Spyware Warrior :: View topic - Ordering pharma from Leo....

Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

FAQ :: Search :: Memberlist :: Usergroups :: Register

Profile :: Log in to check your private messages :: Log in

Ordering pharma from Leo....

Spyware Warrior Forum Index -> Spam

View previous topic :: View next topic

Author

Message

olliver
Expert Developer

Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Sun Aug 19, 2007 11:12 am Post subject: Ordering pharma from Leo....

After having spent some time pushing his flavour of "Canadian Pharmacy" Leo Kuvayev returned to his better known fake pharma brand "Your Online Pharmacy". Perhaps the admittedly attractive looking model posing as doctor is a more effective bait for victims than the dull Canadian Sugar Maple emblem used in the other shop Wink

. Anyway, Spamtrackers have more details about this operation.

Headers:

Quote:

Return-Path: <rhonda@unina.it>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 19 Aug 2007 17:03:05 -0000
Received: from 83-20-113.netrun.cytanet.com.cy (HELO cytanet.com.cy) [83.168.20.113]
by mx0.gmx.net (mx057) with SMTP; 19 Aug 2007 19:03:05 +0200
Message-ID: <000801c7e282$c966c590$c0a80020@rhonda>
From: "marve kan-lee" <rhonda@unina.it>
TO: <spamtrapt>
Subject: Buy cheap meds of the best quality in our shop
Date: Sun, 19 Aug 2007 15:18:21 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MSMail-Priority: Normal
X-Mailer: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022
X-MimeOLE: Produced By Microsoft MimeOLE V

The sender is already listed by UCEprotect and a bunch of lesser known blocklists and given the spamvertised target it seems likely that it's a zombified Windows machine spewing that rubbish.

Mail body:

Quote:

We are delighted to welcome you at our shop
Here you can find solutions to all you problems!
We will help you to avoid sexual frustration, anxiety and other problems that spoil your life.
Our costs are the lowest, our meds are the best
We are the first among all the chemists shop as we propose the medical goods of the best quality for cheap! !
For you, dear Client, we organize the special pricing action so we are ready to resolve all your difficulties almost for free!

http://f.entryrxshop.com/

Bye =)

Of course Leo would not be Leo if his rx domain weren't hosted via a b0tnet:

Quote:

[olliver@bunkiten ~]$ host f.entryrxshop.com
f.entryrxshop.com has address 69.182.218.207
f.entryrxshop.com has address 74.100.205.40
f.entryrxshop.com has address 83.81.67.107
f.entryrxshop.com has address 122.123.192.225
f.entryrxshop.com has address 210.6.103.8
f.entryrxshop.com has address 24.152.128.81
f.entryrxshop.com has address 61.93.177.215
f.entryrxshop.com has address 61.238.9.160
f.entryrxshop.com has address 67.168.29.116
f.entryrxshop.com has address 68.93.90.36

DNS trace shows the typical Kuvayev signs:

Quote:

entryrxshop.com. 172800 IN NS ns0.priokoliondedsa.com.
entryrxshop.com. 172800 IN NS ns0.ptrinmasedinca.com.
entryrxshop.com. 172800 IN NS ns0.pumationdesun.com.
entryrxshop.com. 172800 IN NS ns0.puntunhdefunterun.com.
;; Received 232 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 187 ms

entryrxshop.com. 300 IN NS ns0.ptrinmasedinca.com.
entryrxshop.com. 300 IN NS ns0.priokoliondedsa.com.
entryrxshop.com. 300 IN NS ns0.puntunhdefunterun.com.
entryrxshop.com. 300 IN NS ns0.pumationdesun.com.
;; Received 819 bytes from 74.103.60.156#53(ns0.priokoliondedsa.com) in 158 ms

Note the short TTL of 5 minutes which is characteristic for fastflux botnets. ns0.priokoliondedsa.com also resolves the following domains:
20pills.com
puntunhdefunterun.com
rxnic.com
aztxobzipyijon.com
rxshopworld.com
eedrug.com
guihgzybira.com

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.

Chao284
Warrior

Joined: 06 Sep 2004
Last Visit: 06 Aug 2011
Posts: 220
Location: Bremerton, WA

Posted: Sun Aug 19, 2007 11:06 pm Post subject: Re: Ordering pharma from Leo....

a notepet wrote:

. Anyway, Spamtrackers have more details about this operation.
Olliver

Yes the same kind I am getting, not to mention you can only used advanced/Brute-Forced lookups to find who he really is, knowing it will just lead to another botnet and not the real thing,

And yes the rxshopworld.com thing did turn up in one of my spams recently, and that tells me Leo Kuvayev is invencible and unstoppable to say the least.

and I still figure his spam will progressively get worse knowing the "postcard" trojan is currently going around.

olliver
Expert Developer

Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Mon Aug 20, 2007 10:51 am Post subject: Re: Ordering pharma from Leo....

Chao284 wrote:

[Leo Spam]

Yes the same kind I am getting, not to mention you can only used advanced/Brute-Forced lookups to find who he really is, knowing it will just lead to another botnet and not the real thing,

I don't know what you mean with "advanced/brute-force" lookups, but perhaps my DNS knowledge is deficient. The number of records you can receive from a DNS server is merely determined by the access rights that are granted to you by the admin. In order to get to the actual backend server you need to analyse the traffic of one of the b0tted PCs, because technically they work as reverse proxy for the actual site. More info:
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#143
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#164

Quote:

And yes the rxshopworld.com thing did turn up in one of my spams recently, and that tells me Leo Kuvayev is invencible and unstoppable to say the least.

If Kuvayev were shot, stabbed, poisoned, hanged, beheaded, drowned, tarred and feathered, crushed by a 75 tons concrete block or accidentally hit by a lorry, my current spamload would probably drop by appr. 50-80% (depending on the mail account). But then again my spamload is hardly representative for other people's.

Quote:

and I still figure his spam will progressively get worse knowing the "postcard" trojan is currently going around.

As written in the other thread, there's no known connection between Kuvayev and Zhelatin. Warezov, however, seems to be connected with him:
http://www.google.com/search?q=warezov+kuvayev

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.

suzi
Site Admin

Joined: 27 Jul 2003
Last Visit: 21 May 2013
Posts: 10271
Location: sunny California

Posted: Mon Aug 20, 2007 11:58 am Post subject:

Wow, there's some really interesting info in the Google search results there. Now I know who is behind about 70% of my spam. _________________ Former Microsoft MVP 2005-2009, Consumer Security Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

suzi
Site Admin

Joined: 27 Jul 2003
Last Visit: 21 May 2013
Posts: 10271
Location: sunny California

Posted: Mon Aug 20, 2007 6:17 pm Post subject:

Here's one I got today. Olliver, I'd be interested in your analysis of this if you don't mind.

Code:

Received: from unknown (HELO 145088744) (220.225.234.179)
by <redacted> with ESMTP; 20 Aug 2007 10:35:51 -0000
X-Originating-IP: 220.225.234.179
Received-SPF: error (<redacted>: error in processing during lookup of globalsportsmktg.com: DNS problem)
identity=mailfrom; client-ip=220.225.234.179;
envelope-from=<reunited.r@globalsportsmktg.com>;
Received: from globalsportsmktg.com (146983848 [145562728])
by goldonesty.com (Qmailv1) with ESMTP id C4B023406D
for <redacted>; Mon, 20 Aug 2007 10:35:52 +0000
Date: Mon, 20 Aug 2007 10:35:52 +0000
From: "Tunis C. Humanitarian" <reunited.r@globalsportsmktg.com>
X-Mailer: The Bat! (v2.00.2) Personal
X-Priority: 3
Message-ID: <3478673623.20070820103552@globalsportsmktg.com>
To: Suzi <redacted>
Subject: The Pharmacy America Trusts
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------3DA71C539995CDF"
X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.15.0.0; VDF: 6.15.0.6

This is a multi-part message in MIME format.

------------3DA71C539995CDF
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Onlinemeds Store Founded in 1989, Onlinemeds is not only the nation's largest retail pharmacy chain, it is considered the leader in innovative drugstore retailing. Onlinemeds pioneered many modern store and pharmacy features, some of which have become standards in the industry.

We provide the most convenient access to healthcare services and consumer goods in America.

Some price-list examples:
<redacted>

Visit our site and use only high quality drugs with Onlinemeds!

------------3DA71C539995CDF
Content-Type: text/html
Content-Transfer-Encoding: 7bit

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
Onlinemeds Store Founded in 1989, Onlinemeds is not only the nation's largest retail pharmacy chain, it is considered the leader in innovative drugstore retailing. Onlinemeds pioneered many modern store and pharmacy features, some of which have become standards in the industry.
We provide the most convenient access to healthcare services and consumer goods in America.
Some examples from the price-list:<a href="http://sethnw.cn/?IJEMEOQkdJXXVCQkpDVENXRFVHQ1tcRhtSXV4="> </a>
 

Cialis Soft Tabs - $5.78 
spam Professional - $4.07 
spam Soft Tabs - $4.1 
Cialis - $5.67 
Valium - $2.89 
Generic spam - $3 
spam - $2.85 
spam - $1.38 
Human Growth Hormone - $43.37 
Meridia - $3.32 
spam - $2.17 
Levitra - $11.97
<a href="http://sethnw.cn/?EILJSMQkdJXXVCQkpDVENXRFVHQ1tcRhtSXV4=">Visit our site and use only high quality drugs with Onlinemeds!</a>
 
 
<img src="http://sethnw.cn/EKFEUFQkdJXXVCQkpDVENXRFVHQ1tcRhtSXV4=/1.gif" border="0" width="1" height="1">
</body>
</html>

------------3DA71C539995CDF--

_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile

olliver
Expert Developer

Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Tue Aug 21, 2007 3:54 am Post subject:

suzi wrote:

Here's one I got today. Olliver, I'd be interested in your analysis of this if you don't mind.

Ok, here we go again Wink

Quote:

As usual I marked the sender in bold, 220.225.234.179 is already widely blocklisted and marked as vulnerable/exploitable server by SORBS. Whois shows it is located in India

Quote:

inetnum: 220.224.0.0 - 220.227.255.255
netname: RelianceInfocomm
descr: Reliance Infocom Ltd
country: IN
admin-c: BN96-AP
tech-c: SC1210-AP
tech-c: CL1307-AP
status: ALLOCATED PORTABLE
notify: Antiabuse.support at relianceada.com
notify: ISM.Helpdesk at relianceada.com
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-SN
changed: hm-changed at apnic.net 20040301
changed: hm-changed at apnic.net 20060208
changed: hm-changed at apnic.net 20060404
changed: hm-changed at apnic.net 20070724
source: APNIC

I tried fetching an SMTP banner but the machine is refusing connections to port 25.

The domain sethnw.cn is botnet hosted:

Quote:

$ host sethnw.cn
sethnw.cn has address 124.244.196.54
sethnw.cn has address 24.152.128.81
sethnw.cn has address 58.177.32.43
sethnw.cn has address 61.93.111.120
sethnw.cn has address 61.244.119.112
sethnw.cn has address 67.168.29.116
sethnw.cn has address 68.46.89.97
sethnw.cn has address 71.228.166.144
sethnw.cn has address 74.100.205.40
sethnw.cn has address 124.244.73.161

And its name servers use the naming convention of Leo Kuvayev:

Quote:

$ host -t ns sethnw.cn
sethnw.cn name server ns0.puntunhdefunterun.com.
sethnw.cn name server ns0.priokoliondedsa.com.
sethnw.cn name server ns0.pumationdesun.com.
sethnw.cn name server ns0.ptrinmasedinca.com.

sethnw.cn isn't the final destination, however: It redirects to aztxobzipyijon.com which displays a well known shop with a familiar looking model posing as doctor Wink

: Yep, it's once again Leo's Your Online Pharmacy brand.

Name servers currently resolve the following domains also:
20pills.com
puntunhdefunterun.com
rxnic.com
aztxobzipyijon.com
rxshopworld.com
eedrug.com
guihgzybira.com

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.

suzi
Site Admin

Joined: 27 Jul 2003
Last Visit: 21 May 2013
Posts: 10271
Location: sunny California

Posted: Tue Aug 21, 2007 8:21 am Post subject:

Quote:

Yep, it's once again Leo's Your Online Pharmacy brand.

That's what I suspected. Thanks for the rundown.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile

Display posts from previous:

	Spyware Warrior Forum Index -> Spam	All times are GMT - 8 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum