Wednesday, December 6, 2006

On the subject of Alex Polyakov

This is going to be long so bear with me.

Alex Polyakov. Here's a guy I think pretty much everybody who uses the internet on a daily basis should despise very deeply.

I personally question whether that's even his real name. But that's the one that most spam trackers out there have somehow discovered (no idea how) and so it's the one I'll use to refer to him. Well: that and other names of my own devising ("asshole" springs immediately to mind.)

Let's start with the basics. I'll rely on Spamhaus since they are without question the leading authority on spammers.

Spamhaus maintains a list of all the known spammer identities in the world. The really bad ones make their so-called "ROKSO" list (note: many people mis-spell or mis-pronounce that term as "ROSKO". That is incorrect.) It stands for the "Register of Known Spam Operations" and it even has its own top 10 list:

The list is based on individuals who spam, generate complaints, and get kicked off at least three (3) - or more! - ISP hosts. To get kicked off an ISP for spamming, there has to be some pretty solid evidence. It usually takes weeks to months of evidence gathering due to the legalities of relationships between ISPs and their users. To get kicked off of THREE ISPs?! You'd have to be an unapologetic asshole, spamming day and night, and not care that people find out about it. That's what this list consists of: people like that.

As I write this, Alex Polyakov is still right at #1:

Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov

Congratulations, Alex, you stupid moron spammer. He's been #1 for several months now. His competitor, Leo Kuvayev / BadCow (currently #2) was #1 for almost four full years. That's some tough competition.

So what can we discover about this charming individual? I'll go point form and it will be based mostly on evidence from Spamhaus.

  • He's based in Ukraine, but apparently lives somewhere in North America.

  • Alex Polyakov may not be his real name (duh)

  • He may be part of the Pavka/Artofit and Leo Kuvayev spam gangs

  • He is definitely a part of the Yambo Financials spam gang, responsible for the My Canadian Pharmacy umbrella of websites (some 14 different types of sites, all hosted on hijacked unix machines.)

  • He somehow has ties to a group known as Regpay, an international child pornography ring which was busted in January of 2004. Many people investigating his activities assume that he helped with technical infrastructure.

  • He spams using botnets, for websites which are hosted on hijacked computers which he does not own.

  • His operation is responsible for a great deal of the trojans, viruses and worms which have been created for the Windows operating system.

  • He is responsible for numerous phishing attempts posing as a variety of job offer scams in Australia in September of 2005.

  • Some people believe he is the one responsible for DDoS-ing Blue Security in May of 2006 (calling himself "PharmaMaster").

  • He's run several businesses and even been quite public about their operation. Examples include Jungle Ventures (his role: CEO) and Pilot Holding (Owner and Operator.)

Wow. What a charmer! Child porn! Illegal pharmaceuticals! Viruses! Just sounds like an awesome guy doesn't he?

My main focus has been on investigating the My Canadian Pharmacy sites. You've probably seen them. You've DEFINITELY gotten mail from them. All of these sites claim to sell pharmaceuticals but many in law enforcement believe they are actually identity theft operations, as nobody has ever received a single product upon ordering from them.

A colleague of mine has posted a fairly in-depth website of his own which documents a great deal of their operation:

Technical earmarks of these sites:

  • Thousands of new domains registered each day, automatically, all unpronounceable, all using other similar domains as their DNS.

  • Domains, once spammed, have randomized suffixes and randomized URI numeric parameters. An example:

  • The website itself is always hosted on a hijacked unix machine's IP address. Said unix machine usually has an extremely obvious root password (most commonly "root", "r00t", "password", "123", "1223456". Dude: DO NOT set your root password to something that obvious!)

  • That same IP can often also be the DNS server. That, or it's hosted on yet another hijacked unix server.

  • Images for the website are always (or at least: whenever possible) hosted on yet another hijacked unix server.

Pretty complex. Lots of targets to go after. All traffic is mirrored from a "top-level" IP address actually owned and operated by the spam operation. Nobody knows what those are, because the exploit that runs on the hijacked machines resides in RAM only. No actual files exist on the hijacked machine. It acts as a "traffic proxy" (my term), presenting pages from the top-level server, through the hijacked machine, through to the user's web browser. Post an order? Reverse that stream. Images also originate on some other top-level server.

The sites themselves offer up what must be the biggest pack of lies I've certainly ever seen. They claim that you are ordering securely. That's bullshit. No SSL, no third party SSL, no encryption of any sort. Liars! They claim that they are "Listed at Better Business Bureau","Verified by Visa", are a "Verisign Secure Site", have "CIPA Certification" and are "Top Rated by Pharmacy Checker". I am now regularly in touch with all of the organizations these sites list and I can tell you for a fact: every single word is a lie. Do a search for My Canadian Pharmacy on the BBB website and you get the following:

"Based on BBB files, this company has an unsatisfactory record with the Bureau due to its failure to discontinue the use of the BBB's federally registered trademark when demands have been made to do so."

They're listed alright. Just not in the way they want consumers to think that they are.

What got me interested in tracking down their operations was the sheer volume of spam I was receiving - often 40 or more messages per day to one address - as well as the high number of registered domains. Is everyone at the authorized registrars falling asleep on the job or something? When someone registers a few thousand domains per day, all using 100% fake data, don't you think someone would notice that? Don't you think that kind of traffic should be monitored?

Then I started examining their image hosts. At the time I first started examining them, they were constantly using geocities domains. After I reported a few hundred of those per week to Geocities abuse team (very fast acting people I might add) they switched to Yahoo small business domains. They'd register thousands of THOSE every day and use them specifically for image hosting only. I reported all of those as well. Then they started using raw IP addresses. They clearly had no intention of ever stopping spamming people who didn't want to hear about this crap in the first place.

I began creating retaliation forms to seed their order forms with fake data. At first I tried just purely random characters for all fields. That didn't work, so I tried "normalized" but random names from a small subset. That worked, but they would not accept random data for the credit card. So I discovered a formula to generate a number that would pass what's called a "mod 10" check (used by very rinky-dink forms to validate the format of a credit card number only.)
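For reference, this is the "mod 10" (Luhn) check such an order form runs. It is an added example, not code from the original post, and the sample numbers in it are constructed. The point it makes is the one above: the check only confirms the digits are internally consistent, so passing it is no evidence that a card exists or that the site is doing any real validation.

```python
# Added example: the Luhn "mod 10" format check used by simple order forms.
# It verifies digit consistency only; it does not prove a card is real.

def luhn_valid(number: str) -> bool:
    """Return True if the card-number string passes the Luhn mod 10 check.

    Spaces and dashes are tolerated as separators; anything else (or a
    string shorter than two digits) is rejected outright.
    """
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled,
    # and a doubled value above 9 has 9 subtracted (same as summing its digits).
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fraction_passing(samples: list) -> float:
    """Share of the given strings that pass the check. Random digit strings
    pass roughly one time in ten, which is all the check can rule out."""
    if not samples:
        return 0.0
    return sum(1 for s in samples if luhn_valid(s)) / len(samples)


if __name__ == "__main__":
    # Constructed sample inputs: the classic Luhn test value, a well-known
    # test-card pattern, and a plain ascending digit run that fails.
    for sample in ("79927398713", "4111 1111 1111 1111", "1234567890123456", "abc"):
        print(sample, "->", "passes mod 10" if luhn_valid(sample) else "fails")
```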


I got in a couple of orders, then suddenly the site wouldn't load anymore. Well that was fast. :)

Switching IP addresses on my end brought it back. So they ban after even one measly bad order. Nice.

I began investigating each of the domains after a few colleagues discovered that they were hosted on easily hijacked unix computers. Let me tell you: there are literally thousands of unix servers out there where root is able to log in remotely (the first huge mistake; never allow that to happen, people) and the root password is so easy to guess my cat could have done so. Most of the time these servers were hosted within either university networks located throughout Asia and Europe, or hobbyist RedHat systems around the world. Occasionally, one or two of these servers were located in the continental US.

I continue to report every single hijacked unix machine I find in the hopes that one of them will monitor the activities of the infections which have been placed there by these criminals. Unfortunately my own ability to monitor them has been somewhat diminished because of course: they're on to me. :) But I'm only one guy out of literally hundreds monitoring these hijacks. Believe me: eyes are still on it. If you're reading this, and you run or maintain a unix server of any sort: change your stupid root password! Secure your machine! I can't believe the stupidity of some users out there. And it's never just one or two of them, it's hundreds! Lock down your root password now.
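The two sshd settings that would have kept these machines off the list are remote root login and password authentication. Below is an added example (not from the original post) that audits an sshd_config text for both; it assumes OpenSSH semantics (keywords are case-insensitive, `#` starts a comment, and for each keyword the first value in the file wins), stops at the first `Match` block since those settings are conditional, and reports an unset keyword as exposed because the built-in default has varied across OpenSSH versions. The config texts in it are constructed.

```python
# Added example: audit an sshd_config for remote-root exposure.
# Assumes OpenSSH parsing rules: first occurrence of a keyword wins,
# '#' begins a comment, and settings after 'Match' are conditional.

SAFE_ROOT_VALUES = ("no", "prohibit-password", "without-password", "forced-commands-only")


def effective_settings(config_text: str) -> dict:
    """Map lower-cased keyword -> effective value (first occurrence wins)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                         # conditional section: stop here
            break
        settings.setdefault(key, value)            # later duplicates are ignored
    return settings


def audit_sshd(config_text: str) -> list:
    """Return human-readable findings; an empty list means no exposure found."""
    s = effective_settings(config_text)
    findings = []
    root = s.get("permitrootlogin", "(unset)").lower()
    if root not in SAFE_ROOT_VALUES:
        findings.append("PermitRootLogin is %s: root may log in with a password" % root)
    pw = s.get("passwordauthentication", "(unset)").lower()
    if pw != "no":
        findings.append("PasswordAuthentication is %s: guessable passwords are accepted" % pw)
    return findings


# Constructed configs. The bad one also shows the first-wins trap: the
# 'PermitRootLogin no' added at the bottom has no effect.
CONSTRUCTED_BAD = """Port 22
PermitRootLogin yes   # left over from install
PasswordAuthentication yes
PermitRootLogin no
"""
CONSTRUCTED_GOOD = """PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
```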

I'll continue to add to the info on this idiot spammer as I find it. I would hope that somebody out there knows this jackass and would be more than happy to turn him in. He deserves to rot in jail for life just for the child pornography alone. Add in everything else he's responsible for and I think it's safe to say that this guy is a menace to international society.

And Alex if you're reading this: we all hate you, and we wish you would kill yourself immediately.

Thanx for reading (if you did.)
