Wednesday, February 24, 2010

China, Certainly, But What About Russia and Ukraine?

Yes it's been a while. I've been busy. :)

I wanted to post a few quick thoughts on the whole Google vs. China situation.

As most of you have no doubt read, Google very publicly announced that it was the subject of a number of coordinated attacks from Chinese-hosted sources. Google and the international news media have drawn considerable attention to the ongoing attacks originating from Chinese IP addresses, and this has raised numerous questions about China and its government's involvement in these attacks. I reserve judgement on the particular topic of whether members of the actual government of China had direct involvement or not. [For those of you who have missed all of this, there are dozens of articles out there, but this one should be a good starting point.]

In recent weeks, the investigation into the Chinese attacks has implicated two specific universities directly in the attacks against Google and other corporate entities [source], and has further led to the identification of the author of a significant portion of the malware used in the attacks against Google, who did in fact turn out to be Chinese. [source]

All of this got me thinking: why hasn't the same bright light also been shone upon Russia, Ukraine and Eastern Europe, since - together with China - they constitute the majority of all attacks against all servers worldwide on a daily basis? This is not merely my opinion. Do any amount of research into botnets and criminal online operations, and Russia especially shows up most frequently, with Ukraine and China not far behind. Off the top of my head there are at least a dozen well-renowned cybercrime bloggers and security researchers who echo this assessment, and all of them appear to mention it in passing, as if it were nothing special.

This past weekend, CNN engaged in mock coverage of a cyber "war", using the title "Cyber Shockwave", and using the subtitle "We were warned", with the intention of underscoring that cyber criminal activity is "serious business", and focusing on the potential for a country's electricity grid, oil pipelines and other infrastructure to be rendered inoperative. [Some coverage of this.]

Many respected contributors participated in this multi-hour examination of what damage a cyber attack could do to a country, but nobody at any point mentioned that, as we speak, there are thousands of attacks taking place against ordinary websites every single day, with the aim of taking them over so that criminals located in Russia, Ukraine and China can continue to profit from black market fake pharmaceutical products.

A piece of rampant malware named Zeus bot, also known as Zbot, which exists to capture online banking credentials, has been used to illegally withdraw money from the bank accounts of several small businesses in the US, followed by money transfers to individuals located in Russia and Ukraine, on a daily or weekly basis. This continues to have a devastating effect on numerous banks and small companies, as well as school boards and other municipal government entities in the US. Brian Krebs has nearly single-handedly been reporting this since at least June of last year. [source, source, source, source and source.] Nobody goes after these people. Why not?

A few points I'd like to add to each of these, lest we continue to refer to spam as being "merely annoying":

  • The Zeus bot malware was very often executed by individuals who received it as an attachment to a piece of spam.
  • The money mules hired by the Russian criminals to participate in the receipt of the money stolen from these businesses were recruited via spam messages claiming to represent fake financial "processing companies".
  • The majority of hijacked servers and home PCs are used in one way or another to support the sending of spam, the hosting of sites promoted via spam, or the deeper infrastructure that obscures the location of sites promoted via spam messages.

I submit to you that email spam is far more than a "mere annoyance": it's a very broad and obvious signal leading to much deeper and more insidious criminal activity should the recipient care to do any digging.

The #1 spamming operation in the world today, by any measure, is the Russia-based Spamit and Glavmed affiliate program, and every single day it demonstrates ties to numerous types of malware, identity theft, fast-flux hosting on hijacked Windows PCs, the hacking and takeover of public websites on a variety of platforms, and probably more that we aren't aware of. This is a criminal organization, and there have been many reports which conclude that a high-ranking Russian government official has ties to it. Nobody does anything about this. Why not?
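The fast-flux hosting mentioned above is what lets a pharmacy site survive on a churning pool of hijacked home PCs: the domain's A records point at a handful of infected machines for a few minutes, then rotate to a different handful. As an added illustration (not code from the original post or from any of the operations it names), the script below runs the usual researcher heuristics over a series of DNS lookups: how many distinct addresses a domain resolves to, how many unrelated /16 networks those addresses fall into, how low the TTL is, and how often the answer set changes between consecutive lookups. The domains, addresses and thresholds are all constructed for the example, and the thresholds are illustrative rather than taken from any published paper.

```python
"""Fast-flux hosting heuristics over a series of DNS A-record lookups.

Added example. All domains, addresses, timestamps and thresholds below
are constructed for illustration; none refer to real infrastructure.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Lookup:
    """One A-record answer for a domain, as a passive-DNS collector might log it."""
    domain: str
    ts: int                    # seconds since epoch (constructed)
    ttl: int                   # TTL returned with the answer
    answers: tuple[str, ...]   # dotted-quad A records in the answer


# Constructed sample data (no real hosts):
#  - rx-example.test     rotates through many addresses in unrelated /16s,
#                        the signature of a pool of hijacked broadband PCs
#  - cdn-example.test    also has a low TTL and rotating answers, but every
#                        address sits inside one operator's /16 (a CDN-like pattern)
#  - static-example.test a normal site: one address, long TTL
SAMPLE = [
    Lookup("rx-example.test", 0,    300, ("10.17.4.9",   "10.88.12.3",  "10.201.7.66")),
    Lookup("rx-example.test", 300,  300, ("10.5.99.14",  "10.144.2.8",  "10.62.71.200")),
    Lookup("rx-example.test", 600,  300, ("10.33.8.1",   "10.99.45.12", "10.120.6.77")),
    Lookup("rx-example.test", 900,  300, ("10.7.210.5",  "10.210.3.19", "10.48.60.131")),
    Lookup("cdn-example.test", 0,    60, ("192.0.2.10",  "192.0.2.11")),
    Lookup("cdn-example.test", 60,   60, ("192.0.2.12",  "192.0.2.13")),
    Lookup("cdn-example.test", 120,  60, ("192.0.2.14",  "192.0.2.15")),
    Lookup("static-example.test", 0,    3600, ("203.0.113.5",)),
    Lookup("static-example.test", 3600, 3600, ("203.0.113.5",)),
    Lookup("static-example.test", 7200, 3600, ("203.0.113.5",)),
]


def profile(lookups: list[Lookup]) -> dict[str, dict[str, float]]:
    """Compute per-domain dispersion metrics from a list of lookups."""
    by_domain: dict[str, list[Lookup]] = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)

    metrics: dict[str, dict[str, float]] = {}
    for domain, series in by_domain.items():
        series.sort(key=lambda lk: lk.ts)
        ips = {ip for lk in series for ip in lk.answers}
        # Count distinct /16 networks: hijacked PCs scatter across many ISPs,
        # while a CDN or hosting provider tends to answer from its own blocks.
        prefixes = {str(IPv4Network(f"{ip}/16", strict=False)) for ip in ips}
        changes = sum(1 for a, b in zip(series, series[1:])
                      if set(a.answers) != set(b.answers))
        churn = changes / (len(series) - 1) if len(series) > 1 else 0.0
        metrics[domain] = {
            "distinct_ips": len(ips),
            "distinct_16s": len(prefixes),
            "min_ttl": min(lk.ttl for lk in series),
            "churn": churn,
        }
    return metrics


def is_fast_flux(m: dict[str, float], *, min_ips: int = 5, min_prefixes: int = 3,
                 max_ttl: int = 600, min_churn: float = 0.5) -> bool:
    """Illustrative decision rule: low TTL and churn alone are not enough
    (CDNs do that too); the answers must also be spread across unrelated networks."""
    return (m["distinct_ips"] >= min_ips
            and m["distinct_16s"] >= min_prefixes
            and m["min_ttl"] <= max_ttl
            and m["churn"] >= min_churn)


if __name__ == "__main__":
    for domain, m in profile(SAMPLE).items():
        verdict = "FAST-FLUX" if is_fast_flux(m) else "ok"
        print(f"{domain:22s} ips={m['distinct_ips']:2d} /16s={m['distinct_16s']:2d} "
              f"min_ttl={m['min_ttl']:5d} churn={m['churn']:.2f}  {verdict}")
```

The point of including the CDN-like domain is the caveat a practitioner needs: a short TTL and rotating answers are shared by perfectly legitimate hosting, so the discriminating signal is address dispersion across networks that have no business hosting the same site. In real passive-DNS work the /16 proxy would be replaced by AS number and reverse-DNS lookups, which this offline example deliberately omits.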

"Discount Pharmacy" is another criminal online pharmacy operation, this time alleged to be tied to one Vincent Chan [source]. It has been in operation since 2004 (six years now!) and remains profitable, because again it relies on hosting provided by hacked and compromised Windows Server systems, predominantly located in the US. The profits from this operation flow to both China and Russia. Nobody has bothered to investigate it, despite the fact that (so far) they have taken over several thousand Windows Server systems. Why not?

[…], later known as […] and currently still operating under an unknown moniker, continues to spam bogus pharmacies like "My Canadian Pharmacy" and "Canadian Health&Care Mall". Their sites, DNS and image hosting are all provided by hacked and compromised Unix, Linux and FreeBSD servers, using a custom compromise which I first described in great detail in 2006 [link]. Not one law enforcement agency has investigated this operation, despite the fact that several of its operators are US-based, and a significant number of these hijacked Unix servers have also been US-based. As usual, both Russia and Ukraine feature highly in this operation. Nobody has gone after them. Why not?

You can see the pattern here.

I began my research primarily into spamming operations because spamming was an annoying problem which law enforcement and other agencies obviously do not take seriously, precisely because it is so pervasive. My tactics have changed greatly over the years to focus more on the purely criminal elements of these spamming operations, and my research has led where most other cybercrime researchers have ended up: spam is merely the annoyance. Peer deeper and we see a litany of persistent criminal activity on an international scale, and it is not merely my research which bears this out. Look at the research of most malware investigators, from M86 to SecureWorks, to F-Secure, to PandaLabs, to McAfee, to Sophos, to Brian Krebs and the Wall Street Journal. All of them started from the other side of the equation: malware, botnets, command and control and money laundering, inevitably resulting in the discovery of "Canadian Pharmacy" spam of one sort or another being sent. This is usually seen as a side effect. The true criminality from the perspective of malware and botnet investigators is that someone is running the botnet and that it is predominantly criminal. The side effect is always: oh by the way, they also send spam on behalf of Spamit and Glavmed, or

It took Google to raise the issue of Chinese attacks against servers and other infrastructure, but only because they hinted that the Chinese Government might have a hand in this. I want to re-re-re-raise the following issue, because I believe it to be related, and at least as important as the statements and investigations that Google has been making regarding China:

China, in tandem with Russia and Ukraine, is the source of consistent, large-scale attacks against perhaps thousands of servers of every sort, hundreds to thousands of times per day, for the purpose of taking these servers over, so that they may be used as all manner of infrastructure to support the serving of fake pharmacy websites, which profit criminal spam operations located in those countries.

They have all collectively been doing this consistently for at least 5 years now.

No law enforcement agency in any country has taken notice of this, nor have they begun any large-scale investigations into these operations, despite my notification of this activity and despite the research of dozens of other respected malware, botnet and security investigators.

I have to ask, since we're into the second year of those financial attacks, and beginning year six of the other myriad criminal compromises of public web infrastructure: what will it take for law enforcement, and more importantly our governments, to bring Russia, Ukraine and China to task for their continued lack of attention to this criminality?

I have to ask, because so far the likes of CNN are willfully ignoring this fact. The average cyber criminal relies on profit to continue performing these persistent attacks. The only reason one of these criminals would actively go after a power station is if they were out to swindle one of their accounting personnel into sending them money. They're doing this right now to less obvious targets. Wake up.

SiL / IKS / concerned citizen