[NA-Discuss] Policy Failure Enables Mass Malware: Part I (Rx-Partners/VIPMEDS)

Garth Bruen at KnujOn gbruen at knujon.com
Thu Sep 23 15:00:26 UTC 2010


This is the first in a series of releases that tie extensive code
injection campaigns directly to policy failures within the Internet
architecture. In this report we detail a PHP injection
(http://en.wikipedia.org/wiki/Code_injection) found on dozens of
university and non-profit websites which redirected visitor's browsers
to illicit pharmacies controlled by the VIPMEDS/Rx-Partners affiliate
This is not a unique problem, however the pharmacy shop sites in
question: HEALTHCUBE[DOT]US and GETPILLS[DOT]US should not even exist
under the .US Nexus
Policy(http://www.nic.us/faqs/index.html#who_can_register). The owners
of the two malware-redirected domains are in Russia and policy reserves
dotUS for U.S. persons and entities. I wish we could say this is the
only policy failure allowing the malicious pharmacy network to endure,
but it is one of many. Multiple forged WHOIS records, a Registrar
blocking access to WHOIS records, rejected emails to abuse contacts, and
Registrars without any apparent policy help create an environment for
hackers, spammers, and drug-dealers to act with impunity.)All of this is
detailed in our report:

PHP, SQL or simply code injections are intrusions at the database,
server or website level that place a simple redirect command in the
existing code that redirects the user's browser to another website, in
this case our illicit .US Rx shops. This malicious code was found on the
websites of several schools within the Arizona State University system,
Rochester Institute of Technology, Universidade de Santiago de
Compostela, Northern Marianas College, The University of Utah,
Universita Mediterranea di Reggio Calabria, The International
Association of Judges, earthportal.org and many other educational or
non-profit entities. KnujOn notified all impacted parties prior to
publishing this report and we continue to search for new infections.
Malware and intrusions are not new news, but rarely reported is the true
purpose of such attacks. Viruses and hacks no longer exist for their own
benefit, but are part of sophisticated criminal toolkit, which drive
Internet users to sites that deal in contraband. And these sites, for
the most part, would not exist if effective policy and procedure were

This all comes out as ICANN's CEO Rod Beckstrom declares that the domain
name system is under threat
, USA Today reports on the booming counterfeit drugs industry
Panda Security reports tens of thousands of new malicious websites
appear each week
and of course the White House call for ICANN, Registries and Registrars
to help develop online drug control policy

The VIPMEDS/Rx-Partners network has many other sites examined in this
report, among those is toppharmacy[dot]org. While the Pubic Interest
Registry(PIR) no longer has a non-profit requirement, this illicit
pharmacy domain is not an organization (at least not a legal one).
Toppharmacy[dot]org is sponsored by UKRNAMES and when we first queried
their Port 43 engine we received the response: No match for domain
"toppharmacy.org." This is very odd and could be a violation of RAA
After filing a complaint with ICANN, UKRNAMES WHOIS began giving out the
proper information.

Two other domains in this affiliate network are:
ameritrustpharmacy[DOT]net and indiangenericspharmacy[DOT]com hosted by
Sharktech. When we tried to contact Sharktech abuse our email was
rejected. Then there the 11 pharmacy domains in this network with
blatant false WHOIS. What ties all these domains and the malware
together is the actual transaction domain: ebillsafe[dot]com, which as
of this writing is thankfully offline. The transaction domain is where
thousands, maybe even more, illicit pharmacy shop sites transfer
customers once their shopping cart is full, it is where the money
actually changes hands for drugs. One of the shop domains that points
there is a Moniker-sponsored domain called cheapestpharma[DOT]net which
uses Moniker's privacy protection. We made several unsuccessful attempts
to get a copy of Monker's policy concerning illicit pharmacies from
their senior staff and to get the site terminated. No policy is bad

But there is good news. The main VIPMEDS shop site and transaction
domains are offline, suspended by their hosts for policy violations.
Some Registrars we contacted addressed the threat directly and
terminated domains within the network. And nearly all of the infected
networks have removed the malicious code. This means if someone is still
unlucky enough to end up at one of the existing shop sites their
transaction will fail (http://www.knujon.com/images/pharmacrash.png).
This is critical to understanding the problem, without domains to move
cash through, the array of illicit sites and malware deployments are

In Part 2 we will examine in detail a case that relates directly to
ICANN compliance procedures.

More Info:

What is the Doomsday Book? http://knujon.com/doomsday

Garth Bruen
gbruen at knujon.com
Linkedin Group: http://www.linkedin.com/groups?gid=1870205
Blog: http://www.circleid.com/members/3296/
Twitter: @Knujon

More information about the NA-Discuss mailing list