Discount Pharmacy
From Spamwiki
Background
Discount Pharmacy has been identified in Spamhaus as a series of sites run by Vincent Chan. Many of his site names contain "hgh"; one is shown in the image here.
Their spam has been rampant since approximately June 2006, after they had previously spammed on a massive scale for a different set of "Total Health" HGH sites.
Spammed domains initially would randomly switch between the two programs. Now they use a large block of obfuscated JavaScript to redirect users to a variety of sites (all hosted on so-called bulletproof ISPs), with the destination chosen according to the spammed domain.
Both Total Health HGH and Discount Pharmacy appear to be identity theft operations. Nobody at the BBB or Pharmacy Checker has ever heard of anyone receiving any product once ordering from Discount Pharmacy. Representatives from the BBB flatly denied ever offering support or otherwise endorsing this range of well-known spammed websites. They unfortunately do not yet have any sort of warning to consumers aside from the general caveat not to purchase any product promoted via spam email.
Spam Examples
In most cases the spam messages sent for these websites never contain any identifying text inside the message itself. Instead these messages always feature a gif image attachment which tells the user not to click, but instead to manually type a domain into their (IE) browser. This is a sign of just how desperate this spam operation has become: clearly none of their messages would ever get through if they linked directly to the site within the message text. It has been reported that on an average day some 10 million or more of these messages are deployed to unwitting email recipients, literally none of whom actually want any of them at all.
The actual text of the message usually contains lengthy, randomly selected passages of text, often from freely available texts, including several available from Project Gutenberg.
Server Hijacks
As with many other illegal pharmacy operations being used in large-scale spam runs, Discount Pharmacy also employs a server hijack infection for the purposes of serving out their spammed website domains. Unlike previously investigated hijacks, this one does not take place on Unix servers but instead targets Windows servers. As of this writing the exploit's name is unknown and specific details about it are scarce. What is known is that hijacked machines are usually running Microsoft Remote Desktop support and Microsoft Remote Procedure Call, as shown in this port scan:
3001/tcp open msrpc         Microsoft Windows RPC
3389/tcp open microsoft-rdp Microsoft Terminal Service
We have several specific details about what it does once the server is infected.
In all cases, the URL which is spammed (in either flat text or in the attached, randomized gif image) is merely present to perform a JavaScript Iframe presentation featuring a secondary domain, and also to perform obfuscation as to the true location of that actual secondary web domain being presented.
The secondary domain is always hosted on a hijacked Windows 2000 or Windows 2003 server.
Here are the known details of this infection:
Windows 2000 Server and Windows 2003 Server are the target Windows OSes. Other Windows Server OS types might be exploitable in this way as well; so far our research shows only these two.
A good test for proving that this is a hijacked server is to attempt a Windows Remote Desktop connection to the infected IP.
Once it's been established that this is a Windows server, and it's on an IP address being used to host a Discount Pharmacy site, we know these details about the infection, based on feedback from several sysadmins:
- The hijack itself occurs via Windows RDP (Remote Desktop Protocol).
- New accounts are set up by the attackers. Their names are: support and aspnet$
- Once created, further modifications take place via RDP using the aspnet$ account.
- This exploit eventually uses up all available RDP connections, locking out any genuine users and disabling normal server functionality.
- New user "Baylor" is added to the administrator group.
- The exploit uses a hidden file structure which fills up most of the hard drive of the victim server.
- A web daemon can be identified as a process / service running on the victim's server, but neither shutdown nor removal of this daemon is possible.
- Once exploited, it is not possible to recover the original server, nor is it possible to delete the hidden file structure.
- Removal of the aspnet$ account appears to stop further connections by the attackers (though this is possibly not true.)
Here is a snapshot showing a Discount Pharmacy site running via fast-flux simultaneously on 15 hijacked hosts:
>host rxunited.org
rxunited.org has address 24.65.77.132
rxunited.org has address 59.148.163.122
rxunited.org has address 61.10.118.146
rxunited.org has address 61.10.122.23
rxunited.org has address 61.225.2.85
rxunited.org has address 61.250.132.131
rxunited.org has address 69.233.0.233
rxunited.org has address 75.74.178.3
rxunited.org has address 84.100.121.182
rxunited.org has address 125.187.13.60
rxunited.org has address 202.132.105.246
rxunited.org has address 211.41.247.16
rxunited.org has address 220.85.129.250
rxunited.org has address 221.127.61.243
rxunited.org has address 221.127.213.181
More information will be posted here as we discover it. If you are a sysadmin of an infected Windows 2000 or Windows 2003 server, we would be very interested in hearing from you regarding your particular experiences.
Hijack Removal Instructions
A sysadmin at one of the ISPs which was attacked in this way contributed the following hijack removal instructions.
To our knowledge those instructions do not remove the massive hidden file system this exploit creates, but do shut down the web daemon used in this hijack.
How to Report this Spam
The Complainterator is configured to report this spam to the registrars. It automates the process described here.
Do a whois lookup on the domain name spamvertized, to discover the registrar of the web site. Email a complaint requesting that the illegal site be removed.
Do a whois lookup on the domain names used by the name servers that resolve access to the web site. Again, discover the registrar(s) that are sponsoring the access to the web site. Email a complaint to the sponsoring registrar.
Removal instructions: the registrar needs to set the status of each of these domains to
- clientHold
- clientUpdateProhibited
- clientDeleteProhibited
- clientTransferProhibited
To remove them as name servers, the Address records for ns1 and ns2 need to be changed to a non-routable address, such as 0.0.0.0 or a blackhole address within their own address space.
Spammed URLs
From the original spammed URL to the final hosted website, their initial attempts would randomly switch between an HGH and a Discount Pharmacy site, using only two domains within some obfuscated JavaScript:
- Spam domain "a"
- Present obfuscated JavaScript
- JavaScript randomly chooses between domains "b" and "c"
- redirect - always within a frameset, always disallowing any right-clicking within the page itself
Since January 2007, this process has changed drastically to include upwards of 12 distinct URLs, most of them used as fallbacks. The spammed URL is almost always a long-standing, stable spammer domain, with JavaScript redirection to one or more secondary throwaway domains, which in turn redirect the user again. An example "stable" domain is featured in the spam gif example above and has been active since at least October 2006.
Once a user is actually viewing the main page, the website has identified which country the user is browsing from. ("Yes! We deliver to Uzbekistan.") This is done via a mixture of further obfuscated JavaScript and back-end geotracking. No matter which country you are browsing the site from, you will be presented with the flag icon and country name for that country.
Obfuscation
Discount Pharmacy tries to throw the authorities off by laying down a trail of deception. Web sites are redirected, and site content is often obfuscated to avoid detection, arrest and prosecution.
Example of obfuscation from the web page source:
<!--
eval(unescape("\x76\x61\x72\x25\x32\x30\x72\x65\x25\x32\x30\x25\x33\x44\x25\x32\x30
\x6E\x65\x77\x25\x32\x30\x52\x65\x67\x45\x78\x70\x25\x32\x38\x25\x32\x32\x68\x74
\x74\x70\x25\x33\x41\x2F\x2F\x25\x32\x38\x25\x35\x42\x2D\x5F\x25\x35\x43\x2E
\x30\x2D\x39\x61\x2D\x7A\x41\x2D\x5A\x25\x35\x44\x2B\x25\x32\x39\x2F\x25\x33\x46
\x25\x32\x32\x25\x32\x43\x25\x32 . . .
etc
//-->
This obfuscation turns into a JavaScript function, which in turn redirects the user to a specific second URL. This second URL is shown in a frame to try to hide its domain name.
A recent example (July 2007) deobfuscates to:
var re = new RegExp("http://([-_\.0-9a-zA-Z]+)/?","ig");
var arr = re.exec(location.href);            // grab the host part of the spammed URL
var d=RegExp.$1; var ss = d.split(".");
var l = ss.length;
var bd = ss[l-2] + "." + ss[l-1];            // registrable domain, e.g. "hghtime.org"
if(bd.search("hgh")==-1)                     // both branches do the same thing: the old
{ document.title = "Welcome"; }              // HGH/pharmacy switch no longer changes anything
else{ document.title = "Welcome"; }
url="http://www.supportallsmartbuys.org:8088/cg/";   // the real (hijacked) host and port
var vc1='abcdef';
var vc2='01234567890abcdefghijklmnopqrstuvwxyz';
var c=Math.floor(Math.random() * 6) + 4;     // random label length, 4 to 9 characters
var dp = vc1.charAt(Math.floor(Math.random() * 6));
for(i=1;i<c;i++)
{ dp = dp + vc2.charAt(Math.floor(Math.random() * vc2.length)); }
url = url.replace('www', dp);                // e.g. http://be6w.supportallsmartbuys.org:8088/cg/
// the frameset keeps the spammed domain in the address bar while the content comes from url
document.write("<HTML><HEAD><TITLE>Welcome</TITLE></HEAD><FRAMESET rows=100%,*><FRAME src=\"" + url + "\" scrolling=yes></FRAMESET></HTML>");
This attempts to conceal that the true web site and images are being served from supportallsmartbuys.org on port 8088, e.g.
http://be6w.supportallsmartbuys.org:8088/cg/images/why_circle_save80.gif
http://supportallsmartbuys.org:8088
The victim of this hijacking has a site at
http://supportallsmartbuys.org
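As an added example (not part of the Spamwiki page and not the spammers' script), the following JavaScript reverses the two encoding layers of the eval(unescape("\x...")) wrapper shown above without executing it, then pulls the hard-coded target out of the decoded redirector; the sample input is constructed from the first lines of the obfuscated block quoted above, and the function names are my own.

```javascript
// Constructed sample: the first lines of the obfuscated block quoted on the
// page, closed off so the string literal is complete (String.raw keeps the
// \x escapes exactly as they appear in the page source).
const SAMPLE = String.raw`<!--
eval(unescape("\x76\x61\x72\x25\x32\x30\x72\x65\x25\x32\x30\x25\x33\x44\x25\x32\x30
\x6E\x65\x77\x25\x32\x30\x52\x65\x67\x45\x78\x70\x25\x32\x38\x25\x32\x32\x68\x74
\x74\x70\x25\x33\x41\x2F\x2F\x25\x32\x38\x25\x35\x42\x2D\x5F\x25\x35\x43\x2E
\x30\x2D\x39\x61\x2D\x7A\x41\x2D\x5A\x25\x35\x44\x2B\x25\x32\x39\x2F\x25\x33\x46
\x25\x32\x32\x25\x32\x43"));
//-->`;

// Layer 1: the JavaScript string literal (\xNN, \uNNNN, \\, \" and friends).
function decodeJsStringLiteral(lit) {
  return lit.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[\s\S])/g, (_, esc) => {
    if (esc.length > 1) return String.fromCharCode(parseInt(esc.slice(1), 16));
    const simple = { n: '\n', r: '\r', t: '\t', '0': '\0' };
    return esc in simple ? simple[esc] : esc; // \\ -> \ and \" -> "
  });
}

// Layer 2: the legacy unescape() call (%XX and %uXXXX sequences).
function legacyUnescape(s) {
  return s.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Pull the quoted argument out of eval(unescape("...")) and reverse both
// layers. Whitespace inside the literal (wiki line wrapping) is dropped first.
function decodeEvalUnescape(src) {
  const m = /eval\s*\(\s*unescape\s*\(\s*"((?:[^"\\]|\\[\s\S])*)"/.exec(src);
  if (!m) return null;
  return legacyUnescape(decodeJsStringLiteral(m[1].replace(/\s+/g, '')));
}

// Triage of a decoded redirector: find the hard-coded url="..." target. The
// script swaps 'www' for a random 4-9 character label before framing the
// page, so the stable indicator is the registrable domain plus port.
function extractRedirectTarget(decoded) {
  const m = /\burl\s*=\s*["']([^"']+)["']/.exec(decoded);
  if (!m) return null;
  const u = new URL(m[1]);
  return {
    url: m[1],
    port: u.port || '80',
    baseDomain: u.hostname.split('.').slice(-2).join('.'),
  };
}

// Constructed input: the url assignment from the deobfuscated July 2007 script.
const DECODED_SAMPLE = 'url="http://www.supportallsmartbuys.org:8088/cg/";';
```

Running decodeEvalUnescape(SAMPLE) yields the first statement of the deobfuscated script shown above, and extractRedirectTarget(DECODED_SAMPLE) reduces the hop to supportallsmartbuys.org on port 8088.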
In an investigation in January, 2007, no less than 39 domains in total were found to be related to a single spammed website's obfuscated Javascript. Many of the domains were all identical Discount Pharmacy domains. Several others were duplicates for the original "Total Health HGH" sites. Later on in the same day, those domains also switched over to Discount Pharmacy content.
The ISPs and registrars for these domains span several countries, and many of the so-called ISPs are probably fake ones set up by the spammers. Hosting is all over the map. The renowned Chinese ISP and registrar Beijing Innovative appears to be supporting and enabling this enterprise in full force, and many of the Discount Pharmacy domains for which it has been the authorizing registrar have continually been active over many, many months.
Terms of Use
Some of the terms of use make astounding reading:
The User has lawfully obtained the prescription from duly qualified medical practitioner and that the Medication will be used only as directed and only by the person for whom the Medications were prescribed and that the duty of care is the responsibility of the User's Doctor.
No person other than the User will use the Ordered Product.
The user acknowledges that fp4vd.vbedwe.org is required to have a licensed Indian Physician ("the Indian Physician") review his/her medical information and that fp4vd.vbedwe.org and its employees and agents have relied on the information and documentation provided by the user and the user represents that he/she has fully disclosed all pertinent requested information charged to the user arising from the Indian Physician reviewing his/her medical information.
For international sales (outside of India?):
INTERNATIONAL SALES 2. If you are importing our products we will do all we can to assist you in meeting the importing laws and requirements of your respective country, however, fp4vd.vbedwe.org. is not a legal expert concerning the laws affecting the legal importing, distribution, sale or use of any product offered herein. The buyer accepts full responsibility and accountability for compliance with any and all laws rules and regulations, which may affect the buyer regarding the importing, distribution, sale or use of any product purchased from fp4vd.vbedwe.org. Additionally, fp4vd.vbedwe.org. accepts no liability for the undeliverability of any products due to the actions of any government once the shipment has left the port of exit from India.
False Claims
Image badge text: "Secure + This site is 100% secure"
The claim shown here is false. The ordering page that requests identity and credit card details runs over http, not https, showing that no security is implemented despite this claim.
Fake Awards
The image shows an example of self-awarded banners.
The links to the Better Business Bureau and Best 2006 International Pharma site actually direct to an image server at fp4vd.vbedwe.org:8088 and pass across a "sessionid".
As with most of the sites outlined in this Wiki, none of these links are legitimate, and none of the claims of support are valid. Not one of these icons links to the actual organization claimed, and in fact investigating each of them leads to either a dead end (there is no such award for "Best Pharmacy Site", for any year) or outright falsehood (No such support has ever been given, or would ever be given by the Better Business Bureau, UPS, or the US Postal Service. This organization generates huge volumes of complaints which these associations are very well aware of.)
Sponsoring Registrar
The image server site vbedwe.org uses 4 name servers in two pairs, the first pair registered on Beijing Innovative Linkage Technology name servers.
The spammed site selected here, hghtime.org, is registered on Beijing Innovative Linkage Technology and also uses 4 name servers in two pairs in the same manner. This is evidence that they are the work of the same person.
Related Spam
Vincent Chan is known in China, and identified with Discount Pharmacy, where his IP addresses are tracked for Discount Pharmacy sites like simplerx.org, onlyhgh.org and fastrx.org:
| IP address | Identity | Date | Location |
| 61.152.199.70/32 | Vincent Chan / yoric.net | 05-11-2006 18:06 | Shanghai, China |
| 222.64.103.234/32 | Vincent Chan / yoric.net | 05-11-2006 18:08 | Shanghai, China |
| 61.129.15.77/32 | Vincent Chan / yoric.net | 08-11-2006 13:14 | Shanghai, China |
ED Choice is known to be another operation from the same source.
Sample sites
This is a list of sample sites, which redirect to hijacked hosts. They are registered with Beijing Innovative Linkage Technology.
Sample sites May 2008
These are registered with Xin Net. The registrant gives an email address david780213@yahoo.com.cn which has been used for registrations of VPXL, PayPal phishing, MySpace phishing, and Advantage Pharmacy sites.
purchaserxhere.com directrxcenter.com r-x-r-x.com mainsrx.com rbestrx.com
Name servers:
ns1.monderx.com ns2.monderx.com
During the latter months of 2006, several monitored control email accounts received only three types of spam on a daily basis: Discount Pharma, numerous varieties of stock spam, and spam for a bogus "charity" named "SaveChilds.net". That last site was investigated and shut down after public outcry over what was obviously a completely fake charity organization. All three spam types featured identical message construction:
- random, nonsensical text with the word counts in the 150+ range
- no link to any website present in either the text or html portions of the email
- a gif attachment of no more than 12k in file size, randomly named and randomly generated
The stock images were completely randomized and featured obfuscated or otherwise very difficult-to-read text touting the following stocks:
- GDKI (Goldmark Industries)
- CWTD (China World Trade Corp.)
- WEXE (West Excelsior Enterprises Inc.)
- CNHC (China Health Management Corp. New)
- VMCI (Vemics Inc.)
- AGHG (Asgard Holdings Inc.)
- AMSN (Amerossi Int'l Group)
They began using similar obfuscated gif types in Discount Pharmacy spam messages, this time embedding them within the message and employing an html link to the website. You can see the similarities in gifs from three of the example email types below:
Sample sites September 2008
Domains are now registered with Bizcn.com; Xin Net has done a 180° turn in the past few months and now outpaces Bizcn.com in suspending spammed domains.
Websites continue to be hosted on hacked Windows servers:
| Domain name | IP address | Network |
| findingsfirst-rate.com | 189.3.102.153 | Embratel (Brazil) |
| great-outlooks.com | 12.216.45.58 | Mediacom Communications Corp/AT&T |
| long-adiscovery.com | 211.240.39.198 | Elimnet (Korea) |
| luminousdiscovery.com | 216.121.93.11 | ServePath, LLC |
| refreshingdiscovery.com | 121.126.192.4 | Haionnet (Korea) |
| unique-innovation.com | 121.126.192.4 | Haionnet (Korea) |
| unsurpassed-innovation.com | 189.3.102.153 | Embratel (Brazil) |
Sites have now expanded their product line to purportedly sell Ritalin, hydrocodone, and codeine phosphate, which are Schedule II controlled substances in the U.S. Schedule II is the category for drugs with the highest abuse potential and, consequently, the highest level of legal controls. Sites continue to offer the controlled substances Xanax, Valium, Ambien, phentermine, and Ativan, and have added Schedule III Vicodin ES. (As with most of these pharmacies, although brand names and trademarked tablet appearances are used on the site, they only claim to offer generic equivalents, even for drugs like Viagra that do not yet have any legally produced generic equivalent.)
One wonders who would be so foolish as to place an order for a schedule II drug from a website hosted on a hacked server, whose files can be voluntarily turned over to law enforcement by its owners without the need for any type of search warrant. However, federal prisons are certainly full of foolish people.
Clearly this group is involved in a great deal of internationally illegal activity, and appears to have absolutely no scruples whatsoever. Needless to say, several law enforcement and other authorities are continuing to investigate this group.