RBN - McColo R.I.P.

RBN (Russian Business Network) activity in the USA takes another hit, and the war against Internet badness gains another victory.

‘Alas, poor McColo, I knew them well’ - as does anyone on the planet who receives email, and therefore spam.

McColo was host to the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography.

The study published by HostExploit.com was based on tracking and documenting the ongoing cyber criminal activity of McColo and others. Get the report here: HostExploit Report.

As a result of the first HostExploit Cyber Crime USA report, which focused on Atrivo / Intercage, and the community actions that followed it, there was a measurable 10% drop in spam and malware worldwide. While temporary, it clearly demonstrates that with a concerted and consistent effort by concerned commercial Internet network operators, a safer Internet can result.

Once Hurricane Electric became aware of the report's content, it pulled the plug at approximately 4:30pm EST on 11/11/08. To confirm this, see the chart from SpamCop below: a huge drop in spam, as just one example.

Of course it is not over yet:

fraudcrew.com on IP 64.62.171.193 = 193.64-62-171.reverse.mccolo.com = net 64.62.128.0/18 = AS6939 HURRICANE Electric. Our favorite ‘CoolWebSearch hijackers’ are still online.

Also, as we see on the CIDR report, AS26780 MCCOLO - McColo Corporation is still peered by AS3549 GBLX Global Crossing Ltd.

However, we can assume Hurricane Electric will get around to the 64.62.128.0/18 net block, and that GBLX is also acting in unison.

Again this is an excellent example of a growing community effort, involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators. When considering the ongoing war for the heart and soul of the Internet: “Not the end, not the beginning of the end, but the end of the beginning”?

RBN - Farewell to EstDomains

In the wake of the demise of Atrivo we now see the demise of EstDomains by an emboldened ICANN.

Many have shown EstDomains et al. to be a source of domain registration badness used by cyber criminals for many years, as recently described within the HostExploit.com report “Atrivo - Cyber Crime USA” and by Sunbelt Software and Spamhaus, to name a few, and followed up by Brian Krebs of The Washington Post in “A Superlative Scam and Spam Site Registrar”.

Ironically, EstDomains has been trying to fight back with press releases such as “EstDomains, Inc Takes Next Step in Combating Spam and Malware”, stating: “Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe.”

However, even more relevant to the demise of EstDomains was the later Brian Krebs post “A Sordid History and a Storied CEO”, relating to the EstDomains CEO Vladimir Tsastsin.

As of today ICANN has issued a formal, and we assume irrevocable, notice of termination; see fig 2 below:

The formal letter of termination, available for download from ICANN <here>, is based on court records from Estonia.

Of course, what will be interesting is what happens to the approximately 281,000 domain names under EstDomains’ management. All registrations sponsored by EstDomains will be transferred to an ICANN-Accredited Registrar in accordance with ICANN’s “De-accredited Registrar Transition Procedure”. ICANN goes on to say: “It is ICANN's goal to protect registrants from unnecessary harm and we look forward to amicably resolving any domain name transition issues that may arise from this termination.”

Hopefully this demonstrates that an emboldened ICANN, which has recently come under siege over security issues, is listening to the community. Perhaps we could persuade ICANN to let the Internet security community provide solid advice on which of these domains are abusive before any transfer is made?

RBN - Russian Cyberwar on Georgia: Report

"In August 2008, cyberwar associated with the Russian Federation struck once more, this time against Georgia. The DDoS attacks began in the weeks running up to the outbreak of the Russian invasion and continued after the Kremlin announced that it had ceased hostilities on August 12th."

This excerpt is from the 29-page report available for download from HostExploit.com or georgiaupdate.gov.ge; it is probably the most thorough analysis available of the cyberwarfare related to Georgia.

Concerning RBN (Russian Business Network):

"The individual, with direct responsibility for carrying out the cyber "first strike" on Georgia, is a RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia – but senior operatives in positions of responsibility with vast background knowledge.

Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely ‘hacktivism.’ Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites.

• The IP addresses of the range 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.

• 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes."
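As an added example (not from this post or the HostExploit report), here is a defender-side check that maps the client IPs in web server log lines onto the netblocks named above, the McColo reverse-DNS space in 64.62.128.0/18 and the Sistemnet Telecom 79.135.160.0/19 with its SBL64881 /24, using longest-prefix matching so a hit inside the /24 is reported separately from the enclosing /19. The log lines and the 198.51.100.7 address are constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Watchlist of netblocks named in the post, keyed to the network the post
# attributes them to. Longest-prefix match wins, so a hit in 79.135.167.0/24
# is reported as the SBL64881 block rather than the enclosing /19.
WATCHLIST = {
    ipaddress.ip_network("64.62.128.0/18"): "AS6939 Hurricane Electric (reverse.mccolo.com space)",
    ipaddress.ip_network("79.135.160.0/19"): "Sistemnet Telecom (RBN routes)",
    ipaddress.ip_network("79.135.167.0/24"): "Spamhaus SBL64881 (Boykov hosting)",
}

# Constructed sample log lines in Apache common log format; not real traffic.
SAMPLE_LOG = """\
64.62.171.193 - - [12/Nov/2008:01:02:03 +0000] "GET /update.exe HTTP/1.1" 200 51200
198.51.100.7 - - [12/Nov/2008:01:02:04 +0000] "GET /index.html HTTP/1.1" 200 1024
79.135.167.22 - - [12/Nov/2008:01:02:05 +0000] "POST /login HTTP/1.1" 403 512
79.135.161.9 - - [12/Nov/2008:01:02:06 +0000] "GET /robots.txt HTTP/1.1" 200 64
"""

# Client IP is the first whitespace-delimited field of each line.
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def classify(ip: str) -> Optional[tuple[str, str]]:
    """Return (netblock, attribution) for the most specific watchlist entry
    containing ip, or None if the address is in no listed block."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in WATCHLIST if addr in net]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)  # longest prefix wins
    return str(best), WATCHLIST[best]


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (ip, netblock, attribution) for every log line whose client IP
    falls inside a watchlisted netblock; unmatched and malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = IP_RE.match(line)
        if not m:
            continue
        hit = classify(m.group(1))
        if hit:
            out.append((m.group(1), hit[0], hit[1]))
    return out


if __name__ == "__main__":
    for ip, net, who in scan_log(SAMPLE_LOG):
        print(f"{ip:<16} {net:<18} {who}")
```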
The puzzle of StopGeorgia.ru = follow the rabbit?

To add to the report and shed light on the ongoing puzzle of the attack site StopGeorgia.ru:

Figure 1 - The IP route diagram for StopGeorgia.ru (note: steadyhoster.com)

Figure 2 - The IP route diagram for SteadyHoster.com (note: for both fig 1 and fig 2, 74.86.81.232.infomart.reverse.dnska.com)

Protect Details, Inc - (privatecontact@protectdetails.com)
29 Kompozitorov st. Saint Petersburg, 194358 RU

Figure 3 - Welcome to London, GB: the IP route diagram for InnovativeITsolutions.com, the actual home of 'StopGeorgia.ru', AKA dnska.com, reseller for AS36351 SOFTLAYER Technologies

Innovation IT Solutions Corp.
Andrey Nesterenko (admin@mirhosting.com)
95 Wilton Road,
London, SW1V 1BZ, GB

RBN: Atrivo Goes Dark

Not the end, not the beginning of the end, but perhaps the end of the beginning.

As of today the Internet is a little safer, as Atrivo goes dark.

It is pleasing to report that the last remaining peer routing Atrivo (AS27595 Atrivo / Intercage), ‘Pacific Internet Exchange’ (PIE; see the Spamhaus ref below), was withdrawn at 2:35am EST on Sunday Sept 21st 2008.

This is an excellent example of community effort involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators.

Although this is good news, we should not relax too much: some of the bad stuff has migrated elsewhere, similar to the self-redistribution of AS40989 RBN Network last year. However, we look forward to the forthcoming ‘Atrivo – Cyber Crime USA’ report version 2.0 from HostExploit, which may cast some light on this redistribution and other bad actors.

Magnanimous in victory, we should give the last word to the vanquished, as Emil Kacperski, long-time spokesman and apologist for Atrivo / Intercage, said:

“I just put my fate into companies I shouldn't have.”

For the record, the CIDR report - RIP

Refs:

Spamhaus - PIE - Lasso

Atrivo: Cyber Crime USA Report - HostExploit.com

CIDR Report - Atrivo / Intercage