WEBVTT

00:00:00.000 --> 00:00:04.960
JACK: I grew up in the US, close to my grandma. She was old and needed medicine, and often she’d

00:00:04.960 --> 00:00:10.520
buy her medicine in Mexico. I have many fond memories of taking an all-day road trip to Mexico,

00:00:10.520 --> 00:00:15.480
getting across the border, trying to find la farmacia, hoping we’d get the right medicine

00:00:15.480 --> 00:00:20.200
there, figuring out a way to get it back over the border, and then driving home. The thing is,

00:00:20.200 --> 00:00:25.800
here in the US, medicine is crazy expensive, so making the trip down to Mexico for medicine

00:00:25.800 --> 00:00:30.320
was worth it to us. [MUSIC] My grandma was just someone looking for deals and trying

00:00:30.320 --> 00:00:35.720
to save money. But this is a common story I’ve heard from other people in the US, too. Yeah,

00:00:35.720 --> 00:00:40.720
it’s often illegal to do this, because the US doesn’t want people importing drugs that

00:00:40.720 --> 00:00:47.040
aren’t FDA-approved, but still, people do it. But then, another option landed on the table;

00:00:47.040 --> 00:00:52.760
pharmacies began to appear online. Suddenly, you could order your medicines from your

00:00:52.760 --> 00:00:58.760
computer and get it delivered right to your front door, and that changed everything.

00:00:58.760 --> 00:01:03.400
But there was a problem with this, too; not all these internet pharmacies were above board. They

00:01:03.400 --> 00:01:08.040
weren’t all licensed, and most of the time, the medicines they were selling weren’t regulated,

00:01:08.040 --> 00:01:13.680
and that makes for a really murky and dangerous scene. When rogue online pharmacies hit the

00:01:13.680 --> 00:01:18.760
market, underground partnerships were born to promote them and get more customers. Their

00:01:18.760 --> 00:01:24.560
public face looked authentic, but the reality was much darker. Their digital partners were

00:01:24.560 --> 00:01:30.240
internet spammers. Today’s internet is like a big mask. It’s full of shady characters

00:01:30.240 --> 00:01:36.000
trying to trick you. This story is a look behind closed doors at what really goes on,

00:01:36.000 --> 00:01:40.720
and how spammers and botnets and hackers have shaped how online pharmacies look

00:01:40.720 --> 00:01:50.937
today. When you venture into the depths of the internet, the consequences can be life-changing.

00:01:50.937 --> 00:01:53.280
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:01:53.280 --> 00:02:16.754
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:16.754 --> 00:02:20.560
JACK: When pharmacies started up online, getting medicines became much easier,

00:02:20.560 --> 00:02:25.760
and that was a game-changer for a lot of people. But there was still one big problem; the cost.

00:02:25.760 --> 00:02:31.640
These medicines were just unbelievably pricey. As more and more pharmacies became available online,

00:02:31.640 --> 00:02:35.560
people looking around for medicines started to notice a big price difference on certain

00:02:35.560 --> 00:02:40.680
sites. Some online pharmacies would show up and they had the same range of meds available,

00:02:40.680 --> 00:02:45.200
but they were a lot cheaper, and I mean like, half the price cheaper, and they didn’t even ask

00:02:45.200 --> 00:02:49.880
for a prescription. But these pharmacies weren’t the real thing. They were rogue,

00:02:49.880 --> 00:02:54.920
and pretty much everything on their website was fake. A lot of these rogue internet pharmacies

00:02:54.920 --> 00:03:00.240
advertised themselves under the Canadian Pharmacy brand. See, Canada is known for licensed

00:03:00.240 --> 00:03:05.080
medicines being available at much more reasonable prices. There’s a regulation on medicine there,

00:03:05.080 --> 00:03:09.800
so pharmacies are told by the government what prices to charge. So, when people thought these

00:03:09.800 --> 00:03:14.880
online meds were coming from Canada, they were less suspicious and more trusting. The reality

00:03:14.880 --> 00:03:20.480
though, is that these drugs were not being sold from Canada. Here’s an audio clip from

00:03:20.480 --> 00:03:25.360
the Partnership of Safe Medicines. Have a listen to what they say about online Canadian pharmacies.

00:03:25.360 --> 00:03:28.720
PSM: Have you ever Googled ‘Canadian online pharmacy’ and gotten like,

00:03:28.720 --> 00:03:33.120
forty million results? Most people don’t realize that these online pharmacies that they find in

00:03:33.120 --> 00:03:37.880
Google are not mom-and-pop businesses selling you inexpensive medicines because it’s the nice thing

00:03:37.880 --> 00:03:43.160
to do. They’re fronts for large, global criminal networks that run hundreds or even thousands of

00:03:43.160 --> 00:03:49.320
sites to sell unapproved drugs for huge profits. Sometimes the drugs aren’t FDA-approved. Sometimes

00:03:49.320 --> 00:03:54.506
they don’t have enough or any active ingredient, and sometimes they have deadly ingredients.

00:03:54.506 --> 00:03:58.160
JACK: [MUSIC] As the internet pharmacies were really starting to gain steam, the little blue

00:03:58.160 --> 00:04:04.280
pill rose in popularity. Big Pharma company Pfizer started making their Viagra pill to

00:04:04.280 --> 00:04:08.880
solve the problem of erectile dysfunction, and their marketing campaign was a throbbing

00:04:08.880 --> 00:04:15.880
success. By 2008, Viagra sales brought Pfizer $2 billion that year, which accounted for 92% of all

00:04:15.880 --> 00:04:21.400
erectile dysfunction pills. This pill had been prescribed to over thirty million men worldwide

00:04:21.400 --> 00:04:26.480
in the ten years it had been available. There’s been books written about Viagra and how it changed

00:04:26.480 --> 00:04:32.000
people’s lives, but Pfizer had a strict patent on the pill, and no generics were available. So,

00:04:32.000 --> 00:04:37.760
the only way you could get it was to buy the name-brand, expensive one. So, those shady

00:04:37.760 --> 00:04:43.200
online Canadian pharmacies became shadier. They decided to make their own Viagra pills,

00:04:43.200 --> 00:04:49.480
and the most important part of it was to make sure it was the same shape, size, color, and label.

00:04:49.480 --> 00:04:55.120
But it didn’t matter what the ingredients were. [MUSIC] These were fake pills. Some were harmless,

00:04:55.120 --> 00:05:02.040
but others contained blue printer ink or boric acid. The fake online Canadian pharmacies knew

00:05:02.040 --> 00:05:07.120
there was such a high demand for these pills that they wanted to cash in on that demand.

00:05:07.120 --> 00:05:13.840
In 2006, two Russians, Igor Gusev and Dmitry Stupin, set up their own online pharmacy called

00:05:13.840 --> 00:05:17.000
Glavmed. There’s a lot of characters in this story, and there’s actually

00:05:17.000 --> 00:05:22.640
a few different Dmitrys, so I’m sorry if it gets confusing. Now, their website, Glavmed,

00:05:22.640 --> 00:05:27.440
was nicely done and claimed to be part of the Canadian pharmacies group. But Glavmed was not

00:05:27.440 --> 00:05:32.520
a legit pharmacy. There was no requirement for a prescription, and no online pharmacist available

00:05:32.520 --> 00:05:37.640
to answer questions or check out each order. See, every legit pharmacy has a pharmacist

00:05:37.640 --> 00:05:43.200
working there. To be a pharmacist, you need a PharmD degree, which is a Doctor of Pharmacy,

00:05:43.200 --> 00:05:48.040
and you need to pass an exam to get a license. It’s important that a pharmacist checks every

00:05:48.040 --> 00:05:53.320
order, because certain drug combinations can be deadly, or even some drugs by themselves can be

00:05:53.320 --> 00:05:57.760
deadly and need proper warnings. But the Glavmed pharmacies didn’t care about that,

00:05:57.760 --> 00:06:02.960
and didn’t hire pharmacists. They sold everything from fake Viagra to pain medicines,

00:06:02.960 --> 00:06:07.760
and they were getting them from mass factories in Europe. It was like Amazon for meds; browse,

00:06:07.760 --> 00:06:11.440
click, add to your basket, pay, and go. That was it. No prescription needed.

00:06:11.440 --> 00:06:16.680
Igor had experience in some not-so-legal online businesses. Back in 2003, he had

00:06:16.680 --> 00:06:22.200
set up a payment processor in Russia with his business partner at the time, Pavel Vrublevsky.

00:06:22.200 --> 00:06:27.000
They called it ChronoPay, and it did pretty well. It wasn’t the cleanest of operations,

00:06:27.000 --> 00:06:32.440
though. A lot of the payments ChronoPay was processing were for underground online pharmacies,

00:06:32.440 --> 00:06:39.000
or a lot of really shady porn sites. So, when Igor decided to set up his own fake internet pharmacy,

00:06:39.000 --> 00:06:43.680
it really wasn’t that much of a leap. Igor and Pavel had a falling out in 2005,

00:06:43.680 --> 00:06:47.840
and Pavel started running ChronoPay by himself, and that’s when Igor went and

00:06:47.840 --> 00:06:53.640
started Glavmed with Dmitry Stupin. To be successful, Glavmed needed customers. So,

00:06:53.640 --> 00:06:57.800
they needed to advertise. But they didn’t want to do the advertising themselves, so they set up an

00:06:57.800 --> 00:07:05.360
affiliate network. [MUSIC] They offered affiliates an impressive 30%-40% commission rate on each sale

00:07:05.360 --> 00:07:10.640
they drove to the Glavmed pharmacy sites. They would offer huge prizes and throw big parties

00:07:10.640 --> 00:07:15.240
for their affiliates, because they were trying to be the top affiliate network and attract

00:07:15.240 --> 00:07:20.640
the best affiliates. These Russian affiliate networks were called Partnerka. It’s a good

00:07:20.640 --> 00:07:26.000
and tried and tested business model. Igor and Dmitry Stupin only paid out when they got sales.

00:07:26.000 --> 00:07:29.080
The more money they were paying affiliates in commissions meant the more sales they

00:07:29.080 --> 00:07:33.760
were getting. They’d deal with all the ordering of the medicines, keeping the stock up, taking payments

00:07:33.760 --> 00:07:38.640
from customers, and organizing the shipping. Their affiliates could concentrate on driving customers

00:07:38.640 --> 00:07:45.080
to the site using whatever advertising models they wanted. Glavmed wasn’t picky;

00:07:45.080 --> 00:07:49.400
anyone could sign up at this program and take a shot at making some money with it. If the

00:07:49.400 --> 00:07:54.520
methods they used were on the black hat side? Well, that didn’t bother them too much, either.

00:07:54.520 --> 00:07:59.000
Glavmed had a sister program called SpamIt, and they had an affiliate program, too. Now,

00:07:59.000 --> 00:08:04.360
SpamIt was a spam affiliate program. You can sign up for them, get your little affiliate code and

00:08:04.360 --> 00:08:09.160
whatever product SpamIt wanted you to market, and then spammers would send tons of e-mails out

00:08:09.160 --> 00:08:14.680
with that URL and tracking code. Truckloads of e-mails were sent to everyone across the globe,

00:08:14.680 --> 00:08:19.920
but mainly to people in the US, advertising things like Glavmed’s online pharmacies.

00:08:19.920 --> 00:08:24.320
When people clicked the link to go to the website, that link had a little tracking code which gave

00:08:24.320 --> 00:08:28.840
the spammer credit for the traffic. So, if people do buy something, SpamIt knows which

00:08:28.840 --> 00:08:33.440
spammer sent them that customer. [MUSIC] But SpamIt was a secret program and sat

00:08:33.440 --> 00:08:37.920
under the Glavmed shadow. While anyone could sign up for an affiliate program at Glavmed,

00:08:37.920 --> 00:08:43.000
not anyone could be an affiliate at SpamIt. People needed to be invited from somebody who

00:08:43.000 --> 00:08:46.920
was already a member. Sometimes they’d even get background checks to have them

00:08:46.920 --> 00:08:52.520
prove themselves as decent spammers. You know what it’s like in your inbox; you get e-mails

00:08:52.520 --> 00:08:56.560
from your bank or your cell provider, great. But you also get a lot of other stuff too,

00:08:56.560 --> 00:09:01.600
stuff you didn’t ask for, and sometimes it’s way more than just an e-mail. Microsoft’s Digital

00:09:01.600 --> 00:09:05.583
Crimes Unit Senior Attorney Richard Boscovich explains it pretty well.

00:09:05.583 --> 00:09:09.440
RICHARD: [MUSIC] You could open up your e-mail account and you’ll have tons of advertisements and

00:09:09.440 --> 00:09:13.840
things of that sort that you just don’t want. But spam is much more than that. It’s kind of like if

00:09:13.840 --> 00:09:19.320
you had junk mail come to your house, and when you open the envelope, a white powder exploded on you

00:09:19.320 --> 00:09:25.440
and somehow you become infected with something. Literally, that’s what happens in the cyber world.

00:09:25.440 --> 00:09:28.760
JACK: Then you’ve got a lot of porn e-mails, the ones telling you that somebody is nearby

00:09:28.760 --> 00:09:34.000
and wants to hook up, and what websites to visit to see an exclusive show. Next to porn,

00:09:34.000 --> 00:09:39.160
it’s pills, and Viagra was the leading one. The little blue pill was sold in e-mails telling

00:09:39.160 --> 00:09:44.280
you how your sex life will be enhanced beyond your wildest imagination. See, back in 2007,

00:09:44.280 --> 00:09:49.600
e-mail spam filters weren’t that sophisticated yet. They would look for keywords or phrases and

00:09:49.600 --> 00:09:54.240
block them. Spammers figured out how to get around filters and were doing so pretty easily. So,

00:09:54.240 --> 00:09:59.200
people would see e-mails show up with the subject ‘want to be rock hard?’ with links to where they

00:09:59.200 --> 00:10:05.160
can buy Viagra without a prescription and for much cheaper. Now, e-mail spam laws did come in,

00:10:05.160 --> 00:10:09.280
eventually making it harder for spammers to send these kind of unsolicited e-mails, and the e-mail

00:10:09.280 --> 00:10:13.520
clients got way better at catching them and sticking them into dedicated spam folders.

00:10:13.520 --> 00:10:18.200
But the shadier businesses still did it because, well, spam was working like,

00:10:18.200 --> 00:10:22.600
really well. The more spam that went out meant more people were visiting the porn and pharmacy

00:10:22.600 --> 00:10:28.080
websites, and profits for both the spammers and the website owners. Spammers are like the middle

00:10:28.080 --> 00:10:32.800
men when it comes to shady online pharmacies. They might have a background in computers, IT,

00:10:32.800 --> 00:10:38.160
or hacking, but then got involved with sending spam because they can make more money from that.

00:10:38.160 --> 00:10:43.480
Damon McCoy is from George Mason University in Virginia. He was a lead author of a big study

00:10:43.480 --> 00:10:48.400
on the partnerships between spammers and the online pharmacies. This is him giving a talk

00:10:48.400 --> 00:10:54.220
‘PharmaLeaks’ at the 21st USENIX Security Symposium in 2012 in Bellevue, Washington.

00:10:54.220 --> 00:10:58.640
DAMON: So, there’s three main players in this economy; there’s the user, which is the potential

00:10:58.640 --> 00:11:03.680
customer, there’s the affiliate marketer, which is typically a spammer, and there’s the affiliate

00:11:03.680 --> 00:11:10.040
program. Let me go into a concrete example of a business interaction between these three parties.

00:11:10.040 --> 00:11:16.440
So, initially what happens is that the affiliate marketer perhaps gets the user to see some kind

00:11:16.440 --> 00:11:21.920
of spam advertisement that includes some kind of link, that includes some kind of enticement

00:11:21.920 --> 00:11:26.560
of cheap drugs, no prescriptions required, to get the user to click on this. If the user is

00:11:26.560 --> 00:11:32.000
actually interested in perhaps buying these pharmaceuticals, clicks on it, they’ll be

00:11:32.000 --> 00:11:38.040
delivered that template that I showed you in the original slide. The user can interact with this

00:11:38.040 --> 00:11:44.440
template just as with a normal e-commerce site. There’s a wide selection of drugs there. They

00:11:44.440 --> 00:11:49.800
can select their drugs if they indeed want to purchase some drugs from the site. Then at this

00:11:49.800 --> 00:11:55.720
point in time, the relationship switches from the affiliate whose job it is to track customers, to

00:11:55.720 --> 00:12:01.360
the affiliate program, whose job it is to actually monetize the customer and turn them into money.

00:12:01.360 --> 00:12:08.280
So at this point in time, the spammer fades out, the affiliate program steps in, and if the user

00:12:08.280 --> 00:12:13.640
decides to purchase this – typically purchases happen with credit cards – the user gives their

00:12:13.640 --> 00:12:20.040
credit card details to the affiliate program – actually operates much like a business, and their

00:12:20.040 --> 00:12:27.280
job is to process these credit cards. Then they’ll actually deliver some product that you ordered,

00:12:27.280 --> 00:12:32.040
so this isn’t a complete scam. These pharmacy affiliate programs that I’ll show you operate

00:12:32.040 --> 00:12:37.360
much like a business, and they’re very interested in keeping their customers happy and satisfied,

00:12:37.360 --> 00:12:41.360
because these customers are paying with credit cards. If they’re not satisfied customers,

00:12:41.360 --> 00:12:45.560
they’re gonna charge back. These affiliate programs will be shortly out of business.

00:12:45.560 --> 00:12:47.960
I’ll show you from the economics, these affiliate programs are in

00:12:47.960 --> 00:12:52.200
it for the long haul and they want to scale their business to large,

00:12:52.200 --> 00:12:57.480
millions of dollars. So, it’s not in their interest to have dissatisfied customers.

00:12:57.480 --> 00:13:01.720
JACK: For a good spammer, this is a great deal. The more spam they send, the more money they

00:13:01.720 --> 00:13:05.720
can make. They knew if they could scale up, it would mean they could really scale up;

00:13:05.720 --> 00:13:09.560
their commissions could just go through the roof. This is what one guy figured out while

00:13:09.560 --> 00:13:15.280
he was earning himself some money with Glavmed and SpamIt. He called himself ‘Google’. Yeah I know,

00:13:15.280 --> 00:13:19.640
it’s confusing ‘cause it’s the name of the search engine, but that was the name he went by. So,

00:13:19.640 --> 00:13:23.800
this guy Google started spamming and he saw that it was pretty effective, and he tried thinking

00:13:23.800 --> 00:13:29.200
of ways that he could make more people visit the online pharmacy. Sending mass amounts of e-mail

00:13:29.200 --> 00:13:33.480
is not so easy. [MUSIC] Every e-mail that’s sent has an IP address of where it’s from,

00:13:33.480 --> 00:13:38.920
and if you send enough spam e-mail from a single IP address, that IP address gets added to an

00:13:38.920 --> 00:13:43.280
abuse or block list and e-mail providers will stop accepting e-mails from it. So,

00:13:43.280 --> 00:13:48.160
spammers would need to change their IP frequently, which can be a hassle. So,

00:13:48.160 --> 00:13:52.360
the hacker named Google thought if he could take control of hundreds of different computers and

00:13:52.360 --> 00:13:58.280
send e-mails from them, then it would be harder for e-mail providers to block that many IPs.

00:13:58.280 --> 00:14:02.320
Taking control of a bunch of different computers like this and putting them all to work together,

00:14:02.320 --> 00:14:09.000
that’s called a botnet. When you combine spam with a botnet, you get an incredible working machine.

00:14:09.000 --> 00:14:14.760
So, you can think of a botnet like a big network of computers that someone has full control over

00:14:14.760 --> 00:14:20.280
all of them. So, from a single workstation, they can tell all the computers to carry out a task,

00:14:20.280 --> 00:14:24.960
and these computers would be people’s home computers or laptops, or even work computers

00:14:24.960 --> 00:14:29.360
in the office, and they can be located all over the world. But these people didn’t

00:14:29.360 --> 00:14:34.240
sign up for their computer to be used like this. So, because nobody would opt into this,

00:14:34.240 --> 00:14:38.560
it meant people running the botnets would have to stay hidden from the user and not let their

00:14:38.560 --> 00:14:45.400
presence be known. In 2007, Vint Cerf, he’s the guy who co-developed the TCP/IP protocols,

00:14:45.400 --> 00:14:50.320
he said of the 600 million computers connected to the internet, between 100 and [MUSIC] 150

00:14:50.320 --> 00:14:55.580
million of them were already part of a botnet. Here’s Kaspersky talking about how they work.

00:14:55.580 --> 00:15:01.280
CLIP: Malicious software, or malware, can harm your computer in a variety of ways, and sometimes

00:15:01.280 --> 00:15:06.640
the effects are not known until it’s too late. What’s worse, your computer can become one of

00:15:06.640 --> 00:15:13.240
many infected with malware, creating a botnet, short for robot and network. Cyber criminals use

00:15:13.240 --> 00:15:19.200
special malware, usually a Trojan Horse, to breach the security of several users’ computers. These

00:15:19.200 --> 00:15:24.920
take control of each computer and organize all of the infected machines into a network of bots,

00:15:24.920 --> 00:15:30.360
which are unwitting tools that the cyber criminal can remotely manage. The infected system may act

00:15:30.360 --> 00:15:37.720
completely normal with no warning signs. A bot can be a PC, Mac, or even a smart phone. Oftentimes,

00:15:37.720 --> 00:15:42.480
the cyber criminal will seek to infect and control thousands, tens of thousands, or even

00:15:42.480 --> 00:15:48.946
millions of computers so that they can act as the master of a large zombie network or bot network.

00:15:48.946 --> 00:15:52.760
JACK: [MUSIC] Once infected, computers are hooked into a botnet, and they sit there quietly waiting

00:15:52.760 --> 00:15:57.040
for instructions. It’s like hundreds of thousands of obedient little puppies just sitting in

00:15:57.040 --> 00:16:02.400
silence, ears pricked up, and waiting to be told what to do next. They’re obedient and will follow

00:16:02.400 --> 00:16:06.920
the instructions they’re given. Computers in a botnet are the most loyal machines you’ll ever

00:16:06.920 --> 00:16:13.600
find. But all botnets are created by someone, and that someone is called a botmaster or botherder,

00:16:13.600 --> 00:16:18.320
and Google wanted to become a botmaster. A botmaster sits behind their computer,

00:16:18.320 --> 00:16:22.880
controlling it all. It’s all done remotely and it’s all done anonymously. These guys

00:16:22.880 --> 00:16:26.800
don’t reveal their identities. In fact, one of the biggest problems in trying to fight a

00:16:26.800 --> 00:16:31.920
botnet is not knowing who the botmaster is, or where in the world they’re even located.

00:16:31.920 --> 00:16:36.680
Botnets are controlled through a command and control server, which I like to call C&C. Some

00:16:36.680 --> 00:16:41.920
people call them C2s. This has to be set up and maintained by the botmaster. Even hackers need

00:16:41.920 --> 00:16:47.480
to host their stuff, and C&C is like the nucleus of a cell. All the key information, instructions,

00:16:47.480 --> 00:16:51.880
and communication with the zombie bots in the network go through here. Once the bots

00:16:51.880 --> 00:16:57.080
have carried out their specified task, they send feedback back to the C&C. They like to

00:16:57.080 --> 00:17:02.840
report back on how well they did and any problems they hit. They’re very well-trained bots. Botnets

00:17:02.840 --> 00:17:06.360
have been used for all sorts of things in the past. I mean, think about it, you’ve got all

00:17:06.360 --> 00:17:11.960
these computers at your command. The combined computing power is insane. You set that thing

00:17:11.960 --> 00:17:16.800
loose and you can cause some serious damage. DDoS attacks are a favourite for botmasters and

00:17:16.800 --> 00:17:22.000
their botnets. But bots can also steal personal information and banking information. But the one

00:17:22.000 --> 00:17:28.560
thing botnets are really good at is sending out mass volumes of spam e-mails. [MUSIC] So,

00:17:28.560 --> 00:17:32.840
Google had sat and thought about ways he could gain access to hundreds of computers.

00:17:32.840 --> 00:17:37.040
He needed to infect them somehow with malware, which would bring them under his control. He

00:17:37.040 --> 00:17:42.200
decided to use a Trojan to be the installer for his own spam botnet, but this really wasn’t easy.

00:17:42.200 --> 00:17:46.720
Getting all this just right was something Google puzzled over, and so, he ended up accepting some

00:17:46.720 --> 00:17:52.960
help. Igor Vishnevsky was another spammer that Google met years before in Moscow, and he came

00:17:52.960 --> 00:17:58.480
on board to help protect it all. By the time they were done, hacker Google and Igor Vishnevsky had

00:17:58.480 --> 00:18:04.560
built a botnet and called it Cutwail. Cutwail was designed as a centralized botnet. That meant

00:18:04.560 --> 00:18:10.160
the C&C server would communicate directly with each infected computer. They designed it well,

00:18:10.160 --> 00:18:14.760
but now they needed to populate it by infecting hundreds of computers to get them to join this

00:18:14.760 --> 00:18:19.680
botnet. Google used a Trojan called Pushdo to infiltrate Windows computers and get the

00:18:19.680 --> 00:18:25.400
Cutwail spam engine running on them. I don’t know who built Pushdo, or even if Google had something

00:18:25.400 --> 00:18:30.600
to do with it himself. But Pushdo and Cutwail went hand-in-hand in their interoperability.

00:18:30.600 --> 00:18:35.640
They were a pair that was rarely seen without the other, but it did happen occasionally. Pushdo

00:18:35.640 --> 00:18:39.400
would infect machines through phishing e-mails; like, the e-mail might say, ‘Someone just sent

00:18:39.400 --> 00:18:44.200
you an eCard. Click here to see it!’, and other methods were drive-by downloads. But that was just

00:18:44.200 --> 00:18:50.280
a dropper, a tiny program whose job was to install Pushdo. The dropper scans computers, hunting for

00:18:50.280 --> 00:18:54.560
gaps in the software. Maybe the operating system hasn’t been updated in a while, or there’s an app

00:18:54.560 --> 00:19:00.680
that has a vulnerability. Once it finds this, it then installs Pushdo, which starts the infection. First,

00:19:00.680 --> 00:19:05.640
it makes a copy of itself and sits quietly in the system directory. It also writes new code

00:19:05.640 --> 00:19:10.080
for the registry. This enables new malware and updates to be installed every time the computer

00:19:10.080 --> 00:19:15.200
starts up. Rootkits are installed to hide all this from the user and from any antivirus programs that

00:19:15.200 --> 00:19:20.880
were installed. When those tasks are done, Pushdo gets on with its real purpose, [MUSIC] downloading

00:19:20.880 --> 00:19:27.080
more malware, and Cutwail was at the top of the list. Once Cutwail downloads and runs for

00:19:27.080 --> 00:19:32.400
the first time, the computer is now a zombie machine. It’s a slave and part of the Cutwail

00:19:32.400 --> 00:19:39.200
botnet. Straight away, Cutwail contacts hardcoded IP addresses to talk to the C&C server controlled

00:19:39.200 --> 00:19:44.040
by the hacker Google. This is the new bot asking for instructions on what it should do now, like

00:19:44.040 --> 00:19:50.520
the obedient puppy that it is. The C&C server sends back a full spam creation pack for the bot to use.

00:19:50.520 --> 00:19:54.240
So, the zombie machine gets a list of active e-mail addresses to send spam to,

00:19:54.240 --> 00:19:58.520
and there’s a heap of e-mail templates with content already written and ready to go. This

00:19:58.520 --> 00:20:02.920
was already written and tested to make sure it could pass through spam filters. The bots put all

00:20:02.920 --> 00:20:07.360
this together and start sending the e-mails out in different spam campaigns. It’s important to

00:20:07.360 --> 00:20:11.760
mention a little bit about how e-mails work here. It’s incredibly easy to spoof where an

00:20:11.760 --> 00:20:15.720
e-mail is from. That little From: field in the e-mail? Yeah, you can write whatever you want

00:20:15.720 --> 00:20:19.720
in there. In the early days of the internet, there were no checks to see if an e-mail came

00:20:19.720 --> 00:20:25.120
from where it says it came from. But now, a lot of companies have added checks to verify that the From:

00:20:25.120 --> 00:20:30.440
field matches where the e-mail actually came from. But when Cutwail was going around,

00:20:30.440 --> 00:20:34.480
that feature wasn’t implemented very well, so you could put whatever you wanted in the From:

00:20:34.480 --> 00:20:38.880
field. So, this was all going very well for hacker Google. He was getting Cutwail

00:20:38.880 --> 00:20:42.840
into computers and collecting his zombie bots. The numbers were adding up fast,

00:20:42.840 --> 00:20:47.240
and he didn’t want to just stop there. He started to offer Cutwail out to rent.

00:20:47.240 --> 00:20:52.800
He was advertising his botnet on SpamIt’s underground web forum, called spamdot.biz. Now,

00:20:52.800 --> 00:20:57.280
this is a place where hackers and spammers would go to share information, hire software, or sell

00:20:57.280 --> 00:21:02.480
malware, all illegal and dodgy. There are loads of reasons why a ready-made botnet would appeal

00:21:02.480 --> 00:21:07.320
to some cyber criminals, but mainly it was because they wanted their own malware installed on as many

00:21:07.320 --> 00:21:13.160
machines as possible and to send out crazy amounts of spam. [MUSIC] There were some standard prices

00:21:13.160 --> 00:21:19.240
for botnet hires. Like, to use a botnet that has 10,000 installations, that would go for like, $300

00:21:19.240 --> 00:21:24.040
or $800. Machines in the US were more valuable targets; they had better internet connections,

00:21:24.040 --> 00:21:30.280
so they were up to $125 for 1,000 machines infected. The computers in Asia and Europe,

00:21:30.280 --> 00:21:36.120
they were cheaper, at about $13-$35 per 1,000 infections. Some were even paying as high as

00:21:36.120 --> 00:21:42.760
$10,000 a month to use a botnet which could send 100 million e-mails every day. These services

00:21:42.760 --> 00:21:48.280
often came with free trials to prove how effective they are. There was another Trojan or botnet

00:21:48.280 --> 00:21:53.920
called the Gameover ZeuS Trojan, and that stole personal information and banking information.

00:21:53.920 --> 00:22:01.240
It was installed on millions of computers using Pushdo and the Cutwail botnet. This ZeuS Trojan

00:22:01.240 --> 00:22:05.720
is so fascinating to me, that’s actually going to be the subject of the entire next episode,

00:22:05.720 --> 00:22:17.760
so make sure to tune into that. [MUSIC] So, Cutwail was a roaring success and was growing

00:22:17.760 --> 00:22:22.920
fast. This was all going in 2007. In case you’re curious where Google got all the e-mail addresses

00:22:22.920 --> 00:22:27.560
from: underground hacker marketplaces. You can buy a million e-mail addresses for like,

00:22:27.560 --> 00:22:32.280
twenty-five or fifty bucks, and Cutwail was amassing hundreds of millions of addresses

00:22:32.280 --> 00:22:37.680
this way. The Cutwail botnet eventually became a self-service tool. Once you purchased the usage

00:22:37.680 --> 00:22:42.160
of the botnet, you were given a URL which let you log in and send your e-mail from. There,

00:22:42.160 --> 00:22:46.960
you were given multiple support contacts in case you needed help. Even the botnet creators knew

00:22:46.960 --> 00:22:51.280
that a satisfied customer would mean a repeat customer, so they wanted to do what they could

00:22:51.280 --> 00:22:57.000
to make the user experience enjoyable. Cutwail soon passed 100,000 infected computers and was

00:22:57.000 --> 00:23:02.680
growing in size. Remember, this botnet was sending spam e-mails from each of the infected computers.

00:23:02.680 --> 00:23:05.720
The more computers they had in their botnet, the harder it would be to block

00:23:05.720 --> 00:23:09.680
this botnet from sending spam, because it wasn’t sending spam from one place;

00:23:09.680 --> 00:23:14.880
it was sending spam from 100,000 different places. The Cutwail botnet just kept growing,

00:23:14.880 --> 00:23:20.840
and soon, it had over one million infected computers at its control. At its highest point,

00:23:20.840 --> 00:23:30.040
the botnet was sending out 51 million spam e-mails every minute. 51 million e-mails a minute. Hacker

00:23:30.040 --> 00:23:37.080
Google could send 74 billion spam e-mails a day through Cutwail. Google used his own botnet to

00:23:37.080 --> 00:23:42.120
send pharmacy spam using Glavmed and SpamIt affiliates. From that alone, he was earning

00:23:42.120 --> 00:23:48.320
$1,000 a day from affiliate commissions. [MUSIC] Just months after Cutwail launched on September 2,

00:23:48.320 --> 00:23:54.960
2007, there was a big car accident in Moscow that shook up the world of spam botnets. Nikolai McColo

00:23:54.960 --> 00:23:59.640
was twenty-three years old and he was the owner of McColo Corp, which was a web hosting provider,

00:23:59.640 --> 00:24:04.320
and its headquarters were in San Jose, California. Now, Google knew McColo,

00:24:04.320 --> 00:24:09.720
and hosted his C&C servers at McColo Corp, because when you’re running a massive, shady,

00:24:09.720 --> 00:24:14.840
illegal operation like this, you want to host your servers at a place you know and trust.

00:24:14.840 --> 00:24:19.760
Nikolai and McColo Corp were known for turning a blind eye to what their clients were doing

00:24:19.760 --> 00:24:24.760
with their servers. So, the McColo hosting provider was a safe haven for spammers,

00:24:24.760 --> 00:24:29.680
and criminals were happy to use the service. There was a lot of criminal activity on McColo’s

00:24:29.680 --> 00:24:35.960
servers; from hosting big spam botnets to clients involved in spamming for fake goods, fake drugs,

00:24:35.960 --> 00:24:42.520
and a lot of shady pornography. McColo Corp had a good reputation for hosting bad things. So,

00:24:42.520 --> 00:24:49.960
on September 2, 2007, Nikolai McColo was riding in a BMW through Moscow. The driver was a guy

00:24:49.960 --> 00:24:55.920
named Jaks, a known Russian spammer. When they got to an intersection in the middle of Moscow city,

00:24:55.920 --> 00:25:01.600
a Porsche drove up beside them. Jaks and Nikolai looked over at the Porsche. Both

00:25:01.600 --> 00:25:07.080
cars came to a red light and stopped side by side. One of them revved the engine;

00:25:07.080 --> 00:25:11.920
the other revved back. A race was about to begin. When the lights turned green,

00:25:11.920 --> 00:25:17.360
both cars roared off at high speed, but it all went wrong. Jaks lost control of

00:25:17.360 --> 00:25:21.320
his car. The BMW went into a spin and clipped the corner of the Porsche.

00:25:21.320 --> 00:25:26.880
Both cars went screaming off the road, and the BMW went straight into a lamppost. It totally

00:25:26.880 --> 00:25:32.520
destroyed the car, and Nikolai was killed instantly at the age of twenty-three. Jaks

00:25:32.520 --> 00:25:37.640
and the guy driving the Porsche walked away with minor injuries. This was big news across

00:25:37.640 --> 00:25:43.040
the spammer community. At Nikolai’s funeral, Igor and Dmitry Stupin from Glavmed were there,

00:25:43.040 --> 00:25:48.520
and Google was, too. They knew the importance of Nikolai’s McColo Corp for the spamming world and

00:25:48.520 --> 00:25:52.960
its hosting services, and they were fairly close to him. So, they were wondering how

00:25:52.960 --> 00:25:58.840
Nikolai’s death was going to impact McColo and the hosting. The McColo group assured them that

00:25:58.840 --> 00:26:03.880
hosting would still be fine and all was good. So, Google went with it and left his Cutwail

00:26:03.880 --> 00:26:09.880
servers with them. Now, Cutwail wasn’t the only successful spam botnet on the go at the time. No,

00:26:09.880 --> 00:26:14.120
there were others; Google wasn’t the only one who spotted this opportunity. [MUSIC] Other guys

00:26:14.120 --> 00:26:18.360
with existing botnets saw this and wanted to monetize and earn some serious money,

00:26:18.360 --> 00:26:23.760
too. One spammer had multiple affiliate accounts with SpamIt, and they called themselves Cosma.

00:26:23.760 --> 00:26:29.240
Now, Cosma had signed up as an affiliate spammer soon after SpamIt set up in 2006.

00:26:29.240 --> 00:26:33.560
He generally used the handle ‘Cosma2k’ on his affiliate accounts, but there were others,

00:26:33.560 --> 00:26:39.880
too. He had an idea to propel himself to be one of the most successful spammers ever. Cosma built

00:26:39.880 --> 00:26:44.360
a botnet called Rustock, and he had some of his command and control servers hosted with

00:26:44.360 --> 00:26:50.200
McColo Corp, too. He’d been toying with the idea of doing some kind of stock manipulation scam,

00:26:50.200 --> 00:26:55.320
but once he got involved with SpamIt, he saw he could really make some money. In 2007, Cosma

00:26:55.320 --> 00:27:01.120
switched Rustock to be a pharmacy-spamming botnet. Rustock was a little bit different than Cutwail;

00:27:01.120 --> 00:27:05.360
Windows machines were still the targets, and computers were infected in a similar way through

00:27:05.360 --> 00:27:10.760
malware download, but Rustock malware didn’t launch straightaway. No, Cosma programmed Rustock

00:27:10.760 --> 00:27:16.320
to just sit quietly, do absolutely nothing for five days after infecting a computer,

00:27:16.320 --> 00:27:21.960
which is kinda crafty. This helped it hide from antivirus scans. Rustock used some custom

00:27:21.960 --> 00:27:26.840
encryption techniques so when it downloaded, it just looked like a .rar file, a compressed

00:27:26.840 --> 00:27:31.920
archive file. It ran complicated rootkits to embed itself into the infected machine.

00:27:31.920 --> 00:27:36.400
Debugging programs were automatically disabled, and Rustock would hide its tracks

00:27:36.400 --> 00:27:40.040
so that it couldn’t be discovered. Once Rustock infected a machine,

00:27:40.040 --> 00:27:45.280
that computer would contact Cosma’s C&C servers, just like Cutwail, but Cosma had things set up

00:27:45.280 --> 00:27:49.520
a little differently here, too. He had more than one command server, and communication

00:27:49.520 --> 00:27:54.160
from these servers to his bots was done more like a relay at different levels. So,

00:27:54.160 --> 00:27:58.480
Cosma would send communication to a secondary command and control server, and that one would

00:27:58.480 --> 00:28:02.960
then talk to another set of C&C servers lower down, and they would be the one who passed on the

00:28:02.960 --> 00:28:08.080
information to the bots making up the botnet. One reason for having so many C&C servers is it makes

00:28:08.080 --> 00:28:14.000
it harder to stop a botnet. If a huge botnet has one C&C server and you take down that C&C server,

00:28:14.000 --> 00:28:18.720
you might lose complete control of the botnet. So, Cosma programmed it this way in order to keep

00:28:18.720 --> 00:28:23.080
it up longer. [MUSIC] The same kind of feedback went on for the bots; when they needed to tell

00:28:23.080 --> 00:28:27.920
Cosma something, they would go down the chain and relay messages all the way back to Cosma somehow.

00:28:27.920 --> 00:28:31.880
So, while Cutwail was centralized, which is one computer talking to many bots,

00:28:31.880 --> 00:28:37.120
Rustock was decentralized, where thousands of systems would issue commands to infected machines.

00:28:37.120 --> 00:28:43.000
Cosma had something like 2,500 domains in place for Rustock. The botnet used DNS for the bots

00:28:43.000 --> 00:28:49.960
to connect to. But Cosma had also coded in some specific IP addresses as backup systems. It was

00:28:49.960 --> 00:28:54.920
contingency planning. If some of his C&C servers got taken down, the botnet would just reach out

00:28:54.920 --> 00:28:59.880
to the hardcoded IP addresses and get an update on which new IP addresses to communicate with,

00:28:59.880 --> 00:29:04.360
and it would just carry on after that. Rustock also used TLS encryption when sending spam to

00:29:04.360 --> 00:29:09.240
conceal what it was doing. Cosma’s C&C servers were dotted all over the US, and he was paying

00:29:09.240 --> 00:29:15.360
a fair whack for them too, about $10,000 each month. These were servers with dodgy ISPs,

00:29:15.360 --> 00:29:20.680
known for offering hosting to shady services. Cosma did have some of his servers with McColo,

00:29:20.680 --> 00:29:26.240
yeah, but he rented servers from straight-up legitimate ISPs, too. These ISPs had no idea

00:29:26.240 --> 00:29:31.160
what Cosma was using them for. This was a spam botnet hiding in plain sight.

00:29:31.160 --> 00:29:38.680
Rustock grew into an enormous, powerful botnet. Cosma had collected between 850,000 and 2.4

00:29:38.680 --> 00:29:44.200
million bots on his network. It became so big that some estimate that Rustock botnet

00:29:44.200 --> 00:29:51.840
was responsible for 41% of the total spam in the world. Each individual bot was sending over 192

00:29:51.840 --> 00:29:59.120
spam e-mails per minute. That put the collective Rustock output at 32 million e-mails per minute.

00:29:59.120 --> 00:30:06.400
That’s 46 billion e-mails a day. That’s just insane. In November 2008, Cosma got twitchy

00:30:06.400 --> 00:30:11.760
about hosting at McColo Corp, so he started moving his Rustock servers to different providers based

00:30:11.760 --> 00:30:18.200
in Russia instead. Cosma, it seems, wasn’t taking any chances with his botnet. [MUSIC] As Cosma was

00:30:18.200 --> 00:30:24.120
seeing huge success with Rustock as a spam botnet, Pavel was reappearing on the scene. He was the guy

00:30:24.120 --> 00:30:29.200
who created ChronoPay with Igor, and then Igor went off to make Glavmed. Pavel was still running

00:30:29.200 --> 00:30:34.000
ChronoPay, but he wanted to get in on some of this other action, too. That year, he launched his own

00:30:34.000 --> 00:30:40.840
rogue online pharmacy, RX-Promotion, which would be a direct competitor to Glavmed, Igor’s company.

00:30:40.840 --> 00:30:45.200
But he didn’t launch it on his own; he had a new partner, Yuri Kabayenkov,

00:30:45.200 --> 00:30:50.200
who did all the tech stuff for him. So now, Igor and Pavel were going head-to-head in a

00:30:50.200 --> 00:30:55.120
battle to secure more of the online pharmacy market than their rival. Pavel, though,

00:30:55.120 --> 00:31:00.160
decided to appeal to a different part of the online medicine market demand. Igor and Dmitry

00:31:00.160 --> 00:31:04.520
Stupin were pushing erectile dysfunction drugs as their top seller. They were selling their

00:31:04.520 --> 00:31:09.520
knock-off versions for a mark-up of twenty-five times what they bought them for. Pavel instead

00:31:09.520 --> 00:31:14.720
went on to highly addictive medicines that people often abused, like opiates. So,

00:31:14.720 --> 00:31:19.800
he was selling Oxycodone and Valium, and others like Adderall and Ritalin. These would be his top

00:31:19.800 --> 00:31:25.800
medicines, and all for really cheap prices. Pavel opened RX-Partners not long after,

00:31:25.800 --> 00:31:30.960
using the same model that Glavmed and SpamIt used. RX-Partners was the affiliate program for

00:31:30.960 --> 00:31:36.360
RX-Promotion. Spammers that were signed up with SpamIt happily opened up accounts on RX-Partners,

00:31:36.360 --> 00:31:40.920
too. They didn’t care who they were promoting, as long as it made money for them. Some of the

00:31:40.920 --> 00:31:45.160
figures that the top spammer affiliates were earning in commissions were pretty mind-blowing.

00:31:45.160 --> 00:31:49.340
Here’s Damon McCoy again talking about the data he analyzed when drilling this down.

00:31:49.340 --> 00:31:52.720
DAMON: Let’s look at some of the schemes that these high – that these top-earning

00:31:52.720 --> 00:31:59.120
affiliates use to be successful spammers. So, an obvious one to think of is, right,

00:31:59.120 --> 00:32:02.800
run a large bot network and spew out a whole bunch of spam. So, in fact,

00:32:02.800 --> 00:32:10.760
the operator of Rustock, we identified him within the SpamIt data set and in fact, he made close

00:32:10.760 --> 00:32:18.000
to $2 million by operating Rustock and sending out spam shilling for the Glavmed-SpamIt program. So,

00:32:18.000 --> 00:32:23.160
that indeed is a very good way of becoming a successful marketer, is run a large bot

00:32:23.160 --> 00:32:28.040
network. So, as you could see, these top earners, they earn quite a bit of money,

00:32:28.040 --> 00:32:33.160
and they in fact earn the largest share of each individual sale. However, the affiliate programs,

00:32:33.160 --> 00:32:38.960
if the affiliate programs are very successful, they in fact can earn more by taking a smaller

00:32:38.960 --> 00:32:43.600
portion of each sale over all the sales from their affiliate program than the individual affiliates.

00:32:43.600 --> 00:32:47.760
JACK: It must be exciting for the spamming botmaster. Think about it; you’ve worked

00:32:47.760 --> 00:32:52.640
really hard, made this big botnet, infected all these hosts, launched your campaign, and sent out

00:32:52.640 --> 00:32:57.160
a ton of e-mails, and now you’re looking at the dashboards on Glavmed and SpamIt and you’re just

00:32:57.160 --> 00:33:02.080
watching your numbers grow, seeing the rewards pay out in real-time, and watching the earnings get

00:33:02.080 --> 00:33:08.360
higher and higher. That must have been a pretty big kick for these botmasters. [MUSIC] 2008 turned

00:33:08.360 --> 00:33:14.440
out to be a busy year for spam botnets, and this next botnet was probably the most complex of them

00:33:14.440 --> 00:33:21.320
all. The Waledac botnet was started by a guy named Severa. He was known on the spamdot.biz forum,

00:33:21.320 --> 00:33:25.960
but just like the other botmasters, he kept himself totally in the shadows. Waledac used

00:33:25.960 --> 00:33:30.720
similar methods as the others to get computers infected and part of its network. Social

00:33:30.720 --> 00:33:35.440
engineering trickery, innocent looking e-mails that had an attachment of malware or a link to

00:33:35.440 --> 00:33:39.840
malware, and once you clicked on it, Waledac would unleash itself into the machine, turning

00:33:39.840 --> 00:33:45.600
it into a spamming bot. Once a machine had been infected, Waledac binaries were let loose. It was

00:33:45.600 --> 00:33:52.560
coded in C++. The executables were just under 1MB in size. As all the other botnets did, the first

00:33:52.560 --> 00:33:57.000
task of the malware was to amend the machine’s registry so that each time the computer starts up,

00:33:57.000 --> 00:34:01.840
Waledac would be run to check for updates and keep the machine as an active spam bot.

00:34:01.840 --> 00:34:06.840
Waledac was designed to be a spamming machine. It was crafted to collect bots, grow in size,

00:34:06.840 --> 00:34:12.240
and distribute mass spam e-mail campaigns. In the core binaries of the malware was an

00:34:12.240 --> 00:34:17.200
SMTP engine which could communicate with an SMTP server and send e-mails. The malware

00:34:17.200 --> 00:34:21.720
can deal with two types of HTTP traffic; the control message to the C&C servers,

00:34:21.720 --> 00:34:27.480
and the normal HTTP traffic to and between the Waledac bots. [MUSIC] Waledac was structured in

00:34:27.480 --> 00:34:32.320
a different way compared to Rustock and Cutwail. It was a custom-written, peer-to-peer structured

00:34:32.320 --> 00:34:38.120
botnet with a maze of layers for its infected machines. It had categories for its bots and

00:34:38.120 --> 00:34:42.920
different communication routes. The C&C servers did not communicate directly with the infected

00:34:42.920 --> 00:34:48.320
machines. It was all designed for resiliency and to protect itself and to hide from anyone who was

00:34:48.320 --> 00:34:52.840
trying to find it. Over in Canada, there’s an engineering school connected to Montreal

00:34:52.840 --> 00:34:58.520
University. It’s called Polytechnique Montreal. Two security researchers there, Joan Calvet and

00:34:58.520 --> 00:35:03.840
Carlton Davis, and Pierre-Marc Bureau who was from US internet security company ESET, well,

00:35:03.840 --> 00:35:08.880
they got ahold of these binaries from Waledac and started reverse-engineering them. What they found

00:35:08.880 --> 00:35:15.280
revealed a complicated botnet. Waledac didn’t miss an opportunity to steal data that it could use.

00:35:15.280 --> 00:35:20.040
It would scan the hard drives of infected machines and sniff their network traffic. It was hunting

00:35:20.040 --> 00:35:24.520
for e-mail addresses and passwords that it could steal and send it up the communication chain

00:35:24.520 --> 00:35:29.320
back to the command and control servers, straight into the hands of Severa. When thinking about how

00:35:29.320 --> 00:35:34.480
Waledac was structured, imagine a big pyramid. The base layer, the biggest layer, were the spam bots,

00:35:34.480 --> 00:35:38.680
the infected Windows machines, and they were the worker bees, the ones who were actually sending

00:35:38.680 --> 00:35:44.400
out spam e-mails. These spam bot machines couldn’t talk to each other, only to the layer above them,

00:35:44.400 --> 00:35:49.320
who the researchers called the repeaters. This layer was infected Windows machines that had

00:35:49.320 --> 00:35:53.880
public IP addresses. But these didn’t send out any spam; their job was to pass information

00:35:53.880 --> 00:35:59.160
between the worker bots and the communicator bots. They could talk to each other and to the

00:35:59.160 --> 00:36:04.120
layer above in this pyramid. The third layer was the protector group. They were the Linux servers,

00:36:04.120 --> 00:36:08.160
which the researchers thought acted as proxies for the core C&C servers. They

00:36:08.160 --> 00:36:12.760
were the protection layer, hiding the valuable servers from sight. The five of these servers

00:36:12.760 --> 00:36:16.680
that researchers identified were scattered across the globe in locations like Germany,

00:36:16.680 --> 00:36:21.600
the US, the Netherlands, and Russia, and all had at least one protector server.

00:36:21.600 --> 00:36:26.280
The only layer above them and sitting at the top of the pyramid was the actual C&C server for

00:36:26.280 --> 00:36:33.720
Waledac. [MUSIC] Waledac also used this layered system of lists in its structures, too. So,

00:36:33.720 --> 00:36:38.520
all the spammer bots had their own hardcoded list of repeater bots that they’d have to deal with,

00:36:38.520 --> 00:36:45.200
like, 200 of them, all communicating through .xml files using encrypted registry keys. Now,

00:36:45.200 --> 00:36:48.920
they would contact a random set of these repeaters to get updates,

00:36:48.920 --> 00:36:52.960
and they would also send the repeater another list of repeater bots taken from the original

00:36:52.960 --> 00:36:57.560
list of 200. It’s confusing just for me to try to figure out what’s going on here,

00:36:57.560 --> 00:37:00.680
but that’s a lot of lists, and there’s a lot of different layers here and a lot of

00:37:00.680 --> 00:37:04.560
different bots that you have to juggle as the botmaster. But all this worked

00:37:04.560 --> 00:37:09.640
in harmony and was acting pretty smoothly. The Waledac botnet was pretty successful,

00:37:09.640 --> 00:37:14.960
and it kept its botmaster earning some pretty good money. [MUSIC] Before that year was out though,

00:37:14.960 --> 00:37:20.360
the other spam botnets would take a hit. The McColo web host provider was forcibly taken down

00:37:20.360 --> 00:37:25.840
on November 11, 2008. Their not-so-ethical practices had finally caught up with them.

00:37:25.840 --> 00:37:29.880
After a number of reports highlighting the shady nature of what McColo was doing,

00:37:29.880 --> 00:37:33.280
their two US-based internet providers, Global Crossing and Hurricane Electric,

00:37:33.280 --> 00:37:38.240
pulled the plug on them. Suddenly, a big chunk of these botnets lost their hosting provider,

00:37:38.240 --> 00:37:43.920
and the spam volume across the world just took a huge drop. Like, suddenly something around 80%

00:37:43.920 --> 00:37:50.120
of all spam worldwide just stopped. Cosma had already moved some of his servers from McColo,

00:37:50.120 --> 00:37:55.360
but not all. Google had most of his servers for Cutwail there. This was enough to make

00:37:55.360 --> 00:38:00.880
both botnets stunned and immobile, but the effect was short-lived. A few days later,

00:38:00.880 --> 00:38:05.200
McColo reactivated one of their servers in the exact same location where it was before,

00:38:05.200 --> 00:38:10.360
in San Jose, California. When that server came online, the Rustock botnet came online again,

00:38:10.360 --> 00:38:15.680
too. But within weeks, that botnet found a new hosting provider. C&C servers were reconfigured

00:38:15.680 --> 00:38:21.400
to send new server information to all the bots, and the spamming machines got rolling again. Spam

00:38:21.400 --> 00:38:27.320
volumes once again began to climb. [MUSIC] By the middle of 2009, pharma e-mail spam

00:38:27.320 --> 00:38:33.440
was dominating the global spam market. 74% of all spam e-mails were pushing for dodgy online

00:38:33.440 --> 00:38:39.680
pharmacies. 67% of all that spam was promoting the Canadian Pharmacy brands like Glavmed and

00:38:39.680 --> 00:38:48.040
SpamIt. That year, spam botnets were sending an average of 150 billion spam messages a day.

00:38:48.040 --> 00:38:51.480
Cutwail was riding high again, but it took another big hit in June that year,

00:38:51.480 --> 00:38:55.880
when again it lost the hosting of its master C&C servers. Another hosting provider based

00:38:55.880 --> 00:39:00.800
in California was called 3FN, and hacker Google had loads of his servers there,

00:39:00.800 --> 00:39:06.320
especially after the McColo takedown a year before. 3FN was like a repeat of McColo. It

00:39:06.320 --> 00:39:11.400
was sort of known for hosting things that were dodgy or crime-ridden, like child pornography

00:39:11.400 --> 00:39:16.800
websites. The FTC stepped in and shut it down on June 4, 2009. When that happened,

00:39:16.800 --> 00:39:21.680
there was a noticeable drop in e-mail spam being sent as a result, but nowhere near as big as the

00:39:21.680 --> 00:39:26.760
one after the McColo takedown. But a few months after that, the Cutwail botnet was back at it

00:39:26.760 --> 00:39:31.600
and just as strong as ever. The botnets were once again at full steam, but they were also

00:39:31.600 --> 00:39:37.200
in the crosshairs of some determined people who wanted to take them down. Security analysts,

00:39:37.200 --> 00:39:41.840
academics, and software companies, and big brand pharmaceutical companies like Pfizer were all

00:39:41.840 --> 00:39:46.680
getting pretty frustrated with these botnets and rogue pharmacies, because these online pharmacies

00:39:46.680 --> 00:39:50.960
were selling fake Viagra, which Pfizer made, and at the time, there was no generic available,

00:39:50.960 --> 00:39:55.760
so Pfizer was losing a bunch of money from these botnets. But by this time, the botnet spamming

00:39:55.760 --> 00:40:00.280
empire and the Russian affiliate networks were all starting to show cracks in their operations.

00:40:00.280 --> 00:40:07.840
[MUSIC] The Waledac botnet was the first to fall. At 1.5 billion spam e-mails a day, Waledac was a

00:40:07.840 --> 00:40:15.520
big part of the pharma e-mail spam problem. Severa brought the online pharmacies an extra $438,000

00:40:15.520 --> 00:40:22.120
in revenue, and his cut from that was about $145,000. Software giant Microsoft was getting

00:40:22.120 --> 00:40:28.080
especially annoyed with Waledac. In December of 2009, they found 651 million e-mails going from

00:40:28.080 --> 00:40:33.640
Waledac through their customers’ Hotmail accounts alone. They decided to fight back; they realized

00:40:33.640 --> 00:40:38.360
to take down Waledac, they were going to have to do something pretty unusual. Successfully

00:40:38.360 --> 00:40:43.800
taking down a botnet is as much about tactics and strategy as anything else. Researchers need to

00:40:43.800 --> 00:40:48.840
bide their time, do their homework, and identify the botnet’s weakest points. Most of the time,

00:40:48.840 --> 00:40:52.680
that’s their C&C servers. It’s not a game of chess where authorities have to make a

00:40:52.680 --> 00:40:56.960
move or wait for the botmaster to make theirs. It’s the opposite, because the best attack is

00:40:56.960 --> 00:41:04.160
a coordinated worldwide sudden strike on multiple levels to cut the botnet away from the botmaster.

00:41:04.160 --> 00:41:09.040
By February 2010, Microsoft’s Digital Crimes Unit, their Malware Protection Center, and their

00:41:09.040 --> 00:41:14.680
Active Response to Security guys were building a takedown team to knock out Waledac. They had

00:41:14.680 --> 00:41:20.280
Symantec involved, experts from Shadowserver too, and there were security researchers involved from

00:41:20.280 --> 00:41:25.880
Universities of Washington, Mannheim, and the Technical University in Vienna. That’s a lot of

00:41:25.880 --> 00:41:31.600
people. Together, they would try to take down this Waledac botnet, and they codenamed this Operation

00:41:31.600 --> 00:41:39.640
b49. The team identified 277 domains that Waledac was using to operate its botnet. Their plan was

00:41:39.640 --> 00:41:45.080
to try to disconnect all of these domains at the same time, which would cut off all communication

00:41:45.080 --> 00:41:50.440
routes between the command and control servers and the bots. But it wasn’t going to be easy.

00:41:50.440 --> 00:41:54.440
Microsoft had their Senior Attorney for the Digital Crimes Unit, [MUSIC] Richard Boscovich,

00:41:54.440 --> 00:41:58.520
who was fully involved in this takedown attempt. Here’s a clip of him explaining why.

00:41:58.520 --> 00:42:02.080
RICHARD: The challenge we were facing is how do we go about stopping a botnet

00:42:02.080 --> 00:42:07.920
of this magnitude? In essence, how do we go about disconnecting all of the robot

00:42:07.920 --> 00:42:12.760
computers from the botherder? We looked at a traditional and well-established

00:42:12.760 --> 00:42:18.360
legal principle called the ex parte TRO. Ex parte meaning we don’t notice the other side,

00:42:18.360 --> 00:42:25.120
TRO meaning temporary restraining order. The reason why we chose the temp – the ex parte TRO,

00:42:25.120 --> 00:42:30.320
because it was of crucial importance that when we went out to sever, to cut the connections

00:42:30.320 --> 00:42:36.040
between the botherder and his bots, had to be done without him knowing. So, it was imperative

00:42:36.040 --> 00:42:42.480
for the operation that we get the ex parte TRO before the botherder knew we were coming.

00:42:42.480 --> 00:42:47.040
JACK: Microsoft filed a lawsuit naming twenty-seven John Does as the orchestrators

00:42:47.040 --> 00:42:52.280
of Waledac, including the mysterious Severa. They wanted a restraining order on VeriSign,

00:42:52.280 --> 00:42:55.600
the company that oversees .com and .net domains,

00:42:55.600 --> 00:43:01.760
to force them to disconnect these 277 Waledac domains. VeriSign was hesitant though,

00:43:01.760 --> 00:43:05.440
which makes it sound like VeriSign was refusing to help, but it was more like

00:43:05.440 --> 00:43:10.420
they weren’t sure that they were able to help. Alex Lanstein from FireEye explains it here.

00:43:10.420 --> 00:43:15.680
ALEX: So, most of those domains existed inside the .com and .name space, and it’s not just that

00:43:15.680 --> 00:43:21.680
a registrar or registry – so, the way DNS works is you have registries that are responsible for

00:43:21.680 --> 00:43:26.320
ccTLDs and gTLDs, and then you have registrars who essentially resell those. Sometimes you have

00:43:26.320 --> 00:43:29.760
a shared model, but it’s not that some of these registries – and in particular,

00:43:29.760 --> 00:43:35.840
this one was in the US – it’s not that they didn’t want to help out, but it’s that they weren’t

00:43:35.840 --> 00:43:40.480
exactly sure whether they had the legal authority to help out. This is sorta the – the coordinated

00:43:40.480 --> 00:43:50.720
takedown is sort of a new model that security and the ISP community are sort of working on. Yeah,

00:43:50.720 --> 00:43:54.800
and like what Julia was saying, in that case, the DNS infrastructure wasn’t going to be

00:43:54.800 --> 00:43:58.360
enough because they had some ISPs hardcoded, and you couldn’t just take out the domain

00:43:58.360 --> 00:44:03.840
names. But that’s the first, I think, legal mechanism that anyone’s used to take domains.

00:44:03.840 --> 00:44:08.160
JACK: This really hadn’t been done before. It was totally unprecedented, and no one was quite sure

00:44:08.160 --> 00:44:12.400
how the courts were going to respond to something like this. But the federal court in Alexandria,

00:44:12.400 --> 00:44:17.640
Virginia did grant the restraining order. VeriSign went ahead and cut off all the domains,

00:44:17.640 --> 00:44:23.440
and Waledac’s main botmaster Severa had no idea the strike was coming. When VeriSign disconnected

00:44:23.440 --> 00:44:28.760
the domains, the effect was immediate. The spam traffic fell massively. The number of

00:44:28.760 --> 00:44:35.160
bots dropped from 80,000 down to 20,000. Waledac was severely crippled, and with quick work by

00:44:35.160 --> 00:44:39.440
the takedown team, they were able to take over the domains which were required for Waledac to

00:44:39.440 --> 00:44:44.680
operate. Once those were taken over, the bot no longer could function, as no new commands

00:44:44.680 --> 00:44:51.880
could be issued to it, and it was successfully shut down. [MUSIC] Operation b49 was a success.

00:44:51.880 --> 00:44:57.080
CLIP: I think it is a landmark case in the sense that we’re able to finalize the case,

00:44:57.080 --> 00:45:03.240
close it out, so to speak, and we’re able to get the default judgement which we wanted. It’s the

00:45:03.240 --> 00:45:07.480
first time from both a technical perspective and a civil, legal perspective that we’ve

00:45:07.480 --> 00:45:12.960
been able to literally address and dismantle a botnet threat such as Waledac. The end game,

00:45:12.960 --> 00:45:17.200
of course, is with the default judgement, we will now own those domains. By doing so,

00:45:17.200 --> 00:45:21.280
we ensure that these domains will not be used for any criminal activities in the future,

00:45:21.280 --> 00:45:25.523
effectively eliminating them from the botherder’s control.

00:45:25.523 --> 00:45:30.680
CLIP2: One of the early criticisms was that Microsoft’s actions were from vigilantism

00:45:30.680 --> 00:45:34.760
and that they were supplanting federal law enforcement. In this case, it’s exactly the

00:45:34.760 --> 00:45:40.920
opposite. Our justice system is broken up into both civil and criminal processes, and Microsoft

00:45:40.920 --> 00:45:45.700
has every right to use civil, legal process to protect themselves and their customers from harm.

00:45:45.700 --> 00:45:50.720
CLIP3: The legal process which we used is a process now that I think

00:45:50.720 --> 00:45:53.080
any other particular company in the United States

00:45:53.080 --> 00:45:57.506
which has a vested interest and is able to meet the legal requirements could do.

00:45:57.506 --> 00:46:01.320
JACK: [MUSIC] The online pharmacies Glavmed and SpamIt were still going strong. The hacker

00:46:01.320 --> 00:46:05.240
Google with his Cutwail botnet was still one of their best affiliates. Pairing Cutwail with

00:46:05.240 --> 00:46:10.280
Pushdo was a good move by hacker Google. It had made it very hard to take Cutwail down,

00:46:10.280 --> 00:46:15.560
but that didn’t stop people from trying. This botnet, though, seemed to have nine lives. See,

00:46:15.560 --> 00:46:20.320
taking down Cutwail’s C&C servers would cut off Google’s ability to communicate with his bots,

00:46:20.320 --> 00:46:25.000
but he’d just activate new servers in replacement. Pushdo would just update what the IPs are for the

00:46:25.000 --> 00:46:30.600
C&C servers, and Cutwail would be fully alive and kicking again. Between 2008 and 2010,

00:46:30.600 --> 00:46:34.280
there were three attacks on the Cutwail botnet. In November 2008,

00:46:34.280 --> 00:46:40.480
when the McColo ISP got taken down, that had a massive impact on Cutwail. But Google recovered,

00:46:40.480 --> 00:46:46.080
and Cutwail got back its previous strengths. In early 2010, FireEye managed to get ahold of

00:46:46.080 --> 00:46:51.320
a handful of Cutwail’s C&C servers and knocked them out. But again, the drop in spam e-mails

00:46:51.320 --> 00:46:56.240
only lasted weeks before the numbers went back up again. The takedown that had the biggest impact

00:46:56.240 --> 00:47:01.120
on Cutwail was actually a little accidental. Thorsten Holz was the senior threat analyst

00:47:01.120 --> 00:47:06.640
at the US cyber security company Lastline, and assistant professor at a university in Germany.

00:47:06.640 --> 00:47:10.720
He and some colleagues were working on a research project in August 2010,

00:47:10.720 --> 00:47:16.080
examining botnets including Pushdo and Rustock. They were trying to match infected IP addresses

00:47:16.080 --> 00:47:20.040
with the botnets that were responsible. To properly do their research, they needed some

00:47:20.040 --> 00:47:25.080
C&C servers to be able to test an algorithm that they’d come up with. So, they decided to try to

00:47:25.080 --> 00:47:29.480
take down some of Pushdo’s C&C servers to get ahold of the data so they could do their part

00:47:29.480 --> 00:47:33.760
of their project. [MUSIC] They identified eight hosting providers that were hosting thirty of

00:47:33.760 --> 00:47:38.560
Pushdo’s C&C servers. They didn’t really set out to take down this botnet, and they really weren’t

00:47:38.560 --> 00:47:43.720
sure what their efforts with Pushdo servers could do to Cutwail. They sent out an abuse

00:47:43.720 --> 00:47:48.080
notification to these hosting providers with evidence that these servers had been used as

00:47:48.080 --> 00:47:53.760
command and control servers for botnets. 66% of the servers were located in Europe, with a

00:47:53.760 --> 00:47:59.600
couple hosted inside the US. Most of the providers responded by cutting off the servers, but a few

00:47:59.600 --> 00:48:04.640
just ignored the notifications completely. But the server disconnections did damage Cutwail.

00:48:04.640 --> 00:48:09.400
In fact, it stopped 80% of Cutwail’s e-mail spam overnight. Unfortunately though,

00:48:09.400 --> 00:48:14.560
it wouldn’t last. With Cutwail momentarily weakened, that only gave more opportunity for

00:48:14.560 --> 00:48:19.040
Rustock to climb up the spam botnet world. Cosma was bringing in decent money through

00:48:19.040 --> 00:48:24.280
Rustock and SpamIt, and he was holding his own as one of the top affiliates. By August 2010,

00:48:24.280 --> 00:48:29.400
Rustock was the most dominant pharma spamming botnet. But then some news broke that wasn’t

00:48:29.400 --> 00:48:35.560
taken very well by these spammer affiliates. [MUSIC] That month, Glavmed and SpamIt got hacked,

00:48:35.560 --> 00:48:40.640
and it was a huge breach. The hacker got the sales logs, customer figures, affiliate commissions,

00:48:40.640 --> 00:48:46.320
and revenue data. It was a database 9GB in size, with records going back to when both

00:48:46.320 --> 00:48:52.320
programs started in 2006. It all got released to security researchers and got passed into the hands

00:48:52.320 --> 00:48:59.000
of US law enforcement. Now, this was all a little weird. You remember Igor’s old company, ChronoPay,

00:48:59.000 --> 00:49:05.680
and that his rival Pavel was still running? Well, seven months earlier, that got hacked, too. Data

00:49:05.680 --> 00:49:11.360
for ChronoPay and RX-Promotion found its way online and into the hands of security analysts.

00:49:11.360 --> 00:49:15.280
Security journalist Brian Krebs from Krebs on Security was one of the people who got ahold

00:49:15.280 --> 00:49:20.000
of the Glavmed and SpamIt data. He’d been contacted months earlier by someone calling

00:49:20.000 --> 00:49:24.160
themselves ‘Despduck’, who said they had it all and they were going to release it. From

00:49:24.160 --> 00:49:28.360
what he could figure out, this all went back to that ongoing rivalry between Igor

00:49:28.360 --> 00:49:34.160
and Pavel. Krebs was quite convinced that this anonymous Despduck character was actually Pavel,

00:49:34.160 --> 00:49:38.720
and he was using this name as a dig to Igor, whose nickname was actually ‘Desp’. It seems

00:49:38.720 --> 00:49:43.160
like these two guys were so enraged with each other that they arranged hacks on one another and

00:49:43.160 --> 00:49:48.280
then forced their data to be leaked to the world. It’s just crazy to me, because they

00:49:48.280 --> 00:49:53.040
were trying to destroy each other. This really wasn’t good news for the spammer affiliates;

00:49:53.040 --> 00:49:57.280
the data that was being leaked contained all kinds of details about the hacker and spammer

00:49:57.280 --> 00:50:01.320
activities, like how much they were earning and some pretty big clues as to what their

00:50:01.320 --> 00:50:05.920
real identities were. Here, have a listen to this. It’s Alex Lanstein from FireEye

00:50:05.920 --> 00:50:10.660
talking at BlackHat 2011 about this data leak and what it revealed about the top spammers.

00:50:10.660 --> 00:50:15.000
ALEX: So, they leaked the database of one of the competitors to Krebs. They’re like,

00:50:15.000 --> 00:50:21.400
oh yeah, here’s a bunch of data; go and blog about it. What he found was that the top three

00:50:21.400 --> 00:50:28.080
affiliates were all the same dude, so like, the top three money-earners for SpamIt all use the

00:50:28.080 --> 00:50:33.320
same WebMoney ID, and they were all the Rustock guy. So, he would register multiple affiliate

00:50:33.320 --> 00:50:40.360
accounts and managed to be the top one, two, and three affiliate for these huge spam campaigns

00:50:40.360 --> 00:50:43.840
and just make boatloads of money. But he didn’t want to be too big, or else everyone would get

00:50:43.840 --> 00:50:47.640
pissed at him. They’re like oh, who is that one username who registered multiple accounts

00:50:47.640 --> 00:50:52.220
on all these services and still be the top earners for all those different accounts?

00:50:52.220 --> 00:50:56.560
JACK: Everyone was interested in this data set. Getting raw data like this from the underground

00:50:56.560 --> 00:51:02.000
shady pharmacy operations? That doesn’t happen very often. Brian Krebs started researching

00:51:02.000 --> 00:51:06.600
this and started connecting real identities to some of these top spammers after digging around

00:51:06.600 --> 00:51:13.200
in this data. So, Cutwail’s botmaster, Google, Krebs identified him as a Russian spammer named

00:51:13.200 --> 00:51:18.360
Dmitry Nechvolod. He doesn’t stop there; from cross-referencing e-mail addresses on affiliate

00:51:18.360 --> 00:51:22.680
accounts with SpamIt and RX-Promotion, Krebs found the name for Cosma, too,

00:51:22.680 --> 00:51:29.080
Dmitri Sergeev. Damon McCoy and his colleagues at George Mason University, they got this data too,

00:51:29.080 --> 00:51:33.840
as well as the leaks from ChronoPay, and it formed the basis for their PharmaLeaks study.

00:51:33.840 --> 00:51:38.800
DAMON: As part of this, we have the back end database which includes order information,

00:51:38.800 --> 00:51:44.440
transactional information, a very rich set of information on the Glavmed-SpamIt programs,

00:51:44.440 --> 00:51:49.880
which are two of the larger online affiliate programs, according to when we did our analysis

00:51:49.880 --> 00:51:54.840
of spam and linked it back to the different pharmaceutical affiliate programs. We also have

00:51:54.840 --> 00:51:59.840
chat logs from the operators of the Glavmed-SpamIt program, which again gave us a lot of metadata and

00:51:59.840 --> 00:52:05.600
insight into how their business operates. We have a more restricted set of transactional information

00:52:05.600 --> 00:52:09.960
from the RX Promotion affiliate program. Again, an extremely major online affiliate

00:52:09.960 --> 00:52:17.120
program that’s constituted a large portion of spam while they were operating. We also have

00:52:17.120 --> 00:52:24.640
extremely fine-grained revenue and cost structure information from the RX Promotion data set.

00:52:24.640 --> 00:52:31.440
So, just a quick summary of this data; it encompasses over $185 million worth of revenue,

00:52:31.440 --> 00:52:40.880
of purchases. It encompasses over a million customers, over 1.5 million orders, and over 2,600

00:52:40.880 --> 00:52:48.080
affiliates. During our analysis of this data, we realized that Glavmed has often denied that

00:52:48.080 --> 00:52:53.560
they are the operators of SpamIt. However, by our analysis of the databases of Glavmed-SpamIt, we

00:52:53.560 --> 00:52:59.320
realized that SpamIt is just a fork of the Glavmed databases and that in fact, these two are operated

00:52:59.320 --> 00:53:07.360
by the same people. If you crunch the numbers, the Glavmed-SpamIt programs attract about 3,500 new

00:53:07.360 --> 00:53:14.826
customers per week, and the RX Promotions program attracts about 1,500 new customers per week.

00:53:14.826 --> 00:53:19.280
JACK: [MUSIC] On October 3, 2010, another weird thing happened; the global volume of spam being

00:53:19.280 --> 00:53:24.040
sent all of a sudden hit an all-time low. In fact, Rustock, the biggest spam botnet

00:53:24.040 --> 00:53:28.760
going on at the time, stopped sending spams completely for fourteen hours. It just stopped

00:53:28.760 --> 00:53:33.440
doing anything. Cutwail’s spam e-mails also dropped across the same day, but nowhere near

00:53:33.440 --> 00:53:38.720
as much as Rustock’s did. Bradley Anstis from M86 Security Labs gave a talk at the BlackHat

00:53:38.720 --> 00:53:43.520
conference in 2011 a few months after this happened, and here’s what he knew about it.

00:53:43.520 --> 00:53:47.360
BRADLEY: Certainly, SpamIt basically closed its doors overnight in September. Now,

00:53:47.360 --> 00:53:52.840
we’re not – still not quite sure why SpamIt closed. We can only guess what it might be,

00:53:52.840 --> 00:53:58.720
whether they just got embarrassed, got sick of seeing their name in the press all the time,

00:53:58.720 --> 00:54:03.040
their upstream, downstream customers started getting frustrated that they

00:54:03.040 --> 00:54:07.360
were continuously getting mentioned. Whatever the reason was, they got abducted by aliens,

00:54:07.360 --> 00:54:12.880
and you can see here the effect; the graph there on the left-hand side is the global spam volume.

00:54:12.880 --> 00:54:18.680
Now, we track this. You can see this all the time in our Labs website, and you can

00:54:18.680 --> 00:54:23.946
see the overnight impact in global spam volumes with the closure of just one affiliate program.

00:54:23.946 --> 00:54:28.680
JACK: [MUSIC] Igor and Dmitry Stupin had shut down SpamIt. They posted a message on the front page of

00:54:28.680 --> 00:54:32.960
the SpamIt affiliate website. It said the program was attracting too much attention from the wrong

00:54:32.960 --> 00:54:37.400
people. Igor had got word that the authorities were looking into him after the Glavmed data got

00:54:37.400 --> 00:54:43.240
leaked, so he was watching his back. SpamIt’s top affiliates went into a freefall. For Cosma,

00:54:43.240 --> 00:54:47.600
especially with Rustock, this was really bad for him. He canceled scheduled spam campaigns

00:54:47.600 --> 00:54:52.160
and left his bots sitting idle for further instructions. Cutwail took a big hit too,

00:54:52.160 --> 00:54:55.520
but Google had his bots sending out more than just pharma spam,

00:54:55.520 --> 00:55:00.960
so Cutwail did continue sending spam and earning affiliate commissions from other programs. Then,

00:55:00.960 --> 00:55:05.680
he was also getting good money from renting Cutwail out, too. On October 26,

00:55:05.680 --> 00:55:10.160
Igor’s apartment and offices in Moscow were searched by Russian federal authorities.

00:55:10.160 --> 00:55:14.880
Igor had fled the country already with his family, not hanging around to be arrested.

00:55:14.880 --> 00:55:19.360
Investigators found three laptops, seven hard drives, and a handful of flashcards. Later

00:55:19.360 --> 00:55:24.000
that day, the Internal Affairs Directorate of the Central District of Moscow announced the criminal

00:55:24.000 --> 00:55:29.560
investigation into Igor. They charged him with running Glavmed without registration and illegal

00:55:29.560 --> 00:55:34.440
entrepreneurship. Investigators added up how much they thought Glavmed made since it started

00:55:34.440 --> 00:55:42.600
in 2006, and they concluded the revenue was $120 million. Internal unrest and bitter rivalry had

00:55:42.600 --> 00:55:48.240
knocked out the spamming botnets who had been enjoying an easy ride, of course. But by 2011,

00:55:48.240 --> 00:55:52.960
they made a comeback, switching their affiliate alliance to the rogue online pharmacy programs.

00:55:52.960 --> 00:55:59.440
The Russian revenue from these pharmacies was estimated to be $142 million in just 2011 alone.

00:55:59.440 --> 00:56:04.840
The e-mail spam volumes had once again climbed back up to astonishing levels. The time had come

00:56:04.840 --> 00:56:09.240
once again to start taking these botnets out of operation, and it was Rustock’s turn to be

00:56:09.240 --> 00:56:14.400
in the firing line. The preparations to take down Rustock had begun nine months earlier,

00:56:14.400 --> 00:56:18.600
right as the online pharmacies started hacking each other and leaking each other’s data.

00:56:18.600 --> 00:56:23.000
Like with Waledac, Microsoft was once again leading the charge to take down Rustock, and they

00:56:23.000 --> 00:56:28.160
were coming in hard. Microsoft, FireEye Security, US law enforcement, and computer scientists from

00:56:28.160 --> 00:56:33.280
the University of Washington were all working together to take down the Rustock botnet. Pfizer

00:56:33.280 --> 00:56:37.480
also came on board. Rustock was pushing internet pharmacies that were ripping off their products,

00:56:37.480 --> 00:56:42.640
and they weren’t happy about it. Both Microsoft and FireEye had been tracking Rustock, quietly

00:56:42.640 --> 00:56:47.840
collecting data on how it’s operated, and its preparations to destroy it. FireEye figured out

00:56:47.840 --> 00:56:53.480
which of Rustock’s ninety-six C&C servers were acting as the primary server. They identified

00:56:53.480 --> 00:56:58.200
twenty-six to put in their target list. Most of these servers were located within the US,

00:56:58.200 --> 00:57:03.240
sitting in legitimate ISPs, oblivious to what they were really doing. Julia Wolf and Alex

00:57:03.240 --> 00:57:09.160
Lanstein from FireEye talk about how Rustock laid out its C&C servers in their BlackHat 2011 talk.

00:57:09.160 --> 00:57:15.480
ALEX: All of the C&Cs for Rustock were – all but two of them were host – actually

00:57:15.480 --> 00:57:19.700
hosted within the United States, and the other two were hosted in Amsterdam.

00:57:19.700 --> 00:57:25.120
CLIP4: So, they bought a bunch of servers in Scranton and used that as a big command and

00:57:25.120 --> 00:57:29.080
control point, and they bought a bunch of servers in Kansas City. These places that

00:57:29.080 --> 00:57:34.720
– nothing wrong with Scranton, Pennsylvania, but it’s not just that it’s not suspicious,

00:57:34.720 --> 00:57:39.920
it makes you think that it’s completely legit. If you see traffic going to Scranton, you’re like,

00:57:39.920 --> 00:57:44.680
yeah, that’s probably legit. Like, what bad could possibly be going on there? The Microsoft

00:57:44.680 --> 00:57:51.720
DCU guys, they have this whole department that’s basically set up to bring the hurt to bad guys,

00:57:51.720 --> 00:57:58.600
and they kind of approached us and they said what do you think – not just would be able to

00:57:58.600 --> 00:58:07.360
be taken down, but is causing a lot of harm to our customers? From where we stand, we make a product

00:58:07.360 --> 00:58:14.840
that detects malware. Rustock was like, the – not just the most prevalent, but it was causing a very

00:58:14.840 --> 00:58:18.480
easily-measurable amount of harm on the internet. So, they came to us and they said, you know,

00:58:18.480 --> 00:58:25.360
what do you think? Is Rustock something that you could help us with? We said yeah, absolutely. So,

00:58:25.360 --> 00:58:31.000
they said what do you think you could provide us some intel on that would help us, you know,

00:58:31.000 --> 00:58:37.320
both validate what they were seeing and from a third-party security company perspective,

00:58:37.320 --> 00:58:42.120
just basically give us your input. So, we put together a set of monitoring tools where we

00:58:42.120 --> 00:58:45.880
were feeding them all the command and control servers that we were seeing on a daily basis.

00:58:45.880 --> 00:58:50.240
JACK: So, there were a lot of Rustock C&C servers that kept this botnet running. To

00:58:50.240 --> 00:58:54.320
stop it, they needed to shut down those servers and seize them. This

00:58:54.320 --> 00:58:58.920
was so they could be examined forensically for analysis and to provide evidence. Plus,

00:58:58.920 --> 00:59:03.200
if the servers got seized, it would be very hard for that botnet to be reactivated again

00:59:03.200 --> 00:59:07.440
later. Here’s some more on what the plan was behind physically seizing the servers.

00:59:07.440 --> 00:59:12.120
CLIP4: They didn’t seize the servers as any sort of punitive damages. They were granted temporary

00:59:12.120 --> 00:59:16.040
access to the servers to get any sort of forensic detail that might exist on them

00:59:16.040 --> 00:59:22.120
so that they can go after the bad guy, right? That’s still ongoing, but certainly if a bad

00:59:22.120 --> 00:59:26.120
guy doesn’t think – or he thinks the servers are pretty bulletproof – and these were up for like,

00:59:26.120 --> 00:59:31.960
a year and a half, so there’s a reasonable chance that he thought that he was pretty well-protected,

00:59:31.960 --> 00:59:37.280
so he might have made a mistake such as connecting directly to it, like SSHing right to the server,

00:59:37.280 --> 00:59:41.760
or leaving things on it, like leaving a code base. Maybe he’s compiling something, leaving

00:59:41.760 --> 00:59:47.280
code artifacts, leaving things inside the actual – the server side of the command and control that’s

00:59:47.280 --> 00:59:52.800
never meant to be seen by a person. You never see that. So, that was the idea in going after

00:59:52.800 --> 00:59:57.560
the hard drives, and then obviously just kind of a shot across the bow to the criminal himself.

00:59:57.560 --> 01:00:02.040
JACK: The problem with this though, is that not all ISPs owned all the equipment they used. So,

01:00:02.040 --> 01:00:06.840
it was really complicated to get authorities to seize equipment. So, there was only one option;

01:00:06.840 --> 01:00:10.960
Microsoft used the same tactics to hit Rustock as they did with Waledac earlier

01:00:10.960 --> 01:00:15.560
that year. [MUSIC] Microsoft filed a lawsuit at the US District Court in the Western District of

01:00:15.560 --> 01:00:20.600
Washington. It named eleven John Does as the operator of Rustock, who they thought were

01:00:20.600 --> 01:00:25.600
involved with Cosma. Rustock was sending a lot of its spam e-mails through Hotmail accounts,

01:00:25.600 --> 01:00:29.680
and they were sending e-mails claiming to be from Microsoft or Pfizer. On top of that,

01:00:29.680 --> 01:00:34.000
Rustock enabled a heap of users’ remote access to Windows clients so the infected

01:00:34.000 --> 01:00:39.000
machines could talk to each other and the core C&C servers. But, you can’t do that because that

01:00:39.000 --> 01:00:43.480
goes against Microsoft’s licence agreement. So, the legal team at Microsoft actually used

01:00:43.480 --> 01:00:48.360
a clause in their Trademark Act to give them a legal basis to help with this takedown.

01:00:48.360 --> 01:00:55.480
CLIP5: Anyway, so, legal counsel at Microsoft. Richard Boscovich came up with this great idea

01:00:55.480 --> 01:01:02.960
for how to do this, and there’s a – there’s an interesting clause in the Lanham Trademark Act

01:01:02.960 --> 01:01:11.680
that basically allows anyone who owns a trademark to seize counterfeit goods. So basically,

01:01:11.680 --> 01:01:20.240
the legal argument that was made was that these C&C servers had spam templates that claimed to

01:01:20.240 --> 01:01:28.920
be from Microsoft or from Pfizer, selling Viagra or whatever, and that’s trademark infringement.

01:01:28.920 --> 01:01:34.160
They’re selling counterfeit Viagra and whatnot and stuff like that. So basically, it’s under

01:01:34.160 --> 01:01:41.720
the jurisdiction of this Trademark Act, and all of the C&Cs are also within the US jurisdiction,

01:01:41.720 --> 01:01:48.240
so this still applies. There was a lot of victims in the US also, and so basically, the

01:01:48.240 --> 01:01:58.000
jurisdictional requirements have been satisfied as well. The actual request that Microsoft made

01:01:58.000 --> 01:02:03.280
is kinda written like this; basically it says all your servers are belong to us, kind of.

01:02:03.280 --> 01:02:07.600
JACK: That lawsuit had a solid case, and it worked; their requests were granted. So,

01:02:07.600 --> 01:02:12.360
now it was just a matter of getting in and taking down the Rustock servers. [MUSIC] On March 16,

01:02:12.360 --> 01:02:18.560
2011, Operation b107 was launched. Twenty-six individual Rustock C&C servers from five

01:02:18.560 --> 01:02:23.160
different hosting providers were seized by US Marshals at exactly the same time across

01:02:23.160 --> 01:02:27.480
seven cities in the US; Denver, Dallas, Chicago, Kansas City, Scranton, Seattle,

01:02:27.480 --> 01:02:32.640
and Columbus. There were two servers outside the US that were seized. One was in the Netherlands

01:02:32.640 --> 01:02:36.800
and taken down by the Dutch High Tech Crime Unit, and the other was in China. Rustock

01:02:36.800 --> 01:02:40.640
domains registered there were blocked with the help of the Chinese cyber security technical

01:02:40.640 --> 01:02:48.720
center known as CNCERT/CC. Cosma, Rustock’s main botmaster, had no time to respond. All around him,

01:02:48.720 --> 01:02:53.720
server after server was going down. Now all the infected machines that made up the Rustock botnet

01:02:53.720 --> 01:02:58.240
suddenly faced silence from the controlling master. The security community witnessed a

01:02:58.240 --> 01:03:03.160
sudden drop in spam traffic coming from Rustock, but they had no idea why it happened. Here’s

01:03:03.160 --> 01:03:08.063
Richard Cox, the Chief Information Officer for Spamhaus, talking about when they found out.

01:03:08.063 --> 01:03:13.080
RICHARD: [MUSIC] One day, we suddenly saw the botnet Rustock disappear from the world

01:03:13.080 --> 01:03:17.760
stage. Our first thoughts were our equipment was faulty. I thought we’ve never seen that

01:03:17.760 --> 01:03:23.320
before. But some cross-checking proved that in fact it wasn’t that the equipment was faulty;

01:03:23.320 --> 01:03:29.680
the spam coming from the Rustock botnet suddenly went silent. Silent, that is,

01:03:29.680 --> 01:03:35.360
until the silence was somewhat shattered by shouts of joy worldwide as people realized that

01:03:35.360 --> 01:03:39.760
the most significant source of spam on the planet had suddenly ceased spamming.

01:03:39.760 --> 01:03:43.600
JACK: After the takedown, Microsoft made sure to sinkhole Rustock’s main

01:03:43.600 --> 01:03:47.640
C&C server IP addresses. Basically, they were intercepting the traffic going to

01:03:47.640 --> 01:03:51.600
these servers and redirecting it to their own. This way, they can start to identify

01:03:51.600 --> 01:03:56.280
machines infected with Rustock. Within three months of Operation b107 starting,

01:03:56.280 --> 01:04:01.280
the million or so Rustock-infected bots had dropped to around 500,000. Computer users were

01:04:01.280 --> 01:04:06.120
slowly claiming their machines back under their control. The hunt for Cosma and those who helped

01:04:06.120 --> 01:04:11.720
him with Rustock was still on. Microsoft offered a $250,000 reward for information

01:04:11.720 --> 01:04:17.840
leading to the arrest and conviction of Cosma, but that reward still stands. Cosma still is on the

01:04:17.840 --> 01:04:22.825
loose. He hasn’t been tracked down. Microsoft’s legal team though, are still looking for him.

01:04:22.825 --> 01:04:28.120
LEGAL: [MUSIC] We’re not gonna stop until the people behind these botnets

01:04:28.120 --> 01:04:31.960
that are affecting our customers and are impacting our platform

01:04:31.960 --> 01:04:36.980
get the message that if you target our platform, we will target you.

01:04:36.980 --> 01:04:40.760
JACK: Now, one thing I haven’t really talked much about yet is the botmasters’

01:04:40.760 --> 01:04:45.560
real identities. The data leaked from Glavmed, SpamIt, and RX-Promotions did give some clues,

01:04:45.560 --> 01:04:50.680
because there was a ton of chat logs on that server, but it’s hard to know for sure. But we do

01:04:50.680 --> 01:04:56.360
know who Severa was, the botmaster behind Waledac. [MUSIC] We know who he is because authorities have

01:04:56.360 --> 01:05:02.240
confirmed he’s a long-time Russian hacker and a spammer called Peter Levashov, sometimes known as

01:05:02.240 --> 01:05:07.600
Peter Severa. He was not just behind the Waledac botnet either, but the earlier Storm botnet,

01:05:07.600 --> 01:05:11.880
too, and he was the one who created the Kelihos botnet. That was a massive spamming machine that

01:05:11.880 --> 01:05:17.120
stole credentials and installed malware for years before Peter was caught and that botnet was shut

01:05:17.120 --> 01:05:22.400
down. So, where does that leave us today? Well, the rogue online pharmacies and the spamming

01:05:22.400 --> 01:05:28.000
botnets that promote them are ongoing problems even today. Waledac and Rustock are gone, but

01:05:28.000 --> 01:05:32.720
Cutwail is still going with different versions, and it’s still paired up with the Pushdo Trojan.

01:05:32.720 --> 01:05:38.520
It’s just a really persistent botnet. Both Google and Cosma have not yet been found or arrested.

01:05:38.520 --> 01:05:43.840
Microsoft still has a $250,000 reward for information leading to the arrest of Cosma,

01:05:43.840 --> 01:05:48.920
the guy who created the Rustock botnet. Igor Vishnevsky, the guy who helped Google set up

01:05:48.920 --> 01:05:54.120
Cutwail? He seems to be in the wind, too. SpamIt, the favourite Russian affiliate network, yeah,

01:05:54.120 --> 01:05:59.400
it’s shut down. Glavmed though, and RX-Partners, are still active and selling their knock-off meds.

01:05:59.400 --> 01:06:03.320
I don’t know who’s running them, though. Igor, the guy who helped create Glavmed and SpamIt,

01:06:03.320 --> 01:06:07.440
is still on the run, hiding out somewhere, so maybe Dmitry Stupin is still running it,

01:06:07.440 --> 01:06:13.880
since he helped Igor set it up. Yuri still might be running RX-Partners, I don’t know. Or maybe

01:06:13.880 --> 01:06:18.440
they’ve passed it on to some other people at this point. The FDA sent both of the online pharmacies

01:06:18.440 --> 01:06:23.240
warning letters that they were violating the Food, Drug, and Cosmetic Act in the last few years,

01:06:23.240 --> 01:06:28.000
but haven’t been able to stop them from operating. Glavmed got a serious warning;

01:06:28.000 --> 01:06:31.520
apparently some of the drugs they were selling contained ingredients that gave people serious

01:06:31.520 --> 01:06:36.320
side effects which could be fatal, which doesn’t surprise me. When you ingest medicine from a

01:06:36.320 --> 01:06:40.920
fake online pharmacy, who knows what you’re putting in your body. RX-Partners just this

01:06:40.920 --> 01:06:45.040
year had been trying to cash in on the COVID pandemic. Some of their websites

01:06:45.040 --> 01:06:49.720
were found offering prescription-only drugs they claimed to be treatments for the virus.

01:06:49.720 --> 01:06:54.120
The sell was a heap of false information about COVID to play on people’s fear and to push them

01:06:54.120 --> 01:06:59.680
in to buy out of hope and desperation. Preying on sick people with no actual solution to their

01:06:59.680 --> 01:07:06.000
illness, ugh, what scoundrels. Their goal was money, plain and simple, and they were happy

01:07:06.000 --> 01:07:12.080
to exploit the most vulnerable people to get as much of it as they could. Igor and Pavel

01:07:12.080 --> 01:07:17.040
basically destroyed each other with their rivalry and feuding, which was good for getting rid of

01:07:17.040 --> 01:07:21.400
some of the dodgy online pharmacy partnerships that were going on. Pavel, the guy who helped

01:07:21.400 --> 01:07:27.320
start ChronoPay, used some botnets to attack a ChronoPay rival in 2013. After he did that,

01:07:27.320 --> 01:07:33.360
he was caught and arrested, and spent a year in prison. These rogue online pharmacies are just

01:07:33.360 --> 01:07:38.640
mega-dangerous. If you’re gonna order your meds online, make sure to check the pharmacy first.

01:07:38.640 --> 01:07:43.040
Make sure the medicine is real and from a trusted source. You don’t want to put junk into your body

01:07:43.040 --> 01:07:48.200
that isn’t regulated or safe. The spamming botnets and botmasters are gonna keep going as long as

01:07:48.200 --> 01:07:53.360
this thing makes money, which makes this a game of cat and mouse that seems never-ending. But the

01:07:53.360 --> 01:08:06.657
good guys are fighting back, and they’ll keep fighting back until the bad guys are all gone.

01:08:06.657 --> 01:08:09.920
(OUTRO): [OUTRO MUSIC] If you like this show, you’re gonna love the Darknet Diaries shop.

01:08:09.920 --> 01:08:14.800
There are over fifty original, unique t-shirt designs. You’ve got to check out this artwork;

01:08:14.800 --> 01:08:17.720
people are loving it, and I’m sure you’re gonna find a design that you’ll love,

01:08:17.720 --> 01:08:24.280
too. Visit shop.darknetdiaries.com. This show is made by me, your friendly firewall admin,

01:08:24.280 --> 01:08:27.280
Jack Rhysider. This episode was written by the crime traveler,

01:08:27.280 --> 01:08:31.160
Fiona Guy. Sound design and original music was by Garrett Tiedemann, who makes some

01:08:31.160 --> 01:08:35.560
really cool music that you should check out. Go to cynarpictures.com and click the music to

01:08:35.560 --> 01:08:42.840
hear it. That’s C-Y-N-A-R pictures.com. Editing help this episode by the cat-herder, Damienne,

01:08:42.840 --> 01:08:47.440
and our theme music is by the beet farmer, Breakmaster Cylinder. Even though I think

01:08:47.440 --> 01:08:53.800
a rubber mallet is a perfectly good hardware troubleshooting tool, this is Darknet Diaries.
