September 2009 Spam Report

McAfee Avert Labs Discovers and Discusses Key Spam Trends

(PresseBox) ( Unterschleißheim, )
Key Findings

"Chinese pharmacy" spam is not a sinister plot by the Chinese government. It appears to be a reaction to Chinese overproduction of prescription drugs and the need to sell them cheaply to customers outside the country. We examine the role of botnets in this fragmented business, which includes many legitimate, or at least incurious, players.

In early August a distributed denial of service attack took down Twitter and slowed other social sites, including Facebook. They were attacked because they had hosted an account of a pro-Georgian blogger writing about the recent brief war between Georgia and Russia. The DDoS attack was accompanied by a rather anemic spam campaign.

Table of Contents The Curious Case of "Chinese Pharmacy" Spam 3 Twitter/Facebook Distributed Denial of Service 8

The Curious Case of 'Chinese Pharmacy' Spam

We've seen plenty of news regarding "Chinese pharmacy" spam. These spam messages constitute between 60 percent and 65 percent of today's global email volume and have maintained roughly that quantity for three to four months. Although this phenomenon is primarily based in China, the websites appear to be in Canada. Why the Land of the Loon? Everyone trusts Canadians, and it's common knowledge in the United States, at least, that Canadian drugs are less expensive. These spams raise many questions and create a lot of intrigue regarding the nature of parties to what is considered malicious or illegal activity. We'll describe some of the factors that may be involved in the production of this pharmaceutical spam, how it comes to market, and why some of the finger-pointing may oversimplify the issue-possibly diverting us from an internationally accepted solution.

We'll examine this issue in four major parts:
-The creation and use of a botnet for marketing products
-The levels of abstraction that allow associated groups to claim legality or at least legitimacy in their actions
-The economic reality of pharmaceutical manufacturing and distribution in China
-Details of registration and hosting associated with this type of spam

Building a botnet to send spam

We'll start with a description of a generic botnet. Similarities between this botnet and your botnet are simply coincidental. A botnet can be more or less complex, but they all contain these basic pieces.

When your system becomes infected with a virus that installs a Trojan on your computer, the botmaster is likely to gain a significant amount of detailed personal information: user names, passwords, account numbers, emails, instant messages, etc. The infected computer needs to send this data to a central location, so it generates a URL from a list that is embedded in the virus and attempts to contact that site and report the information. These are some features of a computer that affect the usefulness of an individual machine:

-Can it connect outbound on port 25 (email)?
-Can it receive connections on port 80 (web) from an anonymous source?

A computer that can do the first is capable of sending spam. A computer that is capable of the second can host a web server (assuming that all the nodes can connect outbound on the port 80, which makes them all capable of joining in a distributed denial of service (DDoS) attack if one were ordered).

Machines capable of sending outbound emails are going to be much more numerous than computers that can host a web server. The latter requires a lack of inbound firewall protection and a routable IP address that matches the infected machine. Sending only email requires a lack of outbound firewall protection, which is extremely common.

A botmaster needs to establish a server to receive feedback and send commands to the zombies. Then a botmaster must choose a subset of devices that will be responsible for sending spam, and a number of devices that will be responsible for handling web traffic.

Distributing web traffic among the web-capable zombies is often done through the technique "fast flux."

The domain name service (DNS) hosts can use a regularly updated list of web-capable IP addresses to return zombie host IP addresses. By setting the time-to-live parameter of the domain record to one second and constantly using new IP addresses, a botmaster can achieve better traffic distribution to his webhosts.

The webhosts issue a redirect command to the spam recipient's web client that sends the user from the fake-front domain name to the actual permanent domain name. This allows the spammer to acquire temporary domain names through a process known as domain tasting, in which a domain name is temporarily registered "for trial purposes" from a registrar, and use those domains in the spam emails.

(Identifying a known spam URL in an email would allow anti-spam systems to easily block an email;

using a new one makes that process more difficult.) Domain tasting is widely recognized as an abuse of the naming system. ICANN has recently passed additional regulations to combat the practice, but those restrictions apply to only a small number of actual domain codes.

Creating this botnet leaves a trail of publicly accessible information:
-Registration information associated with domains acquired through domain tasting
-Registration information associated with primary websites
-Nameservers associated with the first two items
-IP addresses associated with the first two items
-The IP address that sent the spam

The abstraction layer

The botnet is just a small part of a fractured and distributed business model. Let's take a look, starting with someone who has palettes of generic pharmaceuticals to sell. The person with the goods contacts a company that says it can provide completely legitimate online vendor services to help sell the excess inventory internationally. The services company contracts with another company to produce a website to sell the merchandise. In return for a slice of the pie, the pharmaceutical owner receives the buyers' names and addresses and is responsible for shipping the goods.

The website contractor is doing only what it was hired to do: create an online website that sells something. That's not illegal. The website company might further contract with a marketing firm to drive traffic to the new website, another perfectly legitimate action. How that traffic was generated doesn't concern its management. The move results in sales, which means that the recipients obviously wanted to purchase the material.

The slippery claim of legality oozes through the whole charade. The original vendor service doesn't touch the website, and it doesn't touch the drugs, it just processes credit card receipts and purchase orders and then appropriately divides them among its clients. The pharmaceuticals website claims it isn't in control of spammers; instead it's just the lucky recipient of traffic. The site outsources the marketing to a number of smaller groups, all of whom can claim ignorance of any sort of botnet-related activity.

Economic reality

China has a rapidly growing pharmaceuticals market. Only a fraction of its 1.3 billion people currently have easy access to healthcare. With a multitude of government efforts to build hospitals and provide well educated doctors to remote areas of the country, China's market for both over-the-counter and prescription drugs is expected to grow rapidly over the next decade. China currently produces 70 percent of its own pharmaceuticals from its own generic drug industry but, for the most part, local manufacturers produce inferior products and are often unprofitable.[1]

China's government negotiates with international drug suppliers to establish price controls and gives them regional monopolies to supply drugs. In doing so China makes it impossible for regional companies faced with overproduction or quality concerns from competing locally and forces them to look for an outlet to offload the excess, but they cannot sell their drugs inside the country because that violates Chinese law.

If China's population continues to grow, then it risks reaching a point where it will be unable to provide sufficient quantities of good-quality pharmaceuticals for its people through local industry and will need to import larger and larger amounts from the rest of the world. This looming concern makes closing a failing pharmaceutical factory untenable. The alternatives are acquisitions of underperforming factories by larger domestic corporations or operating at a loss.

Registration and hosting details

From a single day in August, we examined a total of 52,428 "Chinese newsletter" pharmaceutical spam emails that contained 1,235 unique URL domains. (This spam pretends to be a newsletter or other solicited email advertisement.) This is not the only pharmacy spam we've seen; it is simply the dominant one.

According to the whois database, these 1,235 domains were registered with the following:

-1 sponsoring registrar:
-1 sponsoring registrar:
-51 sponsoring registrar:
-1,182 sponsoring registrar:

The 1,235 unique domains pointed to a total of 13 IP addresses.

-11 of these IP addresses reside in China and are still functional
-1 of these IP addresses resides in Russia and is still functional
-1 of these IP addresses resides in the United States after the domain was apparently acquired by another registrar and black holed

The functioning IP addresses forward the connection to another IP address (the pharmaceutical website), which is hosted in China.


It is inaccurate to view the Chinese pharmacy spam phenomenon as the result of purposeful malicious behavior by the Chinese government or a single corporation; rather, it appears to be the result of a need to export the results of excessive overproduction to a global population that has tightened its purse strings against unnecessary spending.

In our February Spam Report we noted when the attitude toward these spam campaigns relaxed:

"Back in December we started to notice the most amazing thing. Spam that was using Chinese URLs were dead on arrival, meaning that more often than not, when the spam message was delivered to the mailserver the URL that it was referencing had already been removed from DNS. This trend had really started to pick up and must certainly have reduced the effectiveness to the sender of spam campaigns that take advantage of Chinese domains. This seemed to indicate an active participation by Chinese entities to curb and eliminate the spam.

"In January that was all over. Graphic emails pushing enlargement supplements with Chinese URLs and identical 'to' and 'from' addresses are not only in abundance, but the URLs contained in them are still active even after having been abused by spammers for weeks. Whatever preventative actions were being taken to keep the December URLs under control is gone."[2]

Also, in our July Spam Report we explained that Chinese pharmacy spam was not being sent to Chinese domains, which shows an ability on the part of the spammers to avoid crossing a line that would result in unlawful competition with local suppliers.[3]

Based on these observations of pharmacy spam there is no end in sight. If excess industrial chemical production in China cannot be dumped on the legal market, then it will continue to find a black market. The need for that black market is too strong to be shut down by international law enforcement.

On the other hand, there may be a peak to pharmaceutical spam in which the quest for profitability and maintainability eventually balances with the growth rate of the drugs market and reduces the danger of long-term overproduction. This may also result in an overabundance of idle botnet nodes and, as we all know, an idle botnet is the devil's plaything.

Twitter/Facebook Distributed Denial of Service

The community websites of Twitter, LiveJournal, Facebook, YouTube, and Fotki hosted an account of a pro-Georgian blogger who went under the nickname "cyxymu" (taken after Sukhumi, the capital of Abkhazia, one of Georgia's pro-Russian breakaway republics). All of the websites suffered a DDoS attack on August 6 that took down Twitter for several hours and significantly slowed connectivity to Facebook. Reportedly, the attack packets sent to those social-media sites were requests to fetch the pages hosted for this user, who had just a few days prior blogged about the upcoming one-year anniversary of the war between Georgia and Russia.

In addition to the web-based DDoS attacks, McAfee's TrustedSource reputation system also detected a spam campaign that referenced the targeted blogs. The attackers spoofed the email address of the blogger, which is hosted on Gmail, as the originator of the spam. As a result, the blogger's inbox was flooded with out-of-office notifications and vacation bounces automatically sent by mail clients of people who had received this spam. This was likely part of an intimidation campaign designed to add insult to cyxymu's DDoS injury.

Our analysis found the spam was distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

The IPs sending this spam are not dedicated to just this one target; most of them also send common variants of casino, pharmacy, and other frequently seen spams.

McAfee detected the spam campaign beginning around 1400 GMT on Thursday, August 6 and ending about two hours later.


The campaign to silence or spotlight cyxymu's voice included a DDoS and a low-volume spam campaign. The latter seemed primarily to publically highlight, perhaps to the blogger himself, the target of the attack. The spam itself was not responsible for the downfall of Twitter, either as mail target or as a click generator. However, a few aspects of the email suggest that the spam was merely an afterthought, or at least not the primary focus of the attacker. Whether that attacker was state-sponsored (as many have speculated, though usually without evidence), a self-motivated political hacktivist, or even cyxymu himself, the spam did a good job of bringing cyxymu's opinions to light. Amateurish inconsistencies in the header data (a BCC header field), lack of creativity in the contents, and the low volume of email are part of the distinctive character seen in this campaign.

Brought to You by McAfee Avert Labs

McAfee Avert Labs is the global research group of McAfee, Inc. With research teams devoted to malware, potentially unwanted programs, host intrusions, network intrusions, mobile malware, and ethical vulnerability disclosure, Avert Labs enjoys a broad view of security. This expansive vision allows McAfee's researchers to continually improve security technologies and better protect the public.

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/ or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee-brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. ©2009 McAfee, Inc. All rights reserved.
Für die oben stehenden Pressemitteilungen, das angezeigte Event bzw. das Stellenangebot sowie für das angezeigte Bild- und Tonmaterial ist allein der jeweils angegebene Herausgeber (siehe Firmeninfo bei Klick auf Bild/Meldungstitel oder Firmeninfo rechte Spalte) verantwortlich. Dieser ist in der Regel auch Urheber der Pressetexte sowie der angehängten Bild-, Ton- und Informationsmaterialien.
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an