Borders seems to do a fairly good job with their containment; unfortunately today we bring you an analysis of a Pharmaceutical spam run launched from Borders servers between March 29 and April 3rd that used resources from six different countries.
As the story goes, on March 29th we began receiving botspam messages from 220.127.116.11 on the Borders network sending us off to buy Viagra at domains created March 23rd and registered to:
Sos. Mihai Bravu,No. 5
Bl. 4, Entr. 4, Apt. 9
Bucuresti, Sector 2 76101
The domains are serviced by Name Servers hosted in Iran, Chile, and Argentina, and registered to owners in China and Texas. All three Name Server domains were registered in February or March of '07, with a 1 year expiration - quite cheaply disposable.
Name Server: ns1.nopadvene.com
Name Server: ns2.razovinag.com
Name Server: ns1.thefeminine.net
The websites themselves were ultimately hosted by China Telecom, somewhere in Shandong Province.
So as you can see, this single SPAM run makes a six country tour in its setup and makes a nice little case study in how crooks create jurisdictional nightmares to cover their tracks. Odds of successful prosecution anyone?
Strangely, on the Borders side there are also wiggles that make the diagnosis less than straightforward. The reverse DNS for the ip address sending all this SPAM points to bordersgroupinc.com, however, the forward A Record for bordersgroupinc.com points to 18.104.22.168 which is routed by AS4595 (ICNET).
It's odd that the machine at 22.214.171.124 has a reverse entry pointing to bordersgroupinc.com. Could this be the outbound facing NAT? Well, the box in question (if it was a box) forged headers from Yahoo, Google, Gmail and others - noticeably lacking any DomainKeys headers that indicate legitimate mail from Yahoo!
As for the legitimate Borders mail, it comes from 126.96.36.199 - outboundsmtp.bordersgroupinc.com. And all the mail from this server has Received headers from internal RFC1918 space with reverse DNS pointing to an internal zone claiming to be corpex01.bgpcorp.net which doesn't jive with the global DNS, but seems more or less legit. All of which just shows some of the oddities encountered when tracking these types of incidents down.
This kind of compromise happens every day to large and small companies, with the odds of successful prosecution of the criminals involved nearly zero. On the positive side, we're happy to report that Borders was able to mitigate the infection within a week, which is fast compared to some companies that have had infections for months. Stay tuned, we'll be highlighting some of those shortly.
We'll also review some of the companies we've analyzed over the past few weeks to see if any have cleaned themselves up or continue to pollute our mail boxes.
Received: from 188.8.131.52 (HELO mx5.biz.mail.yahoo.com)
by locaos.com with esmtp (20Q,WW067.4I )HQ8)
for firstname.lastname@example.org; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton"
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
Dear valued member!
More and more people are getting concerned with the problem of fake drugs
sold on the Web. This letter is aimed at helping you choose a really reliable Internet drugstore.
It�s not a secret that many Web pharmacies are trying to make profits by
selling fake drugs that not only prove to be totally useless but also can
cause serious health problems. USDrugs is one of very few Internet
drugstores that always offer only 100% generic meds.
Hope that you will find the information provided useful.Please click here
for more information.
With Best Regards, Denis Denton
Whois for the IP address that sent us the lovely request to look for new meddications
OrgName: Borders, Inc.
Address: 54 S. State Road
City: Ann Arbor
NetRange: 184.108.40.206 - 220.127.116.11
CIDR: 18.104.22.168/24, 22.214.171.124/23, 126.96.36.199/24
NetType: Direct Assignment