[ISN] Zombie Pfizer Computers Spew Viagra Spam

From: InfoSec News (alerts@private)
Date: Fri Sep 07 2007 - 01:23:59 PDT


http://www.wired.com/politics/security/news/2007/09/pfizerspam

By Ryan Singel   
Wired.com
09.06.07

Computers inside pharmaceutical giant Pfizer's network are spamming the 
internet with e-mails touting the company's flagship 
erectile-enhancement drug Viagra, along with ads for knockoff Rolexes 
and shady junk stocks.

But the e-mails are not part of Pfizer's official marketing efforts.

Pfizer's computers appear to have been infected with malware that has 
transformed them into zombie computers sending spam at the behest of a 
hacker. Oddly enough, they are spamming the public's inboxes with ads 
for the company's own product.

"There is a disaster inside this company, and they don't know it," says 
Rick Wesson, CEO of Support Intelligence -- a small San Francisco-based 
security company that alerted Wired News to the problem. 

Wesson says Pfizer computers have been spamming inboxes for the last six 
months and that he's kept 600 spam messages sent from company computers. 
He says 138 different Pfizer IP addresses have been blacklisted by 
various groups, but adds that he can't estimate the number of infected 
machines without more information or installing monitoring equipment on 
the edge of Pfizer's networks.

To illustrate what might be going on, Wesson says that when his company 
found a similar situation at an international shipping company that 
employs about 150,000 people, that company's subsequent audit found 
2,500 infected computers. Support Intelligence claims to have found 
similar spam bots at Bank of America and Toshiba.

However, Pfizer appears to be unaware of the situation, despite several 
warnings from Support Intelligence.

"If they (were aware), they would have taken care of the problem," 
Wesson says.

Much of the spam originating from Pfizer's machines pretends to be sent 
from Gmail accounts, says Wesson. Products hawked include 
penis-enlargement products with the names "Mandik" and "Manster," as 
well as pharmaceuticals like Viagra, the sleep drug Ambien and the 
sedative Valium. The spam also includes ads for Cialis, a Viagra 
competitor made by Eli Lilly.

On Tuesday morning between 7 a.m. and 10 a.m., Pfizer's network sent at 
least 20 messages about sex and penises, according to Wesson.

The number of infected machines is impossible to determine, because much 
of the traffic comes from behind a firewall that obscures the machines' 
internal IP addresses.

Support Intelligence tracks spam by monitoring inboxes at 250,000 
website domains that it owns -- opening those to allow any and all 
e-mail and tracking what they get. It also monitors communications to 
and from command-and-control centers, the computers hackers use to give 
instructions to a network of zombie computers known as a botnet.
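The article contrasts two views: an outside observer such as a spam-trap operator sees only the public address that delivered a message, while the network owner's firewall logs hold the NAT translations that reveal the internal host. The defender can join the two. This is an added example (not code from the article or from Support Intelligence) using constructed trap-hit and NAT log lines with hypothetical addresses; it maps each trap hit back to the internal hosts that opened outbound SMTP through the same public IP just beforehand, and separately flags any non-relay host talking directly to port 25, which workstations should never do.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed spam-trap hits (outside view): receipt time and the public IP
# that delivered the message. All addresses are hypothetical.
TRAP_HITS = """\
2007-09-04T07:12:41 203.0.113.10 from=<someone@gmail.com> subj="Cheap Viagra"
2007-09-04T07:15:03 203.0.113.10 from=<other@gmail.com> subj="Rolex replica"
2007-09-04T09:40:19 203.0.113.11 from=<x@gmail.com> subj="Hot stock tip"
"""
# Constructed egress NAT log (inside view): internal source, translated
# public address and destination port. Only the network owner has this.
NAT_LOG = """\
2007-09-04T07:12:40 nat src=10.4.7.23:51234 xlate=203.0.113.10 dst=198.51.100.5:25
2007-09-04T07:14:59 nat src=10.4.7.23:51240 xlate=203.0.113.10 dst=198.51.100.9:25
2007-09-04T07:30:00 nat src=10.4.9.8:44010 xlate=203.0.113.10 dst=198.51.100.20:443
2007-09-04T09:40:18 nat src=10.4.12.77:60001 xlate=203.0.113.11 dst=198.51.100.5:25
2007-09-04T09:41:00 nat src=10.4.1.2:40001 xlate=203.0.113.11 dst=198.51.100.7:25
"""
MAIL_RELAYS = {"10.4.1.2"}  # sanctioned outbound mail servers (assumed)
TS = "%Y-%m-%dT%H:%M:%S"
TRAP_RE = re.compile(r"^(\S+) ([\d.]+) ")
NAT_RE = re.compile(r"^(\S+) nat src=([\d.]+):\d+ xlate=([\d.]+) dst=[\d.]+:(\d+)$")

def parse_trap_hits(text):
    return [(datetime.strptime(m.group(1), TS), m.group(2))
            for m in map(TRAP_RE.match, text.splitlines()) if m]

def parse_nat_log(text):
    return [(datetime.strptime(m.group(1), TS), m.group(2), m.group(3), int(m.group(4)))
            for m in map(NAT_RE.match, text.splitlines()) if m]

def correlate(trap_hits, nat_rows, relays, window=timedelta(seconds=120)):
    """Map each trap hit back to internal hosts that opened an outbound
    SMTP (port 25) session through the same public IP just before it."""
    suspects = Counter()
    for hit_ts, public_ip in trap_hits:
        for ts, src, xlate, port in nat_rows:
            if xlate == public_ip and port == 25 and src not in relays \
                    and hit_ts - window <= ts <= hit_ts:
                suspects[src] += 1
    return suspects

def direct_smtp_senders(nat_rows, relays):
    """Any non-relay host talking to port 25 outside is suspect even with
    no trap hit: workstations should hand mail to the relay instead."""
    return {src for _, src, _, port in nat_rows if port == 25 and src not in relays}
```

The correlation window is a guess at typical delivery delay; widen it if the trap's clock and the firewall's clock are not synchronised.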

Paul Ferguson works to fight botnets as a network architect for security 
giant Trend Micro. He says Support Intelligence does "great work" and 
acts responsibly in disclosing security problems.

"They harvest valuable intelligence and share it with the security 
community," Ferguson says. "They also do 'due diligence' showing that 
even large corporations are subject to security problems, and only do so 
when they exhaust other attempts at communicating to them that they have 
a problem."

Support Intelligence says they've seen connections between botnet 
controllers and computers inside Pfizer's network.

"Pfizer sticks out like a glaring downed jet in a haystack," Wesson 
says. "They constantly send us the most egregious spam. When there is 
this much smoke, there is a hell of a fire going on."

Pfizer did not respond to requests for comments.

The flood of spam adds to Pfizer's recent computer security woes. This 
summer, the company revealed that it had suffered three breaches of 
sensitive data, cumulatively affecting more than 50,000 individuals.

In one breach, a Pfizer employee exposed personal information on 17,000 
employees after installing peer-to-peer software on a laptop. In another 
breach, confirmed Tuesday, a former employee downloaded sensitive data, 
including social security numbers and credit-card information for about 
34,000 Pfizer employees.

Wesson says Support Intelligence has warned Pfizer numerous times that 
its computers were infected.

In March, Support Intelligence chief operating officer Adam Waters 
penned a report about Pfizer's infection, telling the company "an 
alarming amount of bot spam has been observed exiting the Pfizer network 
indicating multiple system infections." The report included detailed 
information about which machines were sending the rogue e-mails.

Though the report was sent to the company at the end of March, none of 
the identified problems has been fixed, according to Waters and Wesson.

Support Intelligence has also informed Pfizer of the problem during 
sales calls, where the security company unsuccessfully tried to sell the 
company a network-cleansing-and-monitoring service.

There's no consensus estimate of the number of zombie botnet machines on 
the internet, but computer-security experts agree that millions of PCs 
are likely to be infected. Hackers use the computers for numerous 
nefarious purposes, from sending spam to extorting money from businesses 
through denial-of-service attacks.

The malicious power of botnets was displayed in April when Russian 
attackers launched sustained denial-of-service attacks against thousands 
of government and commercial websites in the small European republic of 
Estonia, to retaliate for Estonia's relocation of a World War II 
memorial statue of a Soviet soldier.

Hackers build botnets by infesting computers through booby-trapped web 
pages and spam infested with attachments or worms that travel from 
computer to computer. Most computer users have no idea they are 
infected, because the remotely controlled malware often uses a small 
fraction of the infected machine's computing power and has no effect on 
day-to-day computer usage. To fight this, savvy users often share tips 
and tricks for protecting personal computers.


This archive was generated by hypermail 2.1.3 : Fri Sep 07 2007 - 03:26:33 PDT