Discount Pharmacy

Description

Discount Pharmacy is listed by Spamhaus as a series of sites run by Vincent Chan. Many of the site names contain “hgh”.

Spam for these sites has been rampant since approximately June 2006; before that, the same operation spammed on a massive scale for a different set of “Total Health” HGH sites.

Initially the spammed domains switched at random between the two programs. They now carry a large block of obfuscated JavaScript that redirects the visitor to one of a variety of sites (all hosted at so-called bulletproof ISPs), with the target chosen according to which spammed domain was visited.

Both Total Health HGH and Discount Pharmacy appear to be identity theft operations. Nobody at the BBB or Pharmacy Checker has ever heard of anyone receiving any product after ordering from Discount Pharmacy. Representatives of the BBB flatly denied ever supporting or otherwise endorsing this range of well-known spammed websites. Unfortunately they do not yet publish any specific consumer warning beyond the general caveat not to purchase any product promoted via spam email.

Spam Examples

In most cases the spam messages sent for these websites contain no identifying text in the message body. Instead they carry a GIF image attachment that tells the recipient not to click anything, but to type a domain name by hand into their (IE) browser. This shows how much pressure the operation is under from filtering: a message that carried a direct link to the site in its text would not get through. It has been reported that some 10 million or more of these messages are sent on an average day, to recipients who asked for none of them.

The text part of the message usually consists of lengthy, randomly selected passages, often lifted from freely available texts, including several from Project Gutenberg. Their only purpose is to pad the message with innocuous prose so that content-based filters have nothing to key on.
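The combination just described (an image attachment that carries the pitch, plus a long text body with no URL in it) is easy to triage mechanically. The following is an added example, not code from the original page or from the spam operation it describes; the two MIME messages it builds are constructed for the example (a bare GIF89a header stands in for the image), and the 40-word padding threshold is an assumption to tune per mail stream.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the GIF attachment: a GIF89a header followed by padding.
FAKE_GIF = b"GIF89a" + b"\x00" * 32

# Constructed "padding" body: innocuous prose with no URL, in the style of the
# public-domain passages the text describes (written for this example, not a real capture).
PADDING_TEXT = (
    "The clerk closed the ledger at the usual hour and walked down the empty lane\n"
    "toward the harbour, where the last boats of the day were being tied up against\n"
    "the wall. Nobody spoke to him, and he spoke to nobody, which suited his temper\n"
    "well enough. A lamp was lit in the window of the inn, and the rain, which had\n"
    "threatened all afternoon, finally began to fall.\n"
)

# Constructed legitimate message for comparison: short, contains a link, no image.
CLEAN_TEXT = "Hi,\nthe quarterly report is at http://intranet.example/reports/q3\nlet me know.\n"

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def build_message(text: str, attach_gif: bool) -> bytes:
    """Assemble a MIME message with a text/plain body and, optionally, an image/gif attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "re: your order"
    msg.set_content(text)
    if attach_gif:
        msg.add_attachment(FAKE_GIF, maintype="image", subtype="gif", filename="info.gif")
    return msg.as_bytes()


def triage(raw: bytes, min_padding_words: int = 40) -> dict:
    """Score one raw message against the image-spam pattern: at least one image part,
    a text body long enough to be padding, and not a single URL in that text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chunks = []
    image_parts = 0
    for part in msg.walk():  # walk() also yields the multipart container, which matches neither branch
        if part.get_content_type() == "text/plain":
            text_chunks.append(part.get_content())
        elif part.get_content_maintype() == "image":
            image_parts += 1
    text = "\n".join(text_chunks)
    words = len(text.split())
    urls = len(URL_RE.findall(text))
    suspected = image_parts > 0 and urls == 0 and words >= min_padding_words
    return {
        "image_attachments": image_parts,
        "text_words": words,
        "urls_in_text": urls,
        "verdict": "image spam suspected" if suspected else "no image-spam indicators",
    }


if __name__ == "__main__":
    for label, raw in (("spam-like", build_message(PADDING_TEXT, True)),
                       ("clean", build_message(CLEAN_TEXT, False))):
        print(label, triage(raw))
```

The absence of a URL is the deciding signal here, not the presence of an image: newsletters attach images too, but they also link somewhere. In production this check would sit beside OCR of the image, which is where the spammed domain actually lives.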

Server Hijacks

As with many other illegal pharmacy operations used in large-scale spam runs, Discount Pharmacy also relies on a server hijack infection to host its spammed website domains. Unlike previously investigated hijacks, this one does not take place on Unix servers but targets Windows servers. As of this writing the name of the exploit is unknown and specific details about it are scarce. What is known is that the hijacked machines are usually running Microsoft Remote Desktop (TCP port 3389) and Microsoft Remote Procedure Call (TCP port 135), as shown in this port scan.

We have several specific details about what it does once the server is infected.

In all cases the spammed URL (whether in plain text or in the attached, randomized GIF image) exists only to load a secondary domain inside a JavaScript-generated iframe, and to obscure the true location of that secondary domain.

The secondary domain is always hosted on a hijacked Windows 2000 or Windows 2003 server.
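Because the spammed page is only a wrapper, the analyst's job is to peel the JavaScript and recover the iframe target without rendering the page in a browser. The following is an added example and not code from the original page or from the operation it describes; the landing page it decodes is constructed for the example (the hosts secondary.example and backup.example are placeholders), and the obfuscation layers it undoes (unescape(), String.fromCharCode(), \xHH escapes) are common ones assumed here, not a description of the specific script this operation used.

```python
import html
import re
from urllib.parse import unquote


def _fromcharcode(s: str) -> str:
    """Apply the String.fromCharCode() obfuscation; used only to build the constructed sample page."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# Constructed spammed landing page. The first script hides the iframe behind unescape(),
# the second behind String.fromCharCode() and a branch on the hostname the victim typed in.
SAMPLE_PAGE = (
    "<html><body>\n"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fsecondary.example%2Findex.php%22"
    "%20width%3D%22100%25%22%20height%3D%22100%25%22%20frameborder%3D%220%22%3E%3C%2Fiframe%3E'));</script>\n"
    "<script>if(location.hostname.indexOf('hgh')>=0){document.write("
    + _fromcharcode('<iframe src="http://backup.example/" width="1" height="1"></iframe>')
    + ");}</script>\n"
    "</body></html>\n"
)

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
HOSTNAME_RE = re.compile(r"\b(?:window\.|document\.)?location\.(?:hostname|host|href)\b")


def js_unescape(s: str) -> str:
    """JavaScript unescape(): expand %uXXXX first, then %XX (urllib's unquote handles the latter)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layers(script: str, max_rounds: int = 5) -> str:
    """Strip the cheap obfuscation layers repeatedly until a pass changes nothing.
    max_rounds bounds the work on pages that nest layers deeper than expected."""
    cur = script
    for _ in range(max_rounds):
        prev = cur
        cur = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))), cur)
        cur = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), cur)
        cur = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), cur)
        if cur == prev:
            break
    return cur


def extract_iframe_targets(page: str) -> list:
    """Every iframe src visible after decoding, in document order."""
    decoded = decode_layers(page)
    return [html.unescape(m.group(1)) for m in IFRAME_SRC_RE.finditer(decoded)]


def branches_on_hostname(page: str) -> bool:
    """True when the script reads location.hostname (or host/href): the target then depends on
    which spammed domain the visitor typed, so static extraction yields candidates, not the one
    a given victim would see."""
    return HOSTNAME_RE.search(decode_layers(page)) is not None


if __name__ == "__main__":
    print(extract_iframe_targets(SAMPLE_PAGE))
    print("hostname-dependent:", branches_on_hostname(SAMPLE_PAGE))
```

The hostname check matters for this operation in particular: the text says the redirect target is picked per spammed domain, so a page fetched under one name may reveal a different secondary host than the same page fetched under another. Enumerate the candidates statically, then confirm each one live from a throwaway host before reporting it as the hosting IP.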

Here are the known details of this infection:

Windows 2000 Server and Windows 2003 Server are the target Windows OSes. Other Windows Server versions might be exploitable in this way as well, but so far our research shows only these two.

A good first test is to attempt a Windows Remote Desktop connection to the suspect IP. Reaching the Windows logon screen confirms that the host is a Windows server with Remote Desktop exposed, which fits the profile of the hijacked machines; do not attempt to log in.

Once it has been established that the host is a Windows server and that its IP address is being used to host a Discount Pharmacy site, the following is known about the infection, based on feedback from several sysadmins:

  • The hijack itself takes place over Windows RDP (Remote Desktop Protocol).
  • The attackers create new accounts named support and aspnet$.
  • Once those exist, further modifications are made over RDP using the aspnet$ account.
  • The infection eventually consumes all available RDP connections, locking out legitimate users and disabling normal administration of the server.
  • A new user, “Baylor”, is added to the Administrators group.
  • The infection uses a hidden file structure that fills most of the victim server’s hard drive.
  • A web daemon can be identified as a process/service running on the victim server, but it can be neither stopped nor removed.
  • Once compromised, the original server cannot be recovered and the hidden file structure cannot be deleted; the machine has to be rebuilt.
  • Removing the aspnet$ account appears to stop further connections by the attackers, though this is not confirmed.

Here is a snapshot showing a Discount Pharmacy site being served via fast-flux DNS from 15 hijacked hosts at once:

>host rxunited.org

rxunited.org has address 24.65.77.132
rxunited.org has address 59.148.163.122
rxunited.org has address 61.10.118.146
rxunited.org has address 61.10.122.23
rxunited.org has address 61.225.2.85
rxunited.org has address 61.250.132.131
rxunited.org has address 69.233.0.233
rxunited.org has address 75.74.178.3
rxunited.org has address 84.100.121.182
rxunited.org has address 125.187.13.60
rxunited.org has address 202.132.105.246
rxunited.org has address 211.41.247.16
rxunited.org has address 220.85.129.250
rxunited.org has address 221.127.61.243
rxunited.org has address 221.127.213.181
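What makes the snapshot above a fast-flux signature is not the number of A records by itself but how scattered they are (fifteen addresses in eleven different /8s, none of them in hosting ranges) and how they change between lookups. The following is an added example and not code from the original page: it parses the host(1) output reproduced above as the first snapshot, compares it with a second snapshot that is constructed for the example (TEST-NET addresses stand in for newly rotated-in hosts; it is not a real later resolution), and the /16 and address thresholds in is_flux_candidate are assumptions to tune.

```python
import ipaddress
import re

# First snapshot: the host(1) output shown on this page.
SNAPSHOT_1 = """\
rxunited.org has address 24.65.77.132
rxunited.org has address 59.148.163.122
rxunited.org has address 61.10.118.146
rxunited.org has address 61.10.122.23
rxunited.org has address 61.225.2.85
rxunited.org has address 61.250.132.131
rxunited.org has address 69.233.0.233
rxunited.org has address 75.74.178.3
rxunited.org has address 84.100.121.182
rxunited.org has address 125.187.13.60
rxunited.org has address 202.132.105.246
rxunited.org has address 211.41.247.16
rxunited.org has address 220.85.129.250
rxunited.org has address 221.127.61.243
rxunited.org has address 221.127.213.181
"""

# Second snapshot: CONSTRUCTED for this example. Ten of the original hosts remain, five have
# dropped out, and three TEST-NET addresses (RFC 5737) stand in for freshly rotated-in hosts.
SNAPSHOT_2 = """\
rxunited.org has address 24.65.77.132
rxunited.org has address 59.148.163.122
rxunited.org has address 61.10.118.146
rxunited.org has address 61.225.2.85
rxunited.org has address 69.233.0.233
rxunited.org has address 84.100.121.182
rxunited.org has address 125.187.13.60
rxunited.org has address 211.41.247.16
rxunited.org has address 220.85.129.250
rxunited.org has address 221.127.61.243
rxunited.org has address 192.0.2.99
rxunited.org has address 198.51.100.7
rxunited.org has address 203.0.113.21
"""

HOST_LINE_RE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_host_output(text: str) -> dict:
    """Map each name in host(1) output to the set of IPv4 addresses returned for it."""
    out = {}
    for name, addr in HOST_LINE_RE.findall(text):
        out.setdefault(name, set()).add(ipaddress.IPv4Address(addr))
    return out


def breadth(addrs) -> dict:
    """How widely the A records are scattered. Distinct /16 and /8 prefixes are an offline
    stand-in for the distinct-ASN count a full fast-flux check would use."""
    n16 = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addrs}
    n8 = {ipaddress.ip_network(f"{a}/8", strict=False) for a in addrs}
    return {"addresses": len(addrs), "distinct_16": len(n16), "distinct_8": len(n8)}


def churn(old, new) -> dict:
    """Change between two resolutions of the same name; a flux network rotates hosts in and out."""
    old, new = set(old), set(new)
    union = old | new
    return {
        "retained": len(old & new),
        "removed": len(old - new),
        "added": len(new - old),
        "jaccard": round(len(old & new) / len(union), 3) if union else 1.0,
    }


def is_flux_candidate(addrs, min_addresses: int = 5, min_distinct_16: int = 5) -> bool:
    """Assumed thresholds: a site on ordinary hosting answers from one or a few prefixes;
    many unrelated consumer/ISP prefixes answering for one name is the fast-flux pattern."""
    b = breadth(addrs)
    return b["addresses"] >= min_addresses and b["distinct_16"] >= min_distinct_16


if __name__ == "__main__":
    first = parse_host_output(SNAPSHOT_1)["rxunited.org"]
    second = parse_host_output(SNAPSHOT_2)["rxunited.org"]
    print(breadth(first), "flux candidate:", is_flux_candidate(first))
    print(churn(first, second))
```

Run the lookup repeatedly (the record TTL tells you how often is worth it) and keep every address seen: the union over a day is the list of hijacked hosts to report, and the churn figures show whether the network is still being fed new victims.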

More information will be posted here as we discover it. If you are the sysadmin of an infected Windows 2000 or Windows 2003 server, we would be very interested in hearing about your experience.