Battling the Zombie Web Site Armies

Peter Bennett first suspected his own Web site might have been turned into a spam-spewing zombie on the night of Nov. 11, when he discovered that a tiny program secretly uploaded to his site was forcing it to belch out ads for rogue Internet pharmacies.

Bennett’s site had been silently “infected” via an unknown (at the time) vulnerability in a popular e-commerce software package. While most site owners probably would have just cleaned up the mess and moved on, Bennett — a longtime anti-spam vigilante — took the attack as a personal challenge.

“Spammers always know it is me attacking their resources in whatever form that takes,” Bennett said. “In other words, I make myself a target because I have a clue or two about server security and defense and just love taunting them to crank them up.”

And taunt them he has. For years, the New Zealand resident was part of a ragtag band of anti-spam activists, or “antis,” that helped to bring down infamous pill spammer Shane Atkinson and other junk e-mail purveyors. After taking a break from anti activity in 2007 to pursue other professional goals, Bennett – now 50 – seems eager to jump back into the fray.

In the interim, however, spammers have been refining their techniques. Like reluctant conscripts in a global guerilla army, hundreds — sometimes thousands — of legitimate Web sites are now enslaved each month and sold to criminals who use them to blast out spam and host spam sites. The attackers Bennett is tracking mainly pick on orphaned Web sites running Linux with insecure, unpatched software packages (Bennett says his site was hacked thanks to a zero-day bug in osCommerce, a popular e-commerce software program).

Bennett found that his Web site was part of a larger botnet of at least 1,200 compromised sites that was being used to send roughly 25 million junk e-mail messages each day, although he said it appears the botnet is used for spam runs only intermittently.

“They only run the botnet once a week or so at a time, and then shut it off,” Bennett said.

An ad soliciting EvaPharmacy affiliates.

The hacked sites in the botnet Bennett identified mainly advertise one of three types of rogue pill sites: MyCanadianPharmacy, Canadian Family Pharmacy, and Canadian Health&Care Mall. The latter has been tied to a pharmacy affiliate program called EvaPharmacy, one of the few remaining pharmacy affiliate programs that pays members to promote fly-by-night pill sites via spam.

I’ve separated the hacked sites identified by Bennett into different lists, broken down by the type of pharmacy programs they are currently promoting. A fourth category, labeled “Other,” includes those hacked pages that appear to be mainly erected to beef up the search engine ranking of rogue pharmacy sites. Click the links below for a text file listing the compromised sites in each group (please take care with those links; some of the sites may also host malicious code):

Canadian Health&Care Mall

My Canadian Pharmacy

Canadian Family Pharmacy


Most people understand the need to keep their computers up-to-date with the latest security patches, and that failure to do so could let bad guys turn those systems into spam zombies. Web sites, as it turns out, also can be zombified if deprived of proper care and feeding. I suspect many Web site owners either aren’t aware of the threat or do not want to apply updates out of laziness or because they have their Web site set up just right and are afraid that patches may screw things up.

“The big problem is many of the web sites get themed, which means upgrading the site is a lot of work and often does not get done,” Bennett said.

In any case, it is clear that a more comprehensive approach to helping people secure their Web sites is long overdue. Unfortunately, the very organizations that should be leading by example — federal and state government Web sites — often set the worst example, and are frequently compromised and hijacked by spammers — sometimes for months or years on end. The U.S. Agency for International Development, for instance, is doing a bang-up job helping to develop international spam cartels by hosting dozens of pages promoting rogue online pharmacies.

On Dec. 14, the Obama administration announced that it was teaming up with Google, Microsoft and a host of other tech giants to establish a nonprofit organization targeting illegal Internet pharmacies. Victoria Espinel, the White House intellectual property enforcement coordinator, described the nonprofit group as “comprised of companies that serve as Internet choke points and was in response to a call from the administration for private efforts to police illegal pharmacies.”

It will be interesting to see what — if any — impact this group may have on the overall problem. For now, the job of policing the Internet for illegal pharmacies will continue to fall to individuals and volunteers, like Bennett.

“I’ll keep at it, because I enjoy it,” he said. “But the war on rogue pharmacies has to be fought on many levels. The fact that hackers are creating Web site botnet armies needs to be dealt with, as lack of action just emboldens the hackers.”
