What Happened to Blue Security

shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."

Coral Cache

[Rob T Firefly]

They deserve a break. [nyud.net]

For the lazy :)

[Spy der Mann]

Powered by Copy-Paste (TM).

Timeline (all times in GMT)
[May 2nd 13:42 GMT]
PharmaMaster Works to Block Traffic to Blue's Corporate Web Site

One of the world's largest spammer's, 'PharmaMaster', sends Blue Security an ICQ message stating that he will block traffic to Blue's corporate website, www.bluesecurity.com

* ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
* "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)"

[May 2nd 14:47 GMT]
BlueSecurity.com Can't be Accessed Outside of Israel

Blue Security receives another ICQ message from PharmaMaster stating that Blue's corporate Web site cannot be accessed from outside of Israel.

* ICQ Message: "bluesecurity.com cant be open from outside of israel oh i feel sorry for the company really :)"

[May 2nd 15:30 GMT]
Blue Security's Dedicated Servers - NOT Corporate Website - Under Attack

Blue Security's operational servers - NOT www.bluesecurity.com - suffers from DDoS attacks.
[ May 2nd 16:30 GMT]
Corporate Website Receives 2 Hits/Min

Blue employees notice that there is no load on the corporate website, www.bluesecurity.com (2 hits per minute) and that most visitors originate from Israel.
[May 2nd 17:07 GMT]
PharmaMaster Sends Message: Website Can't be Accessed Around World

Blue receives another ICQ message from PharmaMaster stating the company's corporate Web site can not be accessed around the world.
[May 2nd 20:17 GMT]
Blue Performs Technical Analysis: Confirms Website Cannot be Accessed Abroad

Blue's technical analysis team determines that its corporate website can still be accessed from Israel, but cannot be accessed abroad.
[May 2nd 21:17 GMT]
Blue Reports More Symptoms: "Blackhole filtering" Confirmed

Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level). Still, there is no sign that there was a DDoS attack on Blue's website.
[May 2nd 22:45 GMT]
Blue Security Decides to Update Blue Community

Blue Security decides to update the Blue community about the situation by reverting to Blue's pre-launch "Blue Zone" Blog, hosted on Typepad.
[May 2nd 23:20 GMT]
BlueSecurity.com Redirected to TypePad

www.bluesecurity.com is redirected to Blue Security's blog. Many community members can receive real time information about the attack.
[May 2nd 23:27 GMT]
First Comment Posted on the Blue Blog

Blog site at TypePad functional. The first comment is posted on the Blue blog by a user.
[May 2nd 23:57 GMT]
Last comment Posted on the Blue Blog Before DDoS Begins

TypePad blog site still functional. The last comment is posted thirty minutes later on the Blue blog just before the new DDoS attack occurs. (If there had been an initial DDoS attack on Blue's corporate site, the blog site would have been hit)
[May 3rd 00:00 GMT]
PharmaMaster Starts Attacking Typepad

A fierce and ruthless DDoS on Typepad begins. Blue is not aware of the DDoS due to the late hour in Israel (2 AM local time). Typepad continues to carry Blue Security's blog and help Blue keep our community aware of the situation.
[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows

PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
[May 3rd 23:23 GMT]
PharmaMaster Boasts Success

Almost 24 hours later, PharmaMaster boasts success in another ICQ message

* ICQ Message: "pharma master: you know i feel sorry for you a

DNS Vulnerabilities

[Billosaur]

[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows

PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.

And it was't all that long ago that DNS vulnerabilities [slashdot.org] were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

Re:Yup, this sucks.

[ZachPruckowski]

Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.

Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).

Re:I want names and addresses!

[ZachPruckowski]

The forum that organized (or at least helped in) the attack is located here [specialham.com], but I think it's still down. It was nailed by a deliberate vigilante DDoS from about a hundred or so Digg members yesterday/last night. They hacked a university to host it after the first host got nailed. Not sure what happened after that.

link to information week's article

[DisplacedJoshua]

shameless from digg, but an easy redirect for /.ers without having to read digg's stuff: information week's take on it makes it seem less, well, amazing on the part of the spammers. http://www.informationweek.com/story/showArticle.j html?articleID=187200875 [informationweek.com]

Re:What is?

[Anonymous Coward]

My thoughts exactly.

A Google search showed this slide: http://www.soi.wide.ad.jp/class/20040013/slides/11 /23.html [wide.ad.jp]

Based on that slide, I think that Israeli BGP routers were hacked, adding a null route for the BleuSecurity IPs.

I could be wrong (in fact, I'd bet I am).

Re:For the lazy :)

[Anonymous Coward]

FFS, RTFA. They clearly say that they were blackholed (*NOT* under a DDoS attack) when they redirected their DNS record to point to their blog. It was only after 'PharmaMaster' realized that the record had changed that the DDoS was launched.

PharmaMaster went forth with the DDoS with the full knowledge that he was going to hit Six Apart's servers. That was the entire point -- he wanted BlueSecurity off the net entirely and was willing to step on anyone to get it done.

This was not malicious on BlueSecurity's part.

Re:Client List NOT Compromised!!!

[meringuoid]

What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When theis program was run on the spammer's email list Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed.

This is what annoys me. What are they thinking? They're helping spammers listwash. The fact that a spammer can simply use a diff of his lists before vs. after to find out who's using the service is trivial; the larger point is that even after the list has been purged of BlueSecurity users, the spammer is still spamming. It's addressing only a symptom, not the cause.

They should say to the spammers 'if you continue to spam the addresses of our subscribers, we will continue to jam your unsubscribe addresses and drop boxes with garbage messages, one per spam email received. No, we're not telling you which addresses these are. Stop sending all mail to all addresses for which you do not have a confirmed opt-in, and you will have no further trouble from us.'

That way they're not helping the spammers continue to spam, and I'd feel a lot better about them.

Blackmail tactics

[taupter]

Those spammers will threat e-mails if you unsubscribe or not, so don't unsubscribe. They're doing this because it's hurting it in their pocket. Big deal. I don't give a damn if a spammer can't buy a new humvee limo, and I don't have to support those scumbags. So if they want to fill my mailbox with with their trash, so be it. I will not bend over to them. I will not unsubscribe. I will not let those fscking bastards tell me what I should do.

Re:Pharma Master

[ZachPruckowski]

PharmaMaster is an IM and forum handle. He's a major spammer, and probably responsible for at least some of that junk in my google mailbox's junk folder right now. He is apparently working with a cartel of spammers to try to crush anti-spam attempts. Interesting reading about their planning on the specialham.com spammer's forum was mirrored online somewhere yesterday, but got taken down for some reason.

Maybe UUNET, maybe not

[JohnQPublic]

An InfoWorld article [infoworld.com] from May 4th quoted Blue Security CEO Eran Reshef as saying:

Among other things, Reshef said that pharmamaster claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company's servers.

Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:

1. The spammer lied and it wasn't UUNET.
2. UUNET threatened Blue Security and they caved.
3. Blue Security doesn't want to be threatened.

Re:Nothing

[operagost]

I don't think windows has a similar function readily available.

NUL

Re:"operational system"

[Da_Weasel]

During the DDoS and Blackhole filtering it was only operational in Isreal. The rest of the world was cut off. There were also threatening emails sent to registered users. According to Blue Security their database was not comprimised and the spammer was actually using his own email list to send these email out. Since then I have been receiving 2-3 messages a day from the spammer which contains nothing but the DNS WHOIS record for bluesecurity.com. Here is a copy of the first message I recieved:

"Hey,You are recieving this email because you are a member of BlueSecurity (http://www.bluesecurity.com).

You signed up because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally.

How do you make it stop?

Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you arent there.. you wont get this again.

We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result.

By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop recieving this.

Why are we doing this?

Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails, but do not believe for one second that we will stop this tirade of emails if you choose to stay with BlueSecurity. Just remember one thing when you read this, we didnt do this to you, BlueSecurity did.

If BlueSecurity decides to play fair, we will do the same.

We are quite sure you will think this will not continue, that we will not continue wasting our resources doing this, feel free to wait out the first 48, or the second, and see whether these stop, you will be quite suprised.

If you have another email under the protection of bluesecurity, and have not recieved this there, do not worry, you will soon enough.

We mightve had your email addresses before in our lists, but now, we are targetting YOU, because YOU are a bluesecurity user.

You might also notice, that the BlueSecurity site(http://www.bluesecurity.com) is down..

Just remove yourself from BlueSecurity, and make it easier on you.

Marta Tanner"

Re:Nothing

[Anonymous Coward]

I don't think windows has a similar function readily available.

Try "nul:", as in "rmdir banana >nul:"

Re:Maybe UUNET, maybe not

[gbjbaanb]

Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:

4. They're going to be named in a lawsuit, and they don't want to prejudice it with media attention, or counter-suits of defamation.
5. They've contacted the ISP to resolve their issues and don't want to annoy them by publicising who they were.

Re:This isn't just between PharmaMaster & Blue

[Kadin2048]

That thread is great ... I wonder about the Oslo university thing (that's where they've now moved their server to). If anyone here speaks Norwegian and wanted to write them a letter, contact info is on the Digg page. I'm surprised it hasn't gotten taken down already, but maybe the sysop there doesn't read English (I assume all the Digg'ers have been writing in English...).

They also read through the forums and found some of the actual spammers' websites:
http://www.northworks.biz/ [northworks.biz] This one is one of the shadiest, they're selling email harvesters.

In case anyone wants to take matters into their own hands, as one of the Digg people pointed out, there's always:
while :; do curl -o /dev/null http://www.northworks.biz/install_mc_shareware.exe [northworks.biz]; done

His bandwidth bill is going to suck this month...

Re:This isn't just between PharmaMaster & Blue

[user24]

for windows users via a proxy:

@echo off
set http_proxy=http://yourproxyhereifapplicable
rem remove the above if you don't have a proxy server :start
wget http://www.northworks.biz/install_mc_shareware.exe [northworks.biz] --proxy-user
=username --proxy-pass=password
goto start

without a proxy:

@echo off :start
wget http://www.northworks.biz/install_mc_shareware.exe [northworks.biz]
goto start

(save as s batch file in the same dir as wget)

download wget from www.gnu.org/software/wget/

have fun :-)

Why null routing is critical

[macdaddy]

There are dozens of uses for null routing on ISP networks. For example you can use simple static routes to match all private (RFC1918), reserved for special purposes (RFC3330), and unassigned (Google for "BOGON") netblocks and route them to Null0 (a logical interface that basically drops the packets, much like the data bursts are dropped when sent to /dev/null. This is basic ingress/egress filtering that should be deployed on all border routers. You don't want to accept packets destined for your network that claim to be from a RFC1918 address because they are almost certainly spoofed (or another upstream ISP has an idiot for a netadm and your common carrier also employs idiots for not doing ingress filtering on customer access circuits). This is actually less CPU intensive than an access-list. Most mid to upper-end routers today can offload routing decisions to ASICs, whereas access-list decisions still bounce off of the CPU in many cases. You lose much of your logging capabilities with this method however.

A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when you network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (ie, a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the routes changes propgate up to a critical piece of hardware (the border router(s)) is very useful.

Another reason to use them is to prevent routing loops. Lets say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A /24 has been allocated for this AS. Your AS advertises that /24 with OSPF back into the core of your ISP network. However the AS's routing table doesn't contain a route for all 253 of the useable IPs in that /24. Instead individual routes are added as individual users dial in. Lets say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.

Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.

There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.

Re:publicity!

[Da_Weasel]

Well it certainly hasn't doubled but it did get roughly a 20% increase. They were just a tad over 400K when they got everything back online. Their site currently shows 471,266 as the number of registered users.

Surviving mirror? (LONG)

[Anonymous Coward]

Posted A/C (despite deserving karma for hauling this crap past the lameness filter), because I cannot verify that this is the content from the specialham.com forums; the original forum posting thread (indicated via digg) has been removed and disavowed by the forum maintainer. However, Googling for a couple phrases that were quoted on Digg turned this up:

///BEGIN MIRROR

>killthem

As many of you here running here websites and being attacked from this fuckers.

Do no clean your lists because they will ask you clean your lists every fucking week they by day they have more and more users signed in.
we have the database of the users that are signed in blue system and were going to fight them.
all sponsors contact me to get the data base and ask your mailers to over spam that database and take down this lamers

waiting for your posts
======== Date 4/30/2006 4:52:25 AM
>LCS

(in reply to killthem)

those fuckers must die and they will.
======== Date 4/30/2006 4:53:57 AM
>killthem

(in reply to killthem)

Right ill post database most mailers can use the emails as from most can clean and give us more lists.
======== Date 4/30/2006 5:39:11 AM
>LCS

(in reply to killthem)

anyone actually using those emails as froms now? we need to stick together in this fight against bluesecurity and their unfair tactics.
======== Date 4/30/2006 6:51:53 AM
>killthem

(in reply to killthem)

The war will start tomorrow but as i know already some people started mailing the database.

Contact me for database i already have it
======== Date 4/30/2006 9:50:15 AM
>starriol

(in reply to killthem)

Which are their unfair tactics? What are they going to start tomorrow?
======== Date 4/30/2006 2:49:49 PM
>Shinjiro

(in reply to killthem)

Their unfair tactics = DDoSing sponsors
The war supposively starting tomorrow[which I dont see helping any] = spamming them even harder

-Shinjiro
======== Date 4/30/2006 5:48:17 PM
>dollar

(in reply to killthem)

Word through the underground is pretty solid right now. Bluesecurity is going to be hit with forces they will not be able to handle. We will see.

Slap an anti a day to keep spamhaus away

Great Affiliate Programs
Custom Bulk Applications
BP Mailing/Hosting/Direct Servers
Contact Me

======== Date 4/30/2006 5:52:10 PM
>Shinjiro

(in reply to killthem)

LOL. This is from the Blue Security website.

quote:

Email marketers and spammers alike have a strong incentive to remove the addresses listed in the Do Not Intrude Registry from their mailing lists and stop sending unsolicited bulk mail to Blue Security customers.

Strong incentive to remove the addresses listed in the DNI Registry huh?
Well see what happens tommorow. This should be very interesting when their clients pay to be on this registry but get bombarded with mail anyway.

_____________________________

-Shinjiro
======== Date 4/30/2006 6:28:57 PM
killthem

(in reply to killthem)

Ok who can mail this databases and make it to be from emails ?
======== Date 4/30/2006 6:49:31 PM
>LCS

(in reply to killthem)

quote:

Ok who can mail this databases and make it to be from emails ?

pm me the link to the database. ill pass it on to the mailers.
======== Date 4/30/2006 6:59:35 PM

>LCS

(in reply to killthem)

take a look at this guys:
Be sure spammers dont use our domains for spoofed From headers too!
AlanJayWeiner - 11:10am Mar 15, 2006 EST

Those of us with our own domains receive lots of false bounce messages - spammers spoof the From header, and other servers bounce a no such address back to us.

These seem to have exploded lately - I was getting 1700-1800/day a couple of months ago, now Im seeing around 4

Re:"operational system"

[starman97]

Only for some type of spam, message placement will still go out.
Stuff like Political ads and prosletyzing where no response is needed
will still go out. But anyone trying to sell some questionable product
from a website or email drop is not going to want to get hammered with the
return of a big percentage of the spam emails.
Phishing and other forms of identity theft are also going to be a lot harder.

If you go to the Bluesecurity site, you'll see they have multiple classes
of spam and responses to each class. Some stuff gets bounced to the FDA, some
to the BSA, even some to MPAA. Childporn looks like it goes to Interpol.

I have no illusions that it will get rid of ALL spam, but it will put the hurt on some spammers and that's 100% better than just trying to filter or ignore the incoming spam.

Re:Slashdot army unite!

[spyrochaete]

The client is only for convenience and is optional. You can sign up for an account and forward your spam (as body or attachment) to username@reports.bluesecurity.com.