Published: November 07 2007, 04:33 PM by Mark Wade
Just how dangerous is the Internet? We have all heard stories about government websites being hacked, banking scams, and malware that encrypts your data and holds it hostage. Did you know that just owning a computer and having it online puts you at risk of becoming a pawn in a criminal enterprise? More and more unpatched computers are becoming infected with malware simply because their users open email attachments or visit websites that contain malicious content. Recently the Bank of India's website was compromised, and anyone who visited it with a vulnerable web browser received malware on their system, including rootkits and keyloggers. Tactics like these allow criminals to infect hundreds of thousands of computer systems and gather them into what is called a botnet. According to Wikipedia, a "Botnet is a jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of "zombie" computers controlled remotely by crackers. This can also refer to the network of computers using distributed computing software."[1] Computers that are part of these botnets can belong to corporations, governments, militaries, and educational institutions, in addition to home computers. That is right: home computers, yours, your mother's, father's, children's, cousin's and grandmother's.
Botnets are a real threat, and they are big business for the botnet's owner. Just how big are these botnets? One botnet was discovered to be as large as 1.5 million systems. Vint Cerf, a key figure in the creation of the Internet (TCP/IP), estimated that one out of every four personal computers could be infected with botnet malware.[2] Personally I think one in four is a little high, but then again I didn't help create the Internet.
Botnets can be used for sending spam (as mail relays), denial of service (DoS) attacks, click fraud, and harvesting login IDs from the owners of the infected computers. The bot herder (the one who controls these compromised systems) will sell or rent these computers (bots) to interested parties, who use them in their own criminal activities.
Investigating the Botnet
I decided to take a deeper look and see what I could find out about a botnet operation that I stumbled across. This investigation began with a spam email message I received that was selling jewelry. Since it is common practice, we can assume the email was sent or relayed from a compromised computer that may have been part of a botnet. There were two websites in the email message: http://ryih.mhhimto.com and rmfx.mhhimto.com. Using nslookup, I entered rmfx.mhhimto.com to resolve its IP address. I was not surprised to see eight completely different IP addresses returned, drawn from a variety of IP netblocks. Since I have seen similar activity in the past, I ran nslookup again to see if the IP addresses changed. Sure enough, in just under 10 minutes the previously listed IP addresses had been replaced by a completely new set. This seemed to happen about every ten minutes. I quickly identified the ever-changing IP addresses as DNS fast fluxing. Fast fluxing is a method of deception used by botnets to conceal the identity of the bot herder or parts of the criminal operation. It works by constantly rotating compromised IP addresses, which usually act as proxies to the end system. This is extremely beneficial to criminals involved in phishing scams or using compromised websites to deliver malware. Each of these ever-changing IP addresses is a home or business machine that receives the inbound HTTP requests for the websites advertised in the spam message and then redirects them to the actual static web server (www.pornogh.net). These intermediaries often act as proxies, but in this case the compromised computers are running web servers and simply issuing an HTTP 302 redirect that sends the user to another website. This extra layer of anonymity keeps the final website from being identified by anti-spam groups or having its URL blacklisted by Internet Service Providers.
I sampled the IP addresses and was able to identify the compromised computers as Microsoft Windows systems, all running Apache 2.0.59 web servers. These web servers were what was issuing the 302 redirects. Most of these systems also had an open SMTP (mail) port, which was probably used to send out spam email. Since port 80 (HTTP) was open on all of the "reachable" systems and is allowed through most corporate firewalls, it could also have been the channel of communication between the bot herder and the bot. Figure 1 provides a visual example.
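The fast-flux behaviour described above (many addresses per answer, scattered across unrelated netblocks, and replaced every few minutes) can be measured rather than eyeballed. The script below is an added example written for this page, not code from the original article; it takes repeated resolutions of one hostname and reports how many distinct addresses and /16 netblocks were seen and how much of each answer was new compared with the previous one. The DNS samples are constructed (documentation and private ranges, not the real infected hosts), and the thresholds in the `suspicious` heuristic are assumptions chosen for illustration; the `resolve_now` helper does a live lookup and is only for interactive use.

```python
"""Fast-flux heuristics over repeated DNS resolutions (added example, not from the article)."""
import ipaddress
import socket
import time
from dataclasses import dataclass


@dataclass
class Sample:
    taken_at: float          # epoch seconds when the lookup was made
    addresses: frozenset     # A records returned for the name at that time


def resolve_now(name: str) -> Sample:
    """Live lookup of all IPv4 addresses for `name` (needs network; not used by the offline demo)."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return Sample(time.time(), frozenset(info[4][0] for info in infos))


def netblocks(addresses, prefix=16):
    """Collapse addresses to /prefix networks so we can count how many providers they span."""
    return {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses}


def flux_report(samples):
    """Summarise churn across successive samples of one hostname.

    Returns a dict with:
      unique_ips    - distinct addresses seen over all samples
      unique_blocks - distinct /16 netblocks those addresses fall in
      mean_churn    - average fraction of a sample's addresses absent from the previous sample
      suspicious    - True when the name looks like a fast-flux front (assumed thresholds)
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to measure churn")
    ordered = sorted(samples, key=lambda s: s.taken_at)
    all_ips = set().union(*(s.addresses for s in ordered))
    churn = []
    for prev, cur in zip(ordered, ordered[1:]):
        if not cur.addresses:
            continue  # an empty answer (e.g. NXDOMAIN) carries no churn information
        new = cur.addresses - prev.addresses
        churn.append(len(new) / len(cur.addresses))
    mean_churn = sum(churn) / len(churn) if churn else 0.0
    report = {
        "unique_ips": len(all_ips),
        "unique_blocks": len(netblocks(all_ips)),
        "mean_churn": mean_churn,
    }
    # Assumed heuristic: many addresses, scattered across unrelated /16s, and
    # most of them replaced between lookups a few minutes apart.
    report["suspicious"] = (
        report["unique_ips"] >= 8
        and report["unique_blocks"] >= 4
        and mean_churn >= 0.5
    )
    return report


# Constructed samples: three lookups of a hypothetical fluxing name, ten minutes
# apart, mirroring the eight-address answers described in the article.
FLUX_SAMPLES = [
    Sample(0.0, frozenset({"192.0.2.10", "198.51.100.7", "203.0.113.44", "10.1.5.9",
                           "10.2.5.9", "172.16.3.3", "172.17.9.9", "192.168.1.1"})),
    Sample(600.0, frozenset({"192.0.2.11", "198.51.100.8", "203.0.113.45", "10.3.5.9",
                             "10.4.5.9", "172.18.3.3", "172.19.9.9", "192.0.2.10"})),
    Sample(1200.0, frozenset({"192.0.2.12", "198.51.100.9", "203.0.113.46", "10.5.5.9",
                              "10.6.5.9", "172.20.3.3", "172.21.9.9", "172.16.3.3"})),
]

# Constructed control: an ordinary name whose two addresses never change.
STABLE_SAMPLES = [
    Sample(0.0, frozenset({"192.0.2.1", "192.0.2.2"})),
    Sample(600.0, frozenset({"192.0.2.1", "192.0.2.2"})),
    Sample(1200.0, frozenset({"192.0.2.2", "192.0.2.1"})),
]

if __name__ == "__main__":
    print("fluxing name:", flux_report(FLUX_SAMPLES))
    print("stable name: ", flux_report(STABLE_SAMPLES))
```

For a live check, collect samples with something like `[resolve_now("example.invalid") for _ in range(3)]` with a `time.sleep` of a few minutes between calls; a low TTL on the answer is a further hint worth recording, but a plain `getaddrinfo` does not expose it, so a DNS library would be needed for that.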

Figure 1
I was curious to see if I could identify the size of the botnet used in this hosting operation. I was able to identify 228 unique IP addresses. This number is not definitive, since I was only monitoring the domain for a short period of time before it was no longer accessible. I was also curious to see to whom these compromised IP addresses were registered. Sure enough, they were located all over the world: 49% were registered to entities within North America, 36% to Europe, 9% to Asia Pacific, and 6% to Latin America and the Caribbean. The registration information revealed these compromised systems to be a mix of dial-up users, dedicated home users, and various companies. One of these IP addresses belonged to the Army and Air Force Exchange Service.
Who are the Accomplices?
As for the destination domains, mhhimto.com was registered to Wu Ting Zhe in China. This domain no longer resolves. It is interesting that the domain was registered only on October 6th 2007. pornogh.net was registered to Cam Lawson in the US. Cam must be pretty busy, because I found over 30 domain names registered to him. Since November 1st, 2007, Cam has registered 12 new domains. As it turns out, all of Cam Lawson's contact information was fictitious. That is not uncommon in spamming operations. No one is going to use their real name and contact information in a criminal enterprise. And yes, that is what spamming is: a criminal enterprise. I found it interesting that I came across many other domain names, such as moressslove.com, joealexnight.com, and alextreelove.com, that all had Cam Lawson's email address listed but were registered to different individuals, such as Jim Peeker, Joe Sniper, and Bill Foster. Some of these domain names even had Cam Lawson's non-working phone number registered as theirs. I was actually surprised that I didn't see "John Smith" as one of the registrants' names, with an address of 123 Main Street.
All of these newly discovered domains registered to Cam Lawson were registered with Internet.bs, a domain name registration company located in the Commonwealth of The Bahamas. Most of the domains registered to Cam Lawson resolve to 221.141.115.112. These are either selling pharmaceutical pills or watches, and all have the same storefront template as pornogh.net. In fact, there were 423 different domains all resolving to 221.141.151.112. Most of these domains have the familiar watches website theme and are listed on various spam blacklists. Since August 24th 2007, pornogh.net has had five different IP addresses, in either China or Korea, and four different name servers. Talk about unstable, or are they trying to conceal a pattern?
I was curious about the domain name registration company, Internet.bs. Being located in the Bahamas, it reminded me of the whole Cayman Islands tax shelter theme portrayed in Hollywood movies. Of the long list of spammed domain names that resolved to the identified IP addresses 121.88.4.25 and 221.141.115.112, over 65 were registered with Internet.bs. I had to quit looking. If I looked at all 423, I am sure that a large number would be registered with Internet.bs. I was not surprised, when reading Internet.bs's terms and conditions regarding the use of registered domain names, that there was no mention of spamming. I looked at a few other registrars' acceptable use policies, and they all mentioned the company's anti-spam policy. Each also had an "abuse" email address for complaints. There was no mention of spam or abuse contacts anywhere on Internet.bs's website. Their terms and conditions do ask that each registrant, to the best of their knowledge, is not directly or indirectly violating anyone's rights and that the domain is not to be used for unlawful purposes. I sent Internet.bs an email (since there are no phone numbers) asking whether the laws mentioned on their terms and conditions page were local Bahamian laws or coincided with any US or European laws. The reply was that Internet.bs follows the laws of the Bahamas, since they are more permissive than laws in other countries. Internet.bs also said that as long as the registrant is not using their DNS servers, there is no reason Internet.bs could accept a spam complaint, because they are merely the registrar of the "spammed" domain name and do not provide any service that could put them in relation with the spamming activity. I guess Internet.bs does not consider domain names registered through them, and ultimately advertised via spam, to be part of the problem.
According to URIBL, an anti-spam organization, 88% of the active mail domains listed in the last 5 days with Internet.bs had the exact same website template selling watches.
Conclusion
I wish I could connect the dots between mhhimto.com, the bot herder, and pornogh.net, along with the other 400-plus interchangeable websites that all resolve to the same IP address and watch-selling operation, but I can't. For now we do not know whether the major conspirators in this operation reside in the US or in some foreign country where US laws and extradition are out of reach. What I do know is that laws are being broken, and personal and corporate computers are being compromised and used as part of a lucrative criminal enterprise. What I hope to have accomplished is to give you a small glimpse into the complexity of the global botnet problem and the role of botnets in the spamming enterprise.
So is your grandmother's computer part of a criminal underworld botnet? Below are a few ways to determine if your system is infected with malware and part of a botnet. Install and run anti-virus and anti-spyware applications with regular updates and scans. Check for unusual network traffic. What do I mean by unusual network traffic, and how does one go about checking for it? If you are a home user, more than likely you are not running a web server on your home computer. To check, close all of your applications and bring up a command window (Start, Run, type cmd and hit Enter). Once a black window has appeared, type the following command: netstat -an. You will get a long listing of all the listening ports and open connections between your computer (listed as 0.0.0.0 and/or 127.0.0.1) and any remote computer. If you have a web server running on your computer, the service will be listed as ":80". For those who do not know, ":80" represents port 80, which is the port used for web traffic. The same will be true for a mail server, which will show as running on port 25. Figure 2 provides an example.

Figure 2
You will quickly see if you have inbound and outbound web server connections when you are not running a web server. If you see "ESTABLISHED" instead of "LISTENING" in the above example, that means someone is actively connected to your computer. The local address will change from 0.0.0.0 to your computer's IP address, and the Foreign Address will be the system that has connected to you. At the end of the day, the best prevention is not to be a victim of social engineering. Try to avoid being tricked into clicking on a hypertext link or opening a program that mysteriously showed up in your inbox, even one sent to you by one of your contacts. Make sure your computer's operating system is up to date with patches, along with any applications. Also ensure that your anti-virus and anti-spyware DAT files are up to date and that you run periodic scans.
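The manual `netstat -an` check described above can be scripted so that a long listing is reduced to the lines that matter: a LISTENING socket on port 80 or 25 on a machine that should not be serving anything, and an ESTABLISHED connection whose local port is one of those server ports, meaning a remote host has connected in. The parser below is an added example written for this page, not code from the original article. The `netstat` output it reads is constructed to match the Windows column layout shown in the text, and the set of "unexpected" server ports is an assumption taken from the article's two examples; adjust it for a machine that legitimately runs those services.

```python
"""Flag unexpected server ports and inbound connections in `netstat -an` output (added example)."""
import re

# Assumed list of services a typical home workstation has no business serving,
# taken from the article's web (80) and mail (25) examples.
UNEXPECTED_SERVER_PORTS = {80: "http", 25: "smtp"}

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (UDP rows have none).
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'192.168.1.5:80' or '[::]:80' -> ('192.168.1.5', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn raw `netstat -an` output into a list of row dicts, skipping headers and blanks."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # "Active Connections", the column header, blank lines
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state or ""})
    return rows


def find_suspicious(text, server_ports=UNEXPECTED_SERVER_PORTS):
    """Return human-readable findings for server ports this host should not be offering.

    Only rows whose *local* port is a server port are considered: a client talking
    to a remote web server uses an ephemeral local port and is left alone.
    """
    findings = []
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["local_port"] not in server_ports:
            continue
        svc = server_ports[r["local_port"]]
        if r["state"] == "LISTENING":
            findings.append(f"listening {svc} server on {r['local_host']}:{r['local_port']}")
        elif r["state"] == "ESTABLISHED":
            findings.append(f"inbound {svc} connection from {r['foreign_host']}:{r['foreign_port']}")
    return findings


# Constructed sample in the Windows `netstat -an` layout; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:80         203.0.113.9:51234      ESTABLISHED
  TCP    192.168.1.5:49201      198.51.100.20:443      ESTABLISHED
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_NETSTAT):
        print(finding)
```

On a real machine, run `netstat -an > netstat.txt` and pass the file's contents to `find_suspicious`; the outbound row to port 443 in the sample is deliberately ignored, since that is what a browser looks like, while the row on local port 80 with a foreign address is exactly the "ESTABLISHED instead of LISTENING" case the text warns about.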
[1] http://en.wikipedia.org/wiki/Botnet
[2] Criminals 'may overwhelm the web', BBC, 25 January 2007.