b107 was launched. 26 individual Rustock CNC servers from five
different hosting providers were seized by U.S. Marshals at exactly the same time across seven
cities in the U.S.:
Denver, Dallas, Chicago, Kansas City, Scranton, Seattle, and Columbus. There were two servers
outside the U.S. that were seized. One was in the Netherlands and taken down by the Dutch high-tech
crime unit, and the other was in China. And Rustock domains registered there were blocked with the
help of the Chinese cybersecurity technical center, known as CNCERT/CC.
Cosma, Rustock's main bot master, had no time to respond.
All around him, server after server was going down.
Now all the infected machines that made up the Rustock botnet suddenly faced silence from the controlling master.
And the security community witnessed a sudden drop in spam traffic coming from Rustock,
but they had no idea why it happened.
Here's Richard Cox, the chief information officer for Spamhaus, talking about when they found out.
One day, we suddenly saw the botnet Rustock disappear from the world stage.
Our first thoughts were our equipment was faulty. After all, we'd never seen that before.
But some cross-checking proved that in fact it wasn't the equipment that was faulty.
The spam coming from the Rustock botnet suddenly went silent.
Silent, that is, but for the silence to be somewhat shattered by shouts of joy worldwide
as people realized that the most significant source of spam on the planet had suddenly ceased spamming.
After the takedown, Microsoft made sure to sinkhole Rustock's main CNC server IP addresses.
Basically, they were intercepting the traffic going to these servers and redirecting it to their own.
This way, they could start to identify machines infected with Rustock.
Within three months of Operation b107 starting, the million or so Rustock-infected machines had dropped to around 500,000.
Computer users were slowly claiming their machines back under their control.
The hunt for Cosma and those who helped him with Rustock was still on. Microsoft offered a $250,000
reward for information leading to the arrest and conviction of Cosma. But that reward still stands.
Cosma is still on the loose. He hasn't been tracked down. Microsoft's legal team, though,
is still looking for him.
We're not going to stop until
the people behind these botnets that are affecting our customers and are impacting our platform
get the message that if you target our platform, we will target you.
Now, one thing I really haven't talked much about yet is the bot master's real identities.
The data leaked from GlavMed, SpamIt, and RX
Promotions did give some clues because there were a ton of chat logs on that server, but it's hard
to know for sure. But we do know who Severa was, the bot master behind Waledac. We know who he is
because authorities have confirmed he's a longtime Russian hacker and spammer called Peter Levashov,
sometimes known as Peter Severa. He was not just behind the
Waledac botnet either, but the earlier Storm botnet too, and he was the one who created the
Kelihos botnet. That was a massive spamming machine that stole credentials and installed
malware for years before Peter was caught and that botnet was shut down. So where does that
leave us today? Well, the rogue online pharmacies and the spamming botnets that promote them are ongoing
problems even today. Waledac and Rustock are gone, but Cutwail is still going with different
versions, and it's still paired up with the Pushdo Trojan. It's just a really persistent botnet.
Both Google and Cosma have not yet been found or arrested. Microsoft still has a $250,000 reward
for information leading to the arrest of Cosma, the guy who created the Rustock botnet.
Igor Vishnevsky, the guy who helped Google set up Cutwail,
he seems to be in the wind too.
SpamIt, the favorite Russian affiliate network, yeah, it's shut down.
GlavMed, though, and RX Partners are still active in selling their knockoff meds.
I don't know who's running them, though.
Igor, the guy who helped create GlavMed and SpamIt,
is still on the run, hiding out somewhere.
So maybe Dmitry Stupin is still running it, since he helped Igor set it up.
And Yuri still might be running RX Partners. I don't know.
Or maybe they've passed it on to some other people at this point.
The FDA sent both of these online pharmacies warning letters in the last few years
saying they were violating the Food, Drug, and Cosmetic Act,
but hasn't been able to stop them from operating.
GlavMed got a serious warning.
Apparently, some of the drugs they were selling contained ingredients
that gave people serious side effects, which could be fatal.
Which doesn't surprise me.
When you ingest medicine from a fake online pharmacy,
who knows what you're putting in your body.
And RX Partners, just this year, has been trying to cash in on the COVID pandemic.
Some of their websites were found offering prescription-only drugs they claimed to be treatments for the virus.
The sell was a heap of false information about COVID to play on people's fears and push them into buying out of hope and desperation.
Preying on sick people with no actual solution to their illness?
Ugh, what scoundrels. Their goal was money, plain and simple, and they were
happy to exploit the most vulnerable people to get as much of it as they could. Igor and Pavel
basically destroyed each other with their rivalry and feuding, which was good for getting rid of
some of the dodgy online pharmacy partnerships that were going on. Pavel, the guy who helped
start ChronoPay, used some botnets to attack a ChronoPay rival in 2013.
After he did that, he was caught and arrested
and spent a year in prison.
These rogue online pharmacies are just mega dangerous.
If you're going to order your meds online,
make sure to check the pharmacy first.
Make sure the medicine is real and from a trusted source.
You don't want to put junk into your body
that isn't regulated or safe. The spamming botnets and botmasters are going to keep going as long as
this thing makes money, which makes this a game of cat and mouse that seems never-ending. But the
good guys are fighting back, and they'll keep fighting.

You'll love the Darknet Diaries shop.
There are over 50 original, unique t-shirt designs.
You've got to check out this artwork.
People are loving it, and I'm sure you're going to find a design that you'll love too.
Visit shop.darknetdiaries.com.
This show is made by me, your friendly firewall admin, Jack Rhysider.
This episode was written by the crime traveler, Fiona Guy.
Sound design and original music was by Garrett Tiedemann,
who makes some really cool music that you should check out.
Go to cynarpictures.com and click the music to hear it.
That's C-Y-N-A-R pictures.com.
Editing help this episode by the cat herder, Damienne.
And our theme music is by the beat farmer, Breakmaster Cylinder. And even though I think a rubber mallet is a perfectly good hardware troubleshooting tool, this is Darknet Diaries. We'll see you next time.