Adware, malware, spyware, hijacker discussion and information

All times are UTC - 7 hours

Post subject: RBN Updates: [Site Block Lists-Apr 9]
PostPosted: Sat Oct 13, 2007 9:07 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Tom wrote:
Note: This thread is now a sticky containing all news related to the RBN.
By Brian Krebs
Saturday, October 13, 2007

An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. They say Russian authorities have provided little help in efforts to shut down the company.

The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say

Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of "phishing" -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites.

One group of phishers, known as the Rock Group, used the company's network to steal about $150 million from bank accounts last year, according to a report by VeriSign of Mountain View, Calif., one of the world's largest Internet security firms.

In another recent report, the Cupertino, Calif.-based security firm Symantec said that the Russian Business Network is responsible for hosting Web sites that carry out a major portion of the world's cybercrime and profiteering.

Washington Post Online

Last edited by TeMerc on Wed Jan 23, 2008 9:32 am, edited 20 times in total.

PostPosted: Mon Oct 15, 2007 10:39 am
Moderators
Joined: Wed Feb 02, 2005 9:47 am
Posts: 2570
Location: South Central Montana USA
We have known this for how many months/years? It's no wonder cybercrime thrives.

PostPosted: Tue Oct 16, 2007 3:44 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
The RBN scumbags have replied, indicating that the whole world is nuts and they're the only sane ones.
Quote:
"We can't understand on which basis these organizations have such an opinion about our company," Jaret of the Russian Business Network told Wired in an e-mail interview. "We can say that this is subjective opinion based on these organizations' guesswork."

Jaret from RBN told Wired that the organization in fact "doesn't have any more criminal activity on its network than any other provider, and it responds to abuse reports submitted via e-mail and a telephone hotline. He claims the organization closes criminals' sites down within 24 hours of notification."

Perhaps the most telling statement from RBN thus far comes at the end of the Wired article, in which Wired News asked RBN to provide the URLs for some legitimate customers. "Jaret says he couldn't oblige -- for legal reasons."
Security Fix Blog

Wired

PostPosted: Tue Oct 16, 2007 4:19 pm
Moderators
Joined: Wed Feb 02, 2005 9:47 am
Posts: 2570
Location: South Central Montana USA
Bullshit, I say!! It might not have any more than the other well known criminal networks, like EST and InHoster. But it sure has more than the majority of networks known for not engaging in criminal activity.

PostPosted: Sat Oct 20, 2007 3:04 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Not specific to RBN, but to Russia.

What’s Russian for ‘Hacker’?
By CLIFFORD J. LEVY
Published: October 21, 2007
Quote:
PERHAPS the most famous con artist of the Soviet era was a fast-talking, eye-winking, nimble-fingered, double-dealing journeyman named Ostap Bender. He was fictional, the antihero of a satirical novel about a quest for lost jewels called “The 12 Chairs,” but his casual disdain for the law reflected a widely held cynicism here.

“This misdeed, though it does come under the penal code, is as innocent as a children’s game,” Bender says of a scheme to use a purloined document to steal another man’s identity.

Were Bender to ply his trade these days, he would undoubtedly be sitting in front of a computer, spewing out e-mails that slyly ask for credit card information or hawk sexual aids and other flimflam. Russia has become a leading source of Internet ills, home to legions of high-tech rogues who operate with seeming impunity from the anonymous living rooms of Novosibirsk or the shadowy cybercafes of St. Petersburg.

The hackers go by names like ZOMBiE and the Hell Knights Crew, and they inhabit such a robust netherworld that Internet-security firms in places like Silicon Valley have had to acquire an expertise in Russian hacking culture half a world away. The security firms have not received much assistance from the Russian government, which seems to show little interest in a crackdown, as if officials privately take some pleasure in knowing that their compatriots are tormenting millions of people in the West.

In fact, Russian hackers became something akin to national heroes last spring when a wave of Internet attacks was launched from Russia against Web sites in Estonia, the former Soviet republic. The incidents began after the Estonians angered the Kremlin by moving a Soviet-era war monument.
NYTimes Online

PostPosted: Sun Oct 21, 2007 7:46 am
Site Admin
Joined: Sun May 15, 2005 12:42 pm
Posts: 3472
Location: Newcastle, UK
http://taosecurity.blogspot.com/2007/10 ... twork.html

_________________
Regards

Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!

PostPosted: Sun Oct 21, 2007 11:22 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Steven, I ran across that blog last night and then this one below as well, nice detailed stuff. I increased my GN feed a couple links.

RBN Blog

PostPosted: Sun Oct 21, 2007 11:54 am
Site Admin
Joined: Sun May 15, 2005 12:42 pm
Posts: 3472
Location: Newcastle, UK
Nice one :)

PostPosted: Mon Oct 22, 2007 11:24 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN – The Top 20, fake anti-spyware and anti-malware Tools
Monday, October 22, 2007

Quote:
In a continuation of the discovery of the RBN’s “Retail Division”, one of the most important exploit delivery methods is the fake anti-spyware and anti-malware for PC hijacking and personal ID theft; this is a source of revenue for the RBN also from a direct sale.

RBN Exploit blog

PostPosted: Wed Oct 24, 2007 10:19 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Over 100 Malwares Hosted on a Single RBN IP

The never ending Russian Business Network's saga on whether or not they host malware on behalf of their customers enters an entirely new phase with the discovery of over 100 malwares hosted on a single IP - 81.95.149.51/ms where the directory listing indicates that the earliest binary was uploaded on 19-Sep-2006 and the most recent one on 28-May-2007.

If only the directory listing was denied we would only be speculating on such a development, and as it's obvious that it isn't, sooner or later they'll simply rename the directory as they apparently did in the past from 81.95.149.51/ms21 to 81.95.149.51/ms51 and to the current state.

Dancho Danchev blog

PostPosted: Thu Oct 25, 2007 8:10 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN - PDF email Exploit
Quote:
Thanks to the input from Honeyblog.Org providing detailed confirmation related to the earlier ZDNet article, concerning the latest exploit involving PDF files attached to email courtesy of the RBN.

The PDF file attached to an email contains an exploit for the recently disclosed vulnerability involving Adobe PDF and the Microsoft reported security advisory (here). The exploit which contains shellcode to download a binary from the RBN, the downloaded binary injects itself into several MS Windows processes and collects personal information from the infected PC and sends it to the RBN.
RBN Blog

PostPosted: Mon Oct 29, 2007 8:14 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN - More of the RBN's fake anti-spyware and anti-malware tools (2 of 3).
Quote:
As requested this article (2 of 3) continues from the Russian Business Network (RBN’s) Top 20 “fake” or “rogue software” series concerning the RBN’s Retail Division. The first article provided details of 20 such products focused on the delivery method and the need for dynamic CYBERINT (cyber intelligence) to encompass the multiplicity of other mirrored hosts and servers. This article provides further exposure of 21 to 40, but to extend the theme to a historical awareness of these ongoing and active threats. The third article will focus on the question, “Are these entire 40 fake products all RBN?” – The brief answer here is a quantifiable - yes!


RBN Exploit blog

PostPosted: Sat Nov 03, 2007 2:30 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Detecting and Blocking the Russian Business Network

Saturday, November 03, 2007

Quote:
Bleeding Edge Threats recently announced the release of some very handy RBN blocking/detecting rulesets :

"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown, Do what you will with this information."

Remember RBN's fake anti virus and anti spyware software? The list is getting bigger with another 20 additions again hosted on RBN IPs exposed by the RBNExploit blog.

Meanwhile you may also be interested in how an abuse request gets handled at the RBN? Deceptively of course. Each and every domain or IP that has been somehow reported malicious to them, not once but numerous times by different organizations, starts serving a fake account suspended message like the following malicious domains hosted at the RBN do:
Quote:
"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please contact the billing/support department as soon as possible"
Dancho Danchev Blog

PostPosted: Sun Nov 04, 2007 10:36 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN - Fake Tools, Rogue software, Bank of India, PDF, and more – the common thread (3 of 3)


Sunday, November 4, 2007

This blog primarily uses a quantitative organizational analysis as its core approach in the study of the Russian Business Network (RBN). To study a "soft" organization such as the RBN, look for: interaction with external entities, behavioral patterns, history of quantifiable actions, and common threads, with the aim to reduce the complexity the RBN hides behind. In the third in the series on the RBN “fake” or “rogue software”, to begin, figure 1 demonstrates this simplicity.
[Figure 1]
RBN Exploit Blog

Additional rogue anti-spyware applications:
  • 1stantivirus.com
  • Adwarebazooka.com
  • adwaredelete.com
  • Adwarepunisher.com
  • Anti-virus-pro.com
  • Hitvirus.com
  • Innovagest2000.com
  • pesttrap.com
  • razespyware.net
  • Remedyantispy.com
  • Spycontra.com
  • spycut.com
  • Spydeface.com
  • spydemolisher.com
  • Spyiblock.com
  • spywareno.com
  • Virushammer.com

PostPosted: Tue Nov 06, 2007 6:18 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
I See Alive IFRAMEs Everywhere

Tuesday, November 06, 2007

During the weekend, the entire Newsland.ru, which is among the most popular Russian news portals, was marked as "this site may harm your computer" by StopBadware.org due to an IFRAME embedded link pointing to where else if not to the RBN. Considering that each and every embedded malware attack during 2007 that I assessed in previous posts had something to do with the RBN in the form of a single RBN IP which was used in numerous malicious activities all at once, different sites get embedded with it, blackhat SEO postings at different forums etc., in this one the parties behind the attack dedicated a special IP with what looks like a clean IP reputation. A cached copy of the page will still load the live exploit url at 81.95.150.115/cgi-bin/in.cgi?p=user1 What really happened at Newsland.ru? Was it an end user who submitted a news story with the somehow embedded IFRAME to sort of conduct unethical competitive engagement by having Google mark the entire portal as harmful, or was it planned and executed on purpose?

Danchev Blog

PostPosted: Wed Nov 07, 2007 9:26 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN goes *Poof*?

November 7th, 2007 by Feike Hacquebord
Quote:
Yesterday, the infamous Russian Business Network (RBN) dropped out of the Internet at around 7 PM PST. Since then, IP addresses of RBN can no longer be reached because there is no routing for them any longer. It could be that the upstream providers who provided RBN with Internet connectivity may have terminated their services to their problematic customer temporarily or (hopefully) even permanently. Trend Micro will continue to closely monitor whether RBN remains down.

The Russian Business Network is notorious for hosting lots of malware and Web browser exploits. These threats have been injected into thousands of legitimate Web sites. Customers of RBN abuse the latest exploits for their nefarious purposes. The most recent example is a security issue in Adobe’s Acrobat Reader that was fixed only a few weeks ago.

That RBN, currently, has no Internet connectivity means that the Web is a somewhat safer place today. Unfortunately, this may not be for long. RBN may find new upstream providers. In recent weeks, moreover, Trend Micro has seen equivalents of RBN pop up in Turkey and Taiwan. These hosting providers seem to have the same kind of customer base as RBN. Thus, even if RBN drops off of the Internet permanently, its customers might find a new home soon. TrendLabs is also closely monitoring the activities in the mentioned new suspicious networks.
Trend Labs Blog

PostPosted: Wed Nov 07, 2007 9:35 am
Site Admin
Joined: Sun May 15, 2005 12:42 pm
Posts: 3472
Location: Newcastle, UK
Excellent news, but I can't see it lasting long ....

PostPosted: Wed Nov 07, 2007 9:50 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
MysteryFCM wrote:
Excellent news, but I can't see it lasting long ....
Agreed, they are more than likely just re-configuring things on their end. I'd be surprised if by day's end they are not back up.

PostPosted: Wed Nov 07, 2007 11:48 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Russian Business Network: Down, But Not Out

Quote:
A major Russian Internet service provider whose client list amounted to a laundry list of organized cyber crime operations appears to have closed shop. But security experts caution that there are signs that the highly profitable network may already be building a new home for itself elsewhere on the Web.

The Russian Business Network, an ISP and Web hosting provider long based in St. Petersburg, Russia, this week relinquished most of its allocated Internet addresses after a number of its main upstream Internet providers severed ties with the group.

While RBN may appear to have been vanquished, experts at anti-spam group Spamhaus say there are strong indications that a huge swath of Internet space recently established in China may soon emerge as the next incarnation of the Russian Business Network. If Spamhaus's assumptions are correct, RBN's new home would include several times more additional Web hosting capacity than its previous location in Russia.

Not everyone is willing as yet to attribute the Chinese address registrations to RBN. Matthew Richard, director of the rapid response team for iDefense, a security company owned by Verisign, said it's too soon to draw that connection definitively. But according to Richard, RBN's customers began preparations for moving to other providers shortly after The Post published my RBN story
Security Fix

PostPosted: Thu Nov 08, 2007 7:42 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
The Russian Business Network Has Closed Shop?

Thursday, November 8, 2007

Russian Business Network (RBN) watching requires healthy cynicism and two simple tricks i.e. (1) View their actions as you would an illusionist or as a stage magician, look for the misdirection, (2) Observe a historical perspective.

Prefixes withdrawn by this origin AS in the past 7 days = AS40989 (RBN)
  • 81.95.144.0/22 = Withdrawn
  • 81.95.148.0/22 = Withdrawn
  • 81.95.154.0/24 = Withdrawn
  • 81.95.155.0/24 = Withdrawn
However, as shown here and elsewhere the recent RBN based PDF exploit utilized 81.95.146.130 and 81.95.147.107, further many of the RBN “fake” anti-spyware and anti-malware websites use 81.95.145.186 as one of the many Internet “name servers”. Therefore one can only conclude:
  • 81.95.145.0/22 = Still active
  • 81.95.146.0/22 = Still active
  • 81.95.147.0/22 = Still active
There will be a detailed follow up article which will show a current example of the RBN and the "apparent" use of Chinese web space.
RBN Exploit Blog

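The prefix lists in the post above mix a BGP withdrawal list with three "Still active" /22 entries that do not sit on a /22 boundary (a /22 starts on a multiple of 4 in the third octet). An added example, not from the RBN Exploit blog or this thread, of how a defender would load such a list with Python's standard ipaddress module: host bits are masked off, every entry that had to be rewritten is recorded, and networks that end up carrying more than one status are reported. Run on the list as quoted, all three "Still active" entries collapse to 81.95.144.0/22, the very block the withdrawal list marks as withdrawn, which is the contradiction the post is pointing at. The block list text is constructed from the post, the addresses looked up are the ones quoted in this thread, and 81.95.152.1 is a constructed unlisted address.

```python
"""Load a CIDR block list and look up addresses against it (added example)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed block list in the "prefix = status" layout of the quoted post.
# The three "Still active" lines are copied exactly as the blog wrote them,
# so they are not valid /22 boundaries and the loader must decide what to do.
BLOCK_LIST = """\
81.95.144.0/22 = Withdrawn
81.95.148.0/22 = Withdrawn
81.95.154.0/24 = Withdrawn
81.95.155.0/24 = Withdrawn
81.95.145.0/22 = Still active
81.95.146.0/22 = Still active
81.95.147.0/22 = Still active
"""

# (canonical network, status, prefix text as written in the list)
Entry = Tuple[ipaddress.IPv4Network, str, str]


def parse_block_list(text: str) -> List[Entry]:
    """Parse 'prefix = status' lines into network objects.

    strict=False masks off host bits instead of raising, so a sloppy entry
    such as 81.95.145.0/22 becomes 81.95.144.0/22. The text as written is
    kept beside the canonical form so the rewrite is visible, not silent.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments
        if not line:
            continue
        prefix, _, status = line.partition("=")
        net = ipaddress.ip_network(prefix.strip(), strict=False)
        entries.append((net, status.strip() or "listed", prefix.strip()))
    return entries


def rewritten_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Entries whose prefix changed under host-bit masking: (as written, canonical)."""
    return [(written, str(net)) for net, _, written in entries if str(net) != written]


def conflicting_networks(entries: List[Entry]) -> List[str]:
    """Canonical networks that carry more than one status after normalisation."""
    statuses: Dict[str, Set[str]] = {}
    for net, status, _ in entries:
        statuses.setdefault(str(net), set()).add(status)
    return sorted(n for n, s in statuses.items() if len(s) > 1)


def lookup(ip: str, entries: List[Entry]) -> Set[Tuple[str, str]]:
    """Every (network, status) pair that covers ip; empty set if unlisted."""
    addr = ipaddress.ip_address(ip)
    return {(str(net), status) for net, status, _ in entries if addr in net}


def report(ips: List[str], entries: List[Entry]) -> Dict[str, Set[Tuple[str, str]]]:
    """Look up several addresses at once."""
    return {ip: lookup(ip, entries) for ip in ips}


if __name__ == "__main__":
    loaded = parse_block_list(BLOCK_LIST)
    print("rewritten entries:", rewritten_entries(loaded))
    print("networks with conflicting status:", conflicting_networks(loaded))
    # Addresses quoted in this thread (PDF exploit hosts, fake anti-spyware
    # name server, the 100-malware IP, the Newsland IFRAME IP) plus one
    # constructed address that no entry covers.
    sample = ["81.95.146.130", "81.95.147.107", "81.95.145.186",
              "81.95.149.51", "81.95.150.115", "81.95.152.1"]
    for ip, hits in report(sample, loaded).items():
        print(ip, sorted(hits) or "not listed")
```

Because lookup returns every covering entry rather than a single verdict, an analyst sees both the "Withdrawn" and the "Still active" label on 81.95.146.130 and can decide what to do with the block; a routing withdrawal of the covering prefix says nothing by itself about which addresses are still in use.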
 
PostPosted: Thu Nov 08, 2007 9:32 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN – Russian Business Network, Chinese Web Space and Misdirection
Quote:
There has been recent speculation concerning the Russian Business Network (RBN) and its increasing use of Chinese web space. By way of discussing this topic it is useful to quantitatively view this aspect via a practical example. We can kill 2 birds with one stone and do this via a requested update on “iFrame Cash”.

The iFrame Cash is an active RBN enterprise we call here part of the RBN “Retail Division”. Simply the RBN pays webmasters or small web hosts a commission for planting or injecting IFrame exploits on web sites, this is done via the web site iframedollars.com and others.

Iframedollars has recently changed its IP location as it has done regularly since 2004, joining the dots
RBN Exploit blog w\Screen Shots

PostPosted: Sat Nov 10, 2007 4:35 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Update: Russian hacker gang vanishes day after moving to China

Gregg Keizer

November 10, 2007 (Computerworld) -- The shadowy hacker and malware hosting network that only recently fled Russia to set up operations in China has now pulled the plug there and vanished yet again, researchers said late Friday.

The latest disappearing act of the Russian Business Network (RBN) has left researchers scratching their heads. "Where have they gone, that's the question," said an analyst with VeriSign's iDefense Labs, who wanted to remain anonymous, leery of retribution from the gang. "What's really interesting is how fast they shut everything down."

Rather than return in that format, RBN may even now be breaking up into smaller pieces farmed out to multiple countries' Internet infrastructures. "That may keep it under the radar, but it's also more expensive for them and it's riskier, too, because the more ISPs that it has to deal with, the better the chance that one of those ISPs says 'no' to hosting RBN content and shuts them off," said the analyst.

On the plus side (for their clients), by splitting up RBN can delay detection and make prosecution difficult. "It's a lot harder for law enforcement when there are six or seven countries involved," said the iDefense researcher. "But I think we'll be able to track them. We've done that kind of thing before when a group has been spread across two or more ISPs."

But as a monolithic, centrally-controlled organization -- ironically the model that dominated the now-defunct Soviet Union -- RBN is likely dead. "As we've known it, I think RBN is gone," said the researcher

Computerworld

PostPosted: Sat Nov 10, 2007 4:41 pm
Site Admin
Joined: Sun May 15, 2005 12:42 pm
Posts: 3472
Location: Newcastle, UK
This is hilarious;

Quote:
"Where have they gone, that's the question," said an analyst with VeriSign's iDefense Labs, who wanted to remain anonymous, leery of retribution from the gang


.... Great, employee wants to remain anonymous but doesn't care about the employer?

PostPosted: Sat Nov 10, 2007 4:45 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
MysteryFCM wrote:
This is hilarious;

Quote:
"Where have they gone, that's the question," said an analyst with VeriSign's iDefense Labs, who wanted to remain anonymous, leery of retribution from the gang


.... Great, employee wants to remain anonymous but doesn't care about the employer?
Guess a guy has to have priorities. rofl

PostPosted: Sat Nov 10, 2007 4:59 pm
Site Admin
Joined: Sun May 15, 2005 12:42 pm
Posts: 3472
Location: Newcastle, UK
:lol: :lol:

PostPosted: Mon Nov 12, 2007 9:44 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN Basing Ops From India?

Monday, November 12, 2007

Although most report the Russian Business Network (RBN) has disappeared, this RBN watch-blog still follows its active domains, its “retail division”. In a follow up to an earlier article on 76 Service, Gozi, hang Up Team and US Hosting, same business just different location and an added common thread.

As we can see although using a new domain it still displays the familiar RBN “76 Service” branding.

Common name servers i.e. orderbox-dns and optical jungle with corresponding IP ranges, both within AS30315 and AS31898. These two domain ranges are part of Resellerclub and Logic boxes, which in turn is owned by Directi.com.

This blog is not suggesting anything more (at this time) than Directi have joined the ranks of the RBN host / name server “stooges”. Hopefully Directi will respond to the related abuse communications promptly.

RBN Exploit Blog w\screen shots

PostPosted: Mon Nov 12, 2007 3:23 pm
MS-MVP
Joined: Sun Jan 30, 2005 5:32 am
Posts: 89
TeMerc wrote:
MysteryFCM wrote:
This is hilarious;

Quote:
"Where have they gone, that's the question," said an analyst with VeriSign's iDefense Labs, who wanted to remain anonymous, leery of retribution from the gang


.... Great, employee wants to remain anonymous but doesn't care about the employer?
Guess a guy has to have priorities. rofl


hahaha, that's the silliest thing I ever saw :lol: if anyone ever has some sort of semi decent impact on this group, it's likely not even going to make a greenfly sized hole in their finances - they're not going to send out a hitman armed with cheesewire after them cause they just ain't gonna care.

PostPosted: Wed Nov 14, 2007 7:32 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
Online Publishers Powerless Against RBN's Malicious Ads

By Lisa Vaas
November 14, 2007

Online advertising managers have no tools to stop malicious code from infiltrating their sites, and the RBN gang is reaping the ill-gotten benefits.

Nov. 12 was just another busy day in the life of an advertising manager for a well-regarded online publisher. We'll call her "Laurie Smith," but it doesn't matter who she is or who the publisher is, because her experience is typical in an industry that is now enduring a plague of malware infiltration that it's all but powerless to stop.

Smith was lucky that day. Unlike scores of other online publishers' advertising managers—such as those at Google, Yahoo, the Wall Street Journal, The Economist, Major League Baseball's MLB.com and the National Hockey League's NHL.com—by the end of the day, she could breathe a sigh of relief since her site's advertising was not overlaid with malicious code.

There is, in fact, a scourge of so-called "badvertising" infiltrating legitimate sites. Since Sept. 22, the ads have been finding their way into the servers of the advertising industry's biggest players, such as DoubleClick. (See Here)

eWeek

PostPosted: Thu Nov 15, 2007 8:12 am
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
RBN – Faking its demise

Thursday, November 15, 2007
Quote:
Although it is true the Russian Business Network (RBN) as AS40989 RBN AS RBusiness Network has relinquished its IP addresses (not the related ‘peers’), this blog has never shown this as the core centre of RBN activity or particularly relevant to its commercial activity. To simply test the hypothesis of the demise of the RBN as in recent headlines in the press using phrases as “Mother of all cybercrime vanishes from the web”, or “RBN goes Poof” is simply to review one of the RBN’s major money earning retail activities.

HYPOTHESIS = Logically RBNs fake anti-spyware or rogue software should show major changes in serving and hosting over the last week or so, if the demise of the RBN is correct. Fortunately based on limited CYBERINT earlier we were able to show 57 well known ‘fakes’ and 34 of the top 40 being RBN related, below can be seen the specifics.

RESULT = With the exception of the loss of replacement of AS40989 secondary name servers there has been little or no change to the core IP addresses.
RBN Exploit Blog w\screen shots & Analysis

PostPosted: Sun Nov 18, 2007 6:28 pm
Site Admin
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15493
Location: PHX, AZ
The "New Media" Malware Gang

Sunday, November 18, 2007
Quote:
Since Possibility Media's Malware Fiasco, I've been successfully tracking the group behind the malware embedded attack at each and every online publication of Possibility Media. Successfully tracking mostly because of their lack of interest in putting any kind of effort of making them harder to trace back, namely, maintaining a static web presence, but one with diversifying set of malware and exploits used.

What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's was using IPs rented on behalf of RBN customers from their old netblock, here are two such examples of RBN IPs used by this group as well :
  • 81.95.149.236/us3/index.php
  • 81.95.148.162/e202/
Dancho Danchev Blog w\screen shots