Ryan Singel from Wired.com outed Pfizer yesterday in a great article based on Support Intelligence data. The article highlights the ongoing security difficulties at the pharmaceutical giant despite our efforts to inform them of the situation over the past few months. And if I wasn't crying about how bad things are I'd be laughing, because frequently the spam their bots send touts illegitimate knock-offs of their own flagship product, Viagra. The spam also promotes black-market versions of Cialis, produced by competitor Eli Lilly, and Levitra by Bayer. Ruh roh. The good news for Pfizer is the makers of "Mandik", another spammed pharmaceutical coming out of their servers, are unlikely to sue anybody any time soon. Phew. On a more serious note - we've received spam from an absolute heap of Pfizer addresses, along with everyone else. In total 138 separate Pfizer IP addresses have turned up on various blacklists. Holy cow, Houston! This isn't a single employee surfing warez and getting infected - this is a serious breakdown of systemic control over their corporate network. The unfortunate bit about all this is the company was informed of the scope of the problem back in early April - over five months ago. It's hard to imagine that as an industry of security professionals we can't do better than this.
This week we've got a double-header for you - first read about Support Intelligence on BBC News, then read about the security issues at the BBC we've observed. The article, written by Mark Ward, highlights the message we've been bringing home in this blog - Corporations have a Bot Problem. The article relies on us as well as Tim Eades of the security firm Sana, and Alex Raistrick of ConSentry, in outlining the problem with infected PCs. All in all it should be familiar stuff to the readers of this blog, but we're happy to see the message continuing to echo farther and farther afield. The next best thing about our conversation with Mark Ward was the opportunity it afforded us to tell someone at the BBC about the security problems on their network. And I must say, they took it quite in stride. Fortunately the problems were fairly benign. We began tracking the BBC in late February and started receiving spam from them almost immediately, on a nearly daily basis, for several months in a row. All the spam flowed through 212.58.224.18, mail0.thdo.bbc.co.uk, which is the same mail server that provides the "Email a friend" facility on the BBC's main website http://www.bbc.co.uk. This is a separate mail server from the one that outbound BBC employee mail comes from, or that delivers Radio 4 newsletters and such. All the spam showed Received headers from BBC webservers' internal-facing addresses, such as www3-mgt.thny.bbc.co.uk (192.168.208.33) and www15-mgt.thdo.bbc.co.uk (192.168.201.115). Were these bots at work on the BBC network? Possibly. A much more likely explanation, however, is an insecure script on one or two of their webservers that allowed mail to be proxied through them, which the spammers identified - possibly a cross-site scripting vulnerability or SQL injection attack. Whatever the case, the good news is the BBC folks apparently nabbed it - all malicious activity stopped dead on the 23rd of May, prior, in fact, to our notification.
Hats off to the BBC security team for plugging the hole and stopping their flow of spam. See - sometimes these stories do have a happy ending.
Golly, now it's getting personal. IndymacBank isn't just a lending giant with $1.34 billion in revenue - they also hold the mortgage to my house. And in addition to my monthly payment reminder in May, this month they also sent over a little something extra:  Gosh, and all this time I thought they only cared about the size of my check. Who knew? But should we blog about them, we asked ourselves? This particular run lasted only 44 minutes, on the 21st of May. And prior to that Indymac was clean for 80 days - not a single sign of bot activity. Could be a sign of an excellent effort. But... wait, this wasn't the only incident - we spotted a second occurrence on the 1st of March which blasted stock spam for 1 hour 16 minutes, and a third on February 27th pumping pharmaceuticals and stocks for a similarly brief amount of time. So what gives? All this garbage came from a single IP address: 65.214.149.253, routed by ASN 19347, and showing no reverse DNS. We get a fair amount of marketing mail from Indymac via 63.251.196.251, obb.indymacbank.com, and other mail from 70.42.8.249, smtpout002.indymacbank.com, but never anything bot related, and both look like completely legitimate senders. So, as the guy with his personal information at this bank, including my social security number, income details, and even the square footage of my bathroom, it bothers me that some unknown host on their corporate network is controlled by a third party over which they exert no legal or operational control. And though I'm hoping that what this evidence shows is a very diligent sec-ops team hard at work shutting down the bots as soon as they pop up, my concern is I have no idea if that's really the case. Is this a single host that's been hacked since February 27th, possibly data mining and password sniffing the whole time? Or is this three separate incidents, each of which was stamped out within an hour or so?
Even if this best case scenario is true - how do I know these systems weren't hacked long before they ever started spewing spam? How do I know I'm safe if they can't even stop themselves from sending out photos of smiling young ladies touting two foot phalli? Does it get any more outrageous? People - this is a bank. Think about it... But what's the point? Is it that Indymac are bad guys? No. Is it that the internet is a scary place? Sort of. Is it that I need to be concerned about my personally identifiable information? Absolutely. The whole point of this blog is to raise awareness about the Botwar going on - a war raging around us as we speak. We can smile and laugh about penis spam, but the fact is that millions of carjacked computers, controlled by criminal third parties, are doing god knows what 24/7, inside our homes, our hospitals, our government offices, our corporations, and even inside our banks. And in this case, inside my bank. Our goal is not to make these hard working sec-ops folks look bad, but instead to help raise awareness with their CIOs, CEOs, and even the general public, so they can get the funding and support they need to fight this problem. It's raging around us. It's a predatory criminal activity making victims of many organizations. We can stick our heads in the sand or we can fight it. So, corporate America's CIOs - which are you gonna do?
ARIN whois for the netblock the spam came from:
CustName: INDYMAC
Address: 155 North Lake Ave
City: Pasadena
StateProv: CA
PostalCode: 91101
Country: US
RegDate: 2006-01-13
Updated: 2006-01-13
NetRange: 65.214.149.0 - 65.214.149.255
CIDR: 65.214.149.0/24
NetName: UU-65-214-149-D6
NetHandle: NET-65-214-149-0-1
Parent: NET-65-192-0-0-1
NetType: Reassigned
Comment: Addresses within this block are non-portable.
RegDate: 2006-01-13
Updated: 2006-01-13
Question: Do bots affect high tech companies too? Answer: Yes, even high tech companies fall prey to these crimes. Today we have Intel squirting out botspam with the best of 'em, in a very recent infection somewhere on their network. A trio of IP addresses, all with no reverse DNS, have been firing off stock pump and dump, Viagra, and home loan spam the past few days - the first of this run being spotted on April 29th.
192.55.60.93
134.191.248.4
134.191.248.1
All are routed via origin AS 4983 INTEL-SC-AS - Intel Corporation - the first being domestic, and the latter two routing to approximately Haifa, Israel. Previously we'd spotted 192.102.209.12 shooting out Cialis spam back on April 21st, but the good folks at Intel shut it down within half a day - so hardly worth mentioning. But this run seems to have lasted 8 or 9 days since inception (with nothing in the past 24 hours, so hopefully they've nailed it already). My favorite piece of garbage sent from this batch of Intel spam bore the following title:
Subject: Gimme your thoughts on this
Indeed, gimme your thoughts...
So, it looks like banks, insurance companies, publishers, manufacturers, and retailers all have problems with bots. But do airlines have problems with bots? You betcha. On April 7th, something at ATA Airlines changed. Out of previous total silence, spam started arriving in our traps from ATA. It was clearly botspam, this time pushing Humet PBC, which trades as L9Z.F on the Frankfurt Stock Exchange. According to the good folks at Spamnation, this was part of a two part run between March 31st and April 19th perpetrated on this stock. All the spam from ATA touting the stock came from a single IP address: 205.245.253.165 - h-253-165.iflyata.com. The spam was nearly identical, 100% of it touted the same company, and the run itself lasted three days, peaking in the middle. Then poof - radio silence again. Until the 28th of April, that is, when stock spam started arriving in our traps from ATA a second time. This run came from a different IP address: 205.245.253.225, resolving to h-253-225.iflyata.com. Again, the spam uniformly pumped a single stock - Electronic Koursewar, EKII.PK - which was part of a much larger, distributed spam run, used forged Received headers (some from unrouted IANA space), and mysteriously disappeared after three days. Did ATA catch the problem and shut it down? We sure hope so. Out of the 10 weeks we've been watching ATA, they've sent spam on only six days, so hopefully this is a sign of a vigilant, if not perfect, security regimen. Will the problem spring back up a third time? Were these systems also key-logging? Is there a drop file somewhere with other information in it? Impossible for us to say, but someone has to ask the question. Neither of the IP addresses delivering the botspam to us delivered a single piece of legitimate mail, and neither appears to be a regular mail transfer agent - so what are they?
And if the IT security of civilian airlines isn't enough to get your attention, don't forget, ATA is also a big time carrier for the U.S. military, operating charter missions around the globe every day. And so, the bots rampage on...
We have been watching the Nationwide Insurance network for a few months now, and have been impressed with the spam/ham ratio. Its spamminess is something like 100:1 in spam to ham. We have collected some 1,857 SPAM from 6 IP addresses on Nationwide's network. The breakdown of spam and the hosts that sent it out is listed below:  The kinds of spam we received from Nationwide included pharmacy spam advocating various erectile dysfunction drugs, Rolex watches, graphic pornography, mortgage loans, weight loss and stock pump-n-dump. While writing this blog post we received 10 more stock pump-n-dumps touting stock ticker EKII, which is down 9% as of Monday evening. Senderbase.com lists 155.188.254.1 as having a 10% increase in daily activity and notes that the host is blacklisted by SORBS. The main question is whether any of Nationwide's consumer data was compromised. We believe that 155.188.254.1 is an outbound NAT and that the 1,342 SPAM emitted from that IP address represent some set of internal machines that are compromised. The way that the headers were forged leads us to believe that there were several machines behind the suspected NAT. Most malware does some form of key logging or post logging. Could an infection of this size compromise the integrity of their consumer data? Remember that in the TJX data breach researchers still don't understand how they got in or how they decrypted the data, and the company is currently facing litigation in excess of 1.6 billion. CISOs need to understand that today's malware easily captures data before it gets encrypted and moves it off corporate networks without setting off an IDS. A good hint -- if your company is sending out spam you probably have a good botnet infection. When we finally do get an IT security manager on the phone the first question they ask is whether any of these spam have been forged. We answer this question as follows:
- We track all BGP announcements since Jan 2005.
- We monitor BGP at several locations, including our trap locations.
- We match up any bogons or route hijackings with the TCP connect data our spamtraps collect.
- AS26578 [ NATIONWIDEASN2 - Nationwide Services, Inc ], which is responsible for routing the addresses in question, has not had a routing hijack during our period of analysis.
Furthermore, based on observations, had one of these blocks been hijacked the block would have had to be hijacked for a continuous period of several months. Such a routing hijack would also have been noticed, as it would have affected outbound corporate e-mail delivery.
From the points above we conclude that the Nationwide Insurance network blocks were not hijacked in any way, and that several machines internal to their network have been compromised to send SPAM to the greater population of Internet users. Not every Fortune 500 company we analyze is in as bad shape as Nationwide Insurance. For example, we haven't received a single SPAM from Geico Insurance during the same period. Next week we will let you know if Nationwide has brought their systems under control and if they have mitigated their problems. We're of course ready to share information with Nationwide to help track the problem down and get it stopped.
OrgName: Nationwide Mutual Insurance Company
OrgID: NMI-20
Address: One Nationwide Plaza
City: Columbus
StateProv: OH
PostalCode: 43215
Country: US
NetRange: 155.188.0.0 - 155.188.255.255
CIDR: 155.188.0.0/16
NetName: NATE
NetHandle: NET-155-188-0-0-1
Parent: NET-155-0-0-0-0
NetType: Direct Assignment
NameServer: NNS1.NATIONWIDE.COM
NameServer: NNS2.NATIONWIDE.COM
Comment:
RegDate: 1991-11-21
Updated: 2006-08-03
OrgTechHandle: CLW-ARIN
OrgTechName: West, Cher L.
OrgTechPhone: +1-614-249-8631
OrgTechEmail: westc1@nationwide.com
------- ASN Delegation ------
OrgName: Nationwide Services, Inc
OrgID: NATION-354
Address: ONE NATIONWIDE PLAZA
Address: M.S. 1-05-31
City: COLUMBUS
StateProv: OH
PostalCode: 43215
Country: US
ASNumber: 26578
ASName: NATIONWIDEASN2
ASHandle: AS26578
Comment:
RegDate: 2002-10-21
Updated: 2002-10-21
RTechHandle: CLW-ARIN
RTechName: West, Cher L.
RTechPhone: +1-614-249-8631
RTechEmail: westc1@nationwide.com
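The three-point forgery check above (an archive of BGP announcements, a bogon list, and the TCP connect records from the traps) as an added example, not the blog's own tooling: each trap connection is matched against the most specific announcement visible at that moment and compared with the registered origin AS. Only the 155.188.0.0/16 to AS26578 pairing comes from the post; the 198.51.100.0/24 block, ASNs 64496 and 64511, and every timestamp are constructed to exercise the hijack, bogon and unrouted branches.

```python
"""Routing sanity check for spamtrap connections (added example)."""
import ipaddress
from collections import Counter
from datetime import datetime

# Registered (expected) origin AS per tracked prefix.
REGISTERED_ORIGIN = {
    ipaddress.ip_network("155.188.0.0/16"): 26578,   # from the post's ASN data
    ipaddress.ip_network("198.51.100.0/24"): 64496,  # constructed (TEST-NET-2)
}

# Constructed bogon list: reserved space that should never source a TCP
# connection on the public Internet.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed BGP monitor archive: (prefix, origin ASN, first seen, last seen).
ANNOUNCEMENTS = [
    (ipaddress.ip_network("155.188.0.0/16"), 26578, ts("2005-01-01 00:00"), ts("2007-12-31 23:59")),
    (ipaddress.ip_network("198.51.100.0/24"), 64496, ts("2005-01-01 00:00"), ts("2007-12-31 23:59")),
    # A two-hour more-specific from an unexpected origin: the classic hijack shape.
    (ipaddress.ip_network("198.51.100.0/25"), 64511, ts("2007-04-10 00:00"), ts("2007-04-10 02:00")),
]

# Constructed spamtrap connect log: (source IP, time of the TCP connection).
CONNECTIONS = [
    ("155.188.254.1", ts("2007-02-03 11:00")),  # IP named in the post, time made up
    ("155.188.254.1", ts("2007-04-10 01:00")),
    ("198.51.100.7", ts("2007-04-10 01:00")),   # inside the hijack window
    ("198.51.100.7", ts("2007-04-11 01:00")),   # after the more-specific vanished
    ("10.1.2.3", ts("2007-04-10 01:00")),       # forged / unroutable source
    ("203.0.113.9", ts("2007-04-10 01:00")),    # no announcement covers it
]


def covering_routes(ip, when):
    """Announcements that covered ip and were visible at time when."""
    return [r for r in ANNOUNCEMENTS if ip in r[0] and r[2] <= when <= r[3]]


def classify(ip_text, when):
    """Return bogon / unrouted / foreign / hijacked / consistent for one connection."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in b for b in BOGONS):
        return "bogon"
    routes = covering_routes(ip, when)
    if not routes:
        return "unrouted"
    # Forwarding follows the most specific prefix, so that announcement's
    # origin is the network that actually sourced the traffic.
    _prefix, origin, _, _ = max(routes, key=lambda r: r[0].prefixlen)
    expected = next((asn for net, asn in REGISTERED_ORIGIN.items() if ip in net), None)
    if expected is None:
        return "foreign"  # not a block we track; nothing to compare against
    return "consistent" if origin == expected else "hijacked"


def summarize(connections):
    """Count connections per verdict."""
    return Counter(classify(ip, when) for ip, when in connections)


def block_was_hijack_free(connections, block):
    """True when every trap connection from block arrived via its registered
    origin, i.e. the mail really left that organisation's own network."""
    net = ipaddress.ip_network(block)
    inside = [(ip, w) for ip, w in connections if ipaddress.ip_address(ip) in net]
    return bool(inside) and all(classify(ip, w) == "consistent" for ip, w in inside)


if __name__ == "__main__":
    for ip, when in CONNECTIONS:
        print(f"{when:%Y-%m-%d %H:%M} {ip:16} {classify(ip, when)}")
    print(dict(summarize(CONNECTIONS)))
```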
We started our tracking project for Affiliated Computer Services on March 10th. It took about a week to catch our first spam from this company, which does BPO (business process outsourcing) for numerous corporate clients. On the 18th we received an offer soliciting Russian Lovers from 63.87.170.71, better known as pat.acs-inc.com. This single machine sent us 96 additional spams over the next few weeks. The flow began as image spam touting various pharmaceuticals and masculine enlargement techniques. Eventually the content changed to Hoodia diet supplements and OEM software. It wasn't until the 23rd of March that 63.87.170.71 really started to spew, however. This address then delivered us another 174 spam on similar topics plus a stock pump-n-dump pushing CWDT.OB (Yahoo charts). The interesting thing is that during the time the Affiliated Computer Services computers were filling your and my inboxes with stock spam, the stock for CWDT did actually swing back and forth. There has been a fair amount of research into stock touting and its apparent effectiveness, meaning that the spam emitted from Affiliated Computer Services might have played a role in some investor losing their shirt purchasing CWDT. For more information on stock spam touting see Spam Works: Evidence from Stock Touts and Corresponding Market Activity. These two IP addresses continued to spew until the 16th of April. All in all we received almost 300 SPAM/UCE from ACS. Between the stock spam and the genital enlargement it's hard to say which is most bothersome.
Borders seems to do a fairly good job with their containment; unfortunately today we bring you an analysis of a pharmaceutical spam run launched from Borders servers between March 29 and April 3rd that used resources from six different countries. As the story goes, on March 29th we began receiving botspam messages from 198.179.227.25 on the Borders network sending us off to buy Viagra at domains created March 23rd and registered to:
Icek Pankovich
Sos. Mihai Bravu, No. 5 Bl. 4, Entr. 4, Apt. 9
Bucuresti, Sector 2 76101
Romania
+040.0212516407
+040.0212516407
icek_pankovich@yahoo.com
The domains are serviced by name servers hosted in Iran, Chile, and Argentina, and registered to owners in China and Texas. All three name server domains were registered in February or March of '07, with a 1 year expiration - quite cheaply disposable.
Name Server: ns1.nopadvene.com
Name Server: ns2.razovinag.com
Name Server: ns1.thefeminine.net
The websites themselves were ultimately hosted by China Telecom, somewhere in Shandong Province, at 222.173.251.30. So as you can see, this single SPAM run makes a six country tour in its setup and makes a nice little case study in how crooks create jurisdictional nightmares to cover their tracks. Odds of successful prosecution anyone? Strangely, on the Borders side there are also wiggles that make the diagnosis less than straightforward. The reverse DNS for the IP address sending all this SPAM points to bordersgroupinc.com; however, the forward A record for bordersgroupinc.com points to 152.160.1.28, which is routed by AS4595 (ICNET). It's odd that the machine at 198.179.227.25 has a reverse entry pointing to bordersgroupinc.com. Could this be the outbound facing NAT? Well, the box in question (if it was a box) forged headers from Yahoo, Google, Gmail and others - noticeably lacking any DomainKeys headers that indicate legitimate mail from Yahoo!
As for the legitimate Borders mail, it comes from 198.179.227.40 - outboundsmtp.bordersgroupinc.com. And all the mail from this server has Received headers from internal RFC1918 space with reverse DNS pointing to an internal zone claiming to be corpex01.bgpcorp.net, which doesn't jibe with the global DNS but seems more or less legit. All of which just shows some of the oddities encountered when tracking these types of incidents down. This kind of compromise happens every day to large and small companies, with the odds of successful prosecution of the criminals involved nearly zero. On the positive side, we're happy to report that Borders was able to mitigate the infection within a week, which is fast compared to some companies that have had infections for months. Stay tuned, we'll be highlighting some of those shortly. We'll also review some of the companies we've analyzed over the past few weeks to see if any have cleaned themselves up or continue to pollute our mail boxes.
X-SENDER-IP: 198.179.227.25
X-HELO: bordersgroupinc.com
X-UUID: 9d9baf6b-f6aa-4261-9d50-598887d541ff
X-ECP: BordersGroup
Return-Path: <sociologistsoot's@partyallnight.net>
Received: from 66.196.126.37 (HELO mx5.biz.mail.yahoo.com) by locaos.com with esmtp (20Q,WW067.4I )HQ8) id 5.0GBD-IAQ'IF-,2 for rry563@locaos.com; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton"
To:
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
Message-ID: <01c7720a$1c87cdd0$6c822ecf@sociologistsoot's>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0006_01C771E8.95762DD0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: Aca6QO.5147K'S79Y8@PLZ,WW?9U5R==
This is a multi-part message in MIME format.
------=_NextPart_000_0006_01C771E8.95762DD0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Dear valued member! More and more people are getting concerned with the problem of fake drugs sold on the Web. This letter is aimed at helping you choose a really reliable Internet drugstore. It's not a secret that many Web pharmacies are trying to make profits by selling fake drugs that not only prove to be totally useless but also can cause serious health problems. USDrugs is one of very few Internet drugstores that always offer only 100% generic meds.
Hope that you will find the information provided useful. Please click here for more information.
With Best Regards, Denis Denton USDrugs B.V.
URLS REMOVED
Whois for the IP address that sent us the lovely request to look for new medications:
OrgName: Borders, Inc.
OrgID: BORDER-4
Address: 54 S. State Road
City: Ann Arbor
StateProv: MI
PostalCode: 48109
Country: US
NetRange: 198.179.225.0 - 198.179.228.255
CIDR: 198.179.225.0/24, 198.179.226.0/23, 198.179.228.0/24
NetName: NETBLK-BORDERS
NetHandle: NET-198-179-225-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.WCOM.NET
NameServer: NS3.WCOM.NET
NameServer: NS2.WCOM.NET
Comment:
RegDate: 1993-11-04
Updated: 2001-10-01
In our effort to bring attention to the fact that many corporations unknowingly send SPAM, we bring you an analysis of Clear Channel. Every day we receive many legitimate emails from Clear Channel touting radio and TV stations, with titles like Newsradio 850, KOA Traffic Alert or Free Money - Free Trips, as well as loads of concert updates for every major metropolitan area of the United States. Back in March, we started getting titles like Best Prices on Medication mixed in with our KOA Traffic Alerts. We first noticed image based pharmaceutical spam from 207.230.140.240 on 03/12/2007 advocating Viagra and HGH. Similar spam arrived from another Clear Channel address, 62.190.150.183, this time from Europe. These compromised machines appear to have been cleaned up, as we haven't seen anything from them for nearly 2 weeks. On March 29th, however, we noticed 62.190.150.183 pumping pharma spam, with 207.230.140.240 joining in just a few minutes later. This particular infection ran much longer. These two addresses were responsible for delivering some 212 spam emails to our traps. Then around April 4th we received mortgage spam notifying us of our loan acceptance for $396,000 - we just need to click here. On April 10th, 207.230.140.240 started sending us OEM spam pushing Adobe and Microsoft products. In summary it looks as though Clear Channel has a continuing problem with infected computers pumping SPAM advocating illegal pharmacies, unlicensed software, and identity theft. It's not that Clear Channel is different from Intel, Best Buy, or Bank of America. All these companies have had botnet activity on their networks in the last 30 days. The point is that a great many companies have been hit by these problems. The differentiator is whether a company cares, what they do about the problem, and how fast they clean it up.
Nobody expects security to be flawless - but our internet shouldn't be Unsafe at Any Speed, and especially not from organizations that have the resources available to address the problems - Once Awareness of the Problem Exists - hence our blog and DOA list. FYI, Clear Channel delivered over 2,000 emails to our traps in under 45 days - only 10% of which was botnet SPAM. But it's that 10% that's making our internet an unsafe place to be. The question is - what are you going to do about it?
OrgName: Clear Channel Communications
OrgID: CCC-111
Address: Clear Channel Worldwide
Address: 20880 Stone Oak Parkway
City: San Antonio
StateProv: TX
PostalCode: 78258
Country: US
NetRange: 207.230.128.0 - 207.230.159.255
CIDR: 207.230.128.0/19
Bank of America
We had to wait for this one to settle down a bit before we brought it out in the open. We track many of the major banks in the USA. Today we review a week of SPAM from Bank of America. We have observed many months of good behavior from BofA, but starting on April 2, 2007 a lone system named system6.bofasecurities.com [63.80.4.6] got infected with something nasty. The situation lasted until the evening of April 6th. During this time we collected 226 SPAM. Support Intelligence wasn't the only place that noticed this box spew: System6 was blacklisted by CBL, TQM 3, and UCEProtect. We also note that this same system has been blacklisted by SpamHaus before, on 2006-12-31 and 2007-03-30. None of the spam we collected from System6 had any Received headers, so we believe all the mail to have originated from hosts outside of Bank of America, probably via SOCKS proxy - so let's be clear that this appears to be a casual penetration of [our attorney has encouraged us to leave this space blank].
On April 9th a new system popped up, host-63-117-180-6.eprimebroker.com [63.117.180.6], which is routed by AS 19438 ( PRIME-BROKERAGE - Bank of America ). This host primarily unloaded OEM software spam. It appears that the folks at ePrimeBroker are on top of it, as this host only got 4 spam into our traps before being shut down. The 4 spam from ePrimeBroker all arrived within 90 minutes of each other, and we have not detected a new spam since April 9th. During its prime it was blacklisted by CBL and SpamHaus, while SenderBase showed a 316% increase in its SMTP traffic. With 9 weeks of analysis that shows no indication of bots, I'd say BofA did a great job up until our 10th week of observation, when they had two separate infestations. The good news is at least one was noticed and shut down quickly. Bank of America will get infected again and we'll bring you a timely report of it.
At 4:07pm PDT today we received yet another spam from Conseco, specifically the webserver at 205.144.127.10, which has sent our traps some 296 SPAM in the last 30 days. Today it was Viagra links, yesterday HGH and OEM software, the day before -- image spam. The week of March 12th brought us some Tranny pornography with titles like Beusty Wkoman Srucks BIGFCOCK & Taitty Fjuck In Piool and Cjlassy Tdanned SHYEMALE Balowjob & Djoggystyle Feuck. Several of the lovely notes from the server at 205.144.127.10 had Received: headers. The following machines apparently proxied 6 of the 296 transactions through it.
- Received: from 65.112.18.68 (HELO mrclean.mnimaging.com)
- Received: from 208.180.123.23 (HELO mail.ftwoods.com)
- Received: from 62.249.192.203 (HELO mx1.freeola.net)
- Received: from 212.14.64.180 (HELO mail.ijb.de)
- Received: from 217.12.160.3 (HELO smtp.yepa.com)
- Received: from 64.71.166.217 (HELO sesmail-com-bk.mr.outblaze.com)
The forward and reverse DNS for these hosts do seem to match up, and none are listed on any DNS RBL that we know of. The only oddity is that while each FQDN resolves forward to its IP address, some of the reverse entries don't match the FQDN exactly, though they're close enough. This isn't how SMTP servers work, though. With Nmap reporting all the ports on 205.144.127.10 as closed, I'm confused how other servers could proxy any of the SPAM through 205.144.127.10. Therefore I'm going to call the headers in the 6 apparently proxied transactions forged. My best guess is that the host is a decommissioned web server for conseco.com, as the reverse DNS points to conseco.com; however, the forward DNS for conseco.com has an A record of 205.144.125.110. Since these are different, and 205.144.125.110 has the reverse for 10 or so other names, I can imagine a transition that just left the old conseco.com web server out dangling. This server has been infected for over a month and sits on the same /24 that all of the other main company resources reside on. We will come back and review this one again in a week or so and see if anyone has cleaned it up.
We started watching Toshiba's network on Feb 23 2007. Since that very day one host has shone above the others, spewing every variety of spam. The host [12.145.34.103] has actively sent spam dating back as far as July 17th 2006. It has been listed on CBL, SpamHaus, TQMcube, UCEProtect, and WPBL. All in all it was listed some 105 times for sending SPAM/UCE in the last 9 months. Every spam we captured from the host used a different HELO in the SMTP transaction to deliver mail to our traps. There were no Received headers. Of the 716 spam we have received from this one host, we collected stock touts for WSDC.PK (up big!) and CDYV.PK (up a hefty 25% today), CCTI.PK (ouch, down almost 100% from its high) and SPSY.PK. There were also Rolex watch and other trademark/brand SPAM. I don't buy the nmap analysis below, but I thought it interesting enough to include. This device is determined by nmap to be a Cisco load balancer. We are constantly surprised.
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-17 20:51 PDT
Interesting ports on 12.145.34.103:
Not shown: 1681 closed ports
PORT STATE SERVICE
178/tcp filtered nextstep
605/tcp filtered unknown
654/tcp filtered unknown
1076/tcp filtered sns_credit
5050/tcp filtered mmcc
5101/tcp filtered admdog
5190/tcp filtered aol
5192/tcp filtered aol-2
5193/tcp filtered aol-3
5510/tcp filtered secureidprop
5520/tcp filtered sdlog
5530/tcp filtered sdserv
5540/tcp filtered sdreport
5550/tcp filtered sdadmind
5555/tcp filtered freeciv
5560/tcp filtered isqlplus
Device type: load balancer
Running: Cisco embedded
OS details: Cisco CSS 11501 Content Services Switch
We've been collecting spam from a corporate email gateway (205.142.53.51) over at Business Week which is owned by McGrawHill which is responsible for announcing the 205.142.50.0/22 block from AS 4546. This particular computer is one of Business Week's outbound mail gateways better known as mail03-1.mcgraw-hill.com. Its been showering our traps with titles like Become a better lover and Enjoy complete and total confidence every time. This server isn't botted it's just an IronPort[aren't they owned by cisco now] box that's forwarding SPAM, but where is the spam coming from? Upon deeper inspection a received header indicates that this mail server received the message from a host (bw-www2-hts.mcgraw-hill.com) with an RFC1918 address [172.16.40.20] This all sounds very complicated. It gets worse, the are other compromised web servers in other business units all leveraging the same technique of using a compromised system to send out spam through outbound corporate MX servers, in this case a IronPort anti-spam system. One of the other systems that caught our eye is [corona.eppg.com] which sprouted titles like Obesity is the number one cause of premature death in Americans This box used the same technique exiting its spam through another outbound mail server at 198.45.24.235. This host's block were registered to "Macmillan/McGraw-Hill School Publishing Company" which does K-6 Schoolbooks. That's friggn kinder garden through 6th grade books, do you think they interact with kids over their website... yep, the kiddies log in at http://glencoe.passkeylearning.com/LoginControllerThese computers have been spewing spam for some time now, I'm interested to know if they also have key loggers operating on them. Well, I doubt we will hear from their systems administrator, we wrote this post because we couldn't figure out how to report instances like this. Hey, Mr. Business Week, you got 0wned! 
A set E-Mail Headers from the ~100 messages we analyzed X-SENDER-IP: 205.142.53.65 X-ENVELOPE: EHLO mail04-1.mcgraw-hill.com MAIL FROM: RCPT TO: X-HELO: mail04-1.mcgraw-hill.com X-UUID: 7ce71508-07ab-4427-bafd-cdd5fa56d7fa X-ECP: McGrawHill Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20]) by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400 X-IronPort-AV: i="4.14,384,1170651600"; d="scan'208"; a="13150503:sNHT79478476" Received: (from busweek@localhost) by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382; Sat, 7 Apr 2007 09:55:38 -0400 (EDT) Date: Sat, 7 Apr 2007 09:55:38 -0400 (EDT) Message-Id: <200704071355.l37dtc705382@bw-www2-hts.mcgraw-hill.com> To: bwwebmaster@businessweek.com From: planet8094@businessweek.com Content-Transfer-Encoding: 7bit Content-Type: text/plain Subject: An all natural solution that studies prove works wonders
Headers from another message, this one for the passkeylearning.com site:

X-SENDER-IP: 198.45.24.235
X-ENVELOPE: EHLO corona.eppg.com MAIL FROM: RCPT TO:
X-HELO: corona.eppg.com
X-UUID: 5aa1d38b-fb32-4ac6-8aac-8ad1845c09eb
X-ECP: McGrawHill
Received: (from passkeylearning.com@localhost) by corona.eppg.com (8.11.7p3+Sun/8.10.2) id l2BDxSl23545; Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
Date: Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
From: passkeylearning.com@corona.eppg.com
Message-Id: <200703111359.l2bdxsl23545@corona.eppg.com>
To:
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
Subject: Obesity is the number one cause of premature death in Americans
The ARIN IP address delegation for the addresses mentioned above:

OrgName: Businessweek Corporation
OrgID: BUSINE
Address: 1221 Avenue of the Americas
City: New York
StateProv: NY
PostalCode: 10020
Country: US

NetRange: 205.142.52.0 - 205.142.55.255
CIDR: 205.142.52.0/22
NetName: BUSINESSWEEK
NetHandle: NET-205-142-52-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Assignment
NameServer: CORP
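The two header sets above make the relay pattern mechanical enough to detect. The script below is an added example, not code from the original post or from McGraw-Hill: it unfolds the headers, walks the Received chain oldest hop first, and reports which host first injected the message, whether it did so through a local process (the "(from user@localhost)" form sendmail writes for a local submission) and whether the gateway accepted it from an RFC 1918 address. The two header samples embedded in it are the ones quoted in the post, trimmed to the relevant fields; the first Received line of the Business Week sample is folded onto two lines so the unfolding step is exercised. The regexes, function names and the keys of the result dictionary are my own.

```python
"""Trace where a relayed spam message entered the mail path.

Added example for this post, not code from the original author or from
McGraw-Hill.  Walks the Received: chain oldest hop first and reports the
injecting host, the local user that handed it to the MTA (if any), and
whether the corporate gateway accepted it from an RFC 1918 address.
"""
import ipaddress
import re

# Header samples quoted in the post.  The first Received: line of the
# Business Week sample is folded onto two lines here (legal per RFC 5322)
# so the unfolding step below is exercised.
BW_HEADERS = """\
X-SENDER-IP: 205.142.53.65
X-HELO: mail04-1.mcgraw-hill.com
Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20])
  by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400
X-IronPort-AV: i="4.14,384,1170651600"; d="scan'208"; a="13150503:sNHT79478476"
Received: (from busweek@localhost) by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382; Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
From: planet8094@businessweek.com
Subject: An all natural solution that studies prove works wonders
"""

PASSKEY_HEADERS = """\
X-SENDER-IP: 198.45.24.235
X-HELO: corona.eppg.com
Received: (from passkeylearning.com@localhost) by corona.eppg.com (8.11.7p3+Sun/8.10.2) id l2BDxSl23545; Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
From: passkeylearning.com@corona.eppg.com
Subject: Obesity is the number one cause of premature death in Americans
"""

# "Received: from <name> (HELO <helo>) ([<ip>]) by <host>" as the IronPort writes it.
RELAY_HOP = re.compile(
    r"^Received:\s*from\s+(?P<name>\S+)"
    r"(?:\s*\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by>\S+)"
)
# "Received: (from <user>@localhost) by <host>" as sendmail writes for a local submission.
LOCAL_HOP = re.compile(
    r"^Received:\s*\(from\s+(?P<user>[^@\s]+)@localhost\)\s+by\s+(?P<by>\S+)"
)


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_hops(raw):
    """Return the Received: hops oldest first; each MTA prepends, so reverse."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = LOCAL_HOP.match(line)
        if m:
            hops.append({"kind": "local", "user": m["user"], "by": m["by"]})
            continue
        m = RELAY_HOP.match(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            hops.append({"kind": "relay", "host": m["helo"] or m["name"],
                         "ip": str(ip), "private": ip.is_private, "by": m["by"]})
    hops.reverse()
    return hops


def trace_origin(raw):
    """Summarise the chain, or return None when there is no Received: header."""
    hops = parse_hops(raw)
    if not hops:
        return None
    first = hops[0]
    return {
        "origin": first["by"] if first["kind"] == "local" else first["host"],
        "local_user": first.get("user"),
        # the last hop is the host that handed the message to the outside world
        "gateway": hops[-1]["by"],
        "internal_ip": any(h["kind"] == "relay" and h["private"] for h in hops),
        "hops": len(hops),
    }


if __name__ == "__main__":
    for label, sample in (("Business Week", BW_HEADERS), ("PassKey", PASSKEY_HEADERS)):
        print(label, trace_origin(sample))
```

Run against the Business Week sample it reports bw-www2-hts.mcgraw-hill.com as the origin, "busweek" as the submitting local user, mail04-1.mcgraw-hill.com as the gateway and a private source address on the gateway hop; the combination of a local submission on a web server plus a relay through the outbound gateway is exactly the signature worth alerting on from the gateway's own logs. The PassKey sample has only the local hop, so corona.eppg.com is both origin and gateway there.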
Aflac's Email Dysfunction. Today we look into why Aflac, Inc. (AFL), an insurance company with millions of consumer records at risk, can't keep from sending out a megaton of pharma spam. According to SenderBase, 209.37.4.38 has increased its outbound e-mail volume by 757% in the last 24 hours. Apparently SpamCop noticed too. I guess it is hard to keep bots off your network with over 7,700 employees and a market cap of over $23 billion. Maybe Mr. Amos, with his $6M in salary, can do something to protect all those innocent customer records being sniffed. We will tune in next week to see if anything has changed.
We analyzed over 22,000 ASNs for every kind of eCrime, including DDoS, scanning, hosting malware, sending spam, hosting a phish, or spreading viruses. Below are the top 100 networks and the volume of incidents in the last 7 days. We posted the complete list of networks with more than 28 incidents in the last 7 days to the DOA report list, which you can sign up for at http://www.support-intelligence.com/doa/
+-------+------------------------------------------+--------+
| asn   | trim(left(org_name,40))                  | volume |
+-------+------------------------------------------+--------+
|  4134 | No.31,Jin-rong Street - Beijing - 100032 |  80279 |
|  5617 | Polish Telecom's commercial IP network   |  63652 |
|  3320 | Deutsche Telekom AG                      |  37871 |
|  9121 | Turk Telekom A.S.                        |  34459 |
| 19262 | Verizon Global Networks                  |  27315 |
|  7738 | Telecomunicacoes da Bahia S.A.           |  26695 |
| 27699 | TELECOMUNICACOES DE SAO PAULO S/A - TELE |  21487 |
|  3462 | Data Communication Business Group - Chun |  19756 |
|  4766 | Korea Internet Exchange -                |  15632 |
|  8151 | Uninet S.A. de C.V.                      |  15376 |
|  9498 | BHARTI BT INTERNET LTD. - BHARTI BRITISH |  14749 |
|  3215 | France Telecom Transpac Domestic IP Back |  14216 |
|  3209 | Arcor AG & Co.                           |  13672 |
|  4788 | TMnet, Telekom Malaysia - AS list of TMn |  11714 |
|  3269 | TELECOM ITALIA - INTERBUSINESS NET       |  11470 |
|  3352 | Internet Access Network of TDE - Spanish |   9751 |
|  9318 | HANARO Telecom                           |   8438 |
|  5483 | Hungarian Telecom - Public Internet Acce |   8206 |
|  6147 | Telefonica del Peru S.A.A.               |   8070 |
|  8359 | MTU-Intel Moscow region network          |   7992 |
|  6713 | Itissalat Al-MAGHRIB - MAROC TELECOM     |   7840 |
|  1267 | Infostrada S.p.A. - IUnet S.p.A.         |   7290 |
|  7470 | ASIA INFONET Co.,Ltd. - Internet Service |   7152 |
|  2856 | BTnet UK Regional network                |   7065 |
|  4814 | IP networkChina169 Beijing Broadband N   |   6755 |
|  4755 | Videsh Sanchar Nigam Ltd. Autonomous Sys |   6218 |
| 17813 | Mahanagar Telephone Nigam Ltd. - ISP Div |   6191 |
|  4713 | NTT Communications Corporation           |   5470 |
| 13184 | HanseNet Telekommunikation GmbH - Hambur |   5453 |
| 15557 | LDCOM NETWORKS pan european service Prov |   5192 |
|  7418 | Terra Networks Chile S.A.                |   5057 |
|   209 | Qwest                                    |   5041 |
|  5430 | freenet City LINE GmbH - Willstaetterstr |   4743 |
|  1680 | NetVision Ltd. - NetVision Ltd.          |   4525 |
|  6849 | JSC UKRTELECOM                           |   4460 |
| 20115 | Charter Communications                   |   4412 |
| 22047 | VTR BANDA ANCHA S.A.                     |   4361 |
|  5486 | Euronet Digital Communications - (1992)  |   4106 |
| 11427 | Road Runner                              |   4075 |
|  7132 | SBC Internet Services - Southwest        |   3851 |
|  3243 | Telepac - Comunicacoes Interactivas, SA  |   3689 |
|  9583 | Satyam Infoway Ltd., Private ISP in Indi |   3586 |
|  8764 | LIETUVOS-TELEKOMAS Autonomous System - V |   3549 |
|  3257 | Tiscali International Network B.V.       |   3541 |
|  5462 | Telewest Broadband - UK Broadband ISP    |   3467 |
|  9304 | Hutchison Telecom (HK) - Mobile, pager,  |   3280 |
| 17858 | KRNIC - Korea Network Information Center |   3236 |
|  6739 | Cableuropa - ONO - C./ Basauri, 5 - Urba |   3222 |
|  5089 | NTL Group Limited - Hook, Hampshire - Un |   3190 |
| 18101 | Reliance Infocom Ltd Internet Data Centr |   3163 |
| 10036 | C&M Communication Co. Ltd.               |   3140 |
|  4230 | Embratel                                 |   3110 |
| 20001 | Road Runner                              |   3056 |
|  7552 | Vietel Corporation - Internet Exchange a |   2987 |
| 17974 | PT TELEKOMUNIKASI INDONESIA - JL JAPATI  |   2934 |
|  6805 | Telefonica Deutschland Autonomous System |   2840 |
|  8881 | KomTel routing policies                  |   2826 |
|  5391 | HT, HiNet, Croatian telecom              |   2683 |
| 16338 | AUNA Autonomous System - AUNA Group. - P |   2632 |
| 18403 | The Corporation for Financing & Promotin |   2632 |
| 24863 | LINKdotNET AS number - for any abuse com |   2564 |
| 15311 | Telefonica Empresas                      |   2524 |
| 12271 | Road Runner                              |   2522 |
|  6327 | Shaw Communications Inc.                 |   2511 |
| 33287 | Comcast Cable Communications, Inc.       |   2460 |
|  9689 | Future's Cable Television, Inc. - 463-57 |   2444 |
| 13285 | Opal Telecom - Northbank Industrial Esta |   2444 |
| 17839 | Dreamcity Media - 423-6 Songnae-dong Sos |   2433 |
|  7029 | Alltel Information Services, Inc.        |   2423 |
|  5610 | CZECH TELECOM, a.s - Olsanska 6 - Prague |   2395 |
| 19429 | ETB - Colombia                           |   2390 |
|  7015 | Comcast Cable Communications Holdings, I |   2277 |
| 12479 | Uni2 Autonomous System - Spain           |   2242 |
| 11351 | Road Runner                              |   2196 |
|  5384 | Emirates Internet - Public Internet Serv |   2182 |
| 11426 | Road Runner                              |   2158 |
| 12542 | TVCABO Autonomous System - Portugal      |   2136 |
|  1221 | Telstra Pty Ltd - Locked Bag No. 5744 -  |   2082 |
| 12741 | Netia Telekom SA                         |   2049 |
|  6057 | Administracion Nacional de Telecomunicac |   1969 |
|  4775 | Telecom Carrier                          |   1943 |
|  9506 | Magix Broadband Network - Singapore Tele |   1848 |
| 33651 | Comcast Cable Communications, Inc.       |   1846 |
| 10796 | Road Runner                              |   1825 |
|  5603 | SiOL Internet d.o.o. - Internet Service  |   1799 |
| 36727 | INSIGHT COMMUNICATIONS COMPANY, L.P.     |   1781 |
|  5713 | Telkom SA Ltd.                           |   1751 |
| 20214 | Comcast Cable Communications Holdings, I |   1745 |
|  4808 | IP networkChina169 Beijing Province Ne   |   1726 |
|  9141 | UPC Poland                               |   1714 |
|  9050 | RTD-ROMTELECOM Autonomous System Number  |   1689 |
|  5668 | CenturyTel Internet Holdings, Inc.       |   1669 |
| 33491 | Comcast Cable Communications, Inc.       |   1663 |
|  6478 | AT&T WorldNet Services                   |   1638 |
|  1257 | SWIPnet - Swedish IP Network             |   1635 |
| 17864 | Hanvit I&B - 519-1, Gojan-Dong, Ansan-Ci |   1609 |
|  7693 | KSC Commercial Internet Co. Ltd. - 2/4 S |   1601 |
| 22291 | Charter Communications                   |   1593 |
|  3816 | Empresa Nacional de Telecomunicaciones   |   1576 |
| 10091 | SCV Broadband Access Provider            |   1429 |
+-------+------------------------------------------+--------+
American International Group pulls in $113 billion in revenue per year, with $77 billion in cash on hand. They also have bots running on their network. AIG wrote us to let us know that Britney Spears loves Rolex watches! Apparently. Or maybe just replicas. In either case, AIG sent us over 275 Rolex come-ons in the last month. They're also apparently interested in our sex life, as they've asked us to visit this website: http://womqat.hsuj.hk The repeated requests have arrived from breeze.agfg.com and hail.agfg.com, at 161.159.4.82 and 161.159.4.81 respectively. The site offers what are apparently black market pharmaceuticals from a company with no phone number, false whois information, and a domain registered on February 18th, less than a month before we received the advertisement. The products offered on the site use the trademarks of Pfizer, Eli Lilly, Bayer, GlaxoSmithKline, you name it. The company also has 15 public blacklistings since December 2006, on 3 separate public lists, from 11 separate IP addresses. We encourage AIG to take a close look at breeze and hail, listed above.
Thomson Financial Corporation is number two in our profile of companies with bots running on their networks. On April 1st we noted 198.80.153.10 (153-10.tfn.com) connecting to a command and control server via IRC. Unfortunately this is no April Fool's joke. Nor is the botspam they've been sending us over the last month, such as this pump and dump sent from 198.80.128.88 on 3-15-2007:  We'd also recommend checking out 198.80.189.10, which sent us over 25 pieces of botspam in March, most of which touted different over-the-counter stocks.
Brian Krebs of The Washington Post wrote an insightful piece on Fortune 500 companies, the bots on their networks, and the spam coming from those networks. The article appeared in Brian's Security Fix blog and called out ExxonMobil, American Electric Power, IndyMac Bank, Dow Jones, and a handful of others with recent problems on their networks. Which is no big deal if you don't drive a car, light your home, carry a mortgage, or read the news. Then again, doesn't the security of our power plants, oil tankers, banks, and news organizations affect every one of us?
Dan Goodin of The Register wrote an excellent article on bots operating on corporate networks. The article, entitled "Bots inside the Perimeter", features data collected from the Support Intelligence network and highlights distinct cases of bot spam flowing out of Oracle, HP, Best Buy, and others. In the case of Oracle, the botspam was actually a phishing attack on PayPal. And with Best Buy, the amount of spam pouring out its scuppers was in the thousands per week. Houston, we have a problem.