RBN – New and Improved Storm Botnet for 2008

The Russian Business Network (RBN) is evidently working overtime over the Christmas and New Year holiday, no doubt counting on many in the ISP security and anti-spam arena being on skeleton staff.

Many will already have seen reports of the Storm botnet outbreak which started on December 24th with "MerryChristmasDude"; there is a good write-up at ComputerWorld and technical details at ISC SANS and HolisticInfoSec (links in the footer). The picture is changing rapidly: by December 26th there were new web sites, "Uhavepostcard" and "HappyCards2008", and no doubt more will follow over the next few days.


Three of the key web sites have the following registrant information, all registered via "ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)", in chronological order:

Domain Name: MERRYCHRISTMASDUDE.COM - Creation Date: Nov 27 2007
Domain Name: UHAVEPOSTCARD.COM - Creation Date: Dec 23 2007
Domain Name: HAPPYCARDS2008.COM - Creation Date: Dec 26 2007



The key objective for the RBN is to rebuild the Storm botnet, which various reports over the last few months have shown shrinking from a few million enslaved PCs to, more recently, a few hundred thousand. One can only guess what the RBN's main use for a rebuilt Storm botnet would be, e.g. something like the earlier DDoS (distributed denial of service) attack on Estonia.



There are some interesting elements which make this attack innovative:


# Although much of what is detected is conventional spam, a large amount of it is getting through anti-spam defenses through the use of "fake" BlogSpot (Blogger) links, for example in this small sample:

hxxp://dantipXXXX.blogspot.com/?soapwerzpordeecaspewtkk153trajspeak
hxxp://isakovkapitonXXXX.blogspot.com/?harkwerzpordeecaspewtkk153trajfloor

The common part of the query string is "pewtkk153traj"; the BlogSpot page redirects to Geocities web sites, which in turn redirect to the Storm exploit domains.


# Although most have identified the payload as the Zhelatin/Storm email worm or a variant, it is also served as the more recent fake codec downloads, depending on where the unfortunate user has come from. The payload is also "polymorphic", i.e. the binary alters its signature in an attempt to defeat anti-virus tools.


# The fast-flux technique used to avoid detection is in this case "double-flux": not only the A records of the exploit domains but also the name servers for those domains change constantly, with multiple nodes within the network registering and de-registering their addresses (see the sample maps below, each taken within a one-hour period, which show the fast-flux DNS changes). It is also safe to say this newer Storm network has improved defense mechanisms against those who examine it too closely.











Computerworld - Storm Worm Christmas
Computerworld - Storm New Year
ISC Sans - Anticipated Storm
HolisticInfoSec

RBN – $$$ - the retail payment systems

In an extension to the analysis of the Russian Business Network (RBN), this is the first of a series on RBN payment systems.


This article focuses on just one of the several payment systems for the RBN's "fakes" retail division, i.e. isoftpay.com. It has been reported before, namely by the Sunbelt Blog (see links in the footer) on Oct 3rd 06 in a report on rogue software, and more recently by 2-spyware on Dec 10th 07.








Exploring this node of the RBN's organization raises several areas of interest: the location(s) of internet operation, SSL, and the transactional base. By way of a brief introduction to later, more in-depth analysis of malware revenue models, analysis of isoftpay alone provides a starting point for some generalized assumptions about RBN retail revenue. Therefore, as mentioned in earlier articles here on fakes, and from current analysis:



(a) Isoftpay serves as the payment point for such fakes as BraveSentry and others.


(b) secure.isoftpay.com received, over the last 30 days (mid-November to mid-December), 187,750 direct unique visitors from the US.


(c) This suggests approximately 25% of the unique visitors to those rogue software web sites go on to the payment site, directed there by the exploit downloaded with the "free" trial of the fake anti-spyware.


(d) On the reasonable assumption that a high proportion of those directly visiting the secure payment area after downloading the exploit do make a purchase, say 75%, this would give gross revenue of around $4 million per month from US visitors alone.


(e) As US visitors represent 17 to 40% of the worldwide audience for such sites, one can assume gross revenue in the region of $10 million per month, or $120 million per annum.




A significant component is the SSL (Secure Sockets Layer) certificate; the figure below shows the current certificate for Isoftpay.

The certificate appears legitimate; unfortunately we have not yet ascertained from Equifax or GeoTrust whether it is a forgery, and if it is not, they should be able to tell us who purchased it. Note that a certificate from a commercial CA shows only that the CA verified control of the domain (and took the purchaser's details); it says nothing about the legitimacy of the business behind it.


Also of interest are the payment transactions: the site takes Visa and MasterCard, and further enquiries are outstanding as to whom the collected revenues are paid.

Finally, several victims have contacted the authors of this blog, and any transaction through this site is fraudulent. No doubt Equifax, GeoTrust, Visa and MasterCard will act swiftly to prevent further fraudulent transactions and ensure victims at least get their payments returned?



From the perspective of the RBN's nodes of operation, as originally noted by Sunbelt, the IP address in Oct 06 was 69.50.168.101 in AS27595 ATRIVO. The figure below shows the current state (Dec 19th 07) compared with Oct 28th 07; the only difference is the addition of a name server (ns3.isoftpay.com) served from AS4837 CNC Group China. The other servers are some of the RBN's usual suspects: AS9930 TTnet Malaysia, AS4657 StarHub Singapore, and, it goes without saying, AS27595 Atrivo AKA Intercage, Inhoster, etc.





The two figures below show the IP and AS maps of Isoftpay and related domains.









References: Sunbelt 10/06 2-Spyware.com 21/07

RBN – The Russian Business Network, Now and Then

Observing the Russian Business Network (RBN), this blog is pleased to introduce readers to a highly informative 70-page study of the RBN by David Bizeul, which you can download in PDF format in English (see links in the article footer).





Figure 1 – RBN Offices
12 Levashovskiy Prospect.
197110 Saint-Petersburg, - Russia






The study provides extensive information and analysis on the background of the RBN, from its probable physical locations (see figure 1 for the RBN offices) to Russian cybercrime generally. One of the study's conclusions is very telling; this blog wholeheartedly agrees with it and would add international law enforcement to the list.


“There are some countermeasures available but none makes sense for the home user or even companies. Only ISPs, IXPs and Internet regulators can help in mitigating the risks originating from RBN and other malicious groups.”


As with most investigation of the RBN, including this blog, we are confined to retrospective analysis; however David's RBN study is very important, as it provides a definitive image of the RBN just before it reorganized. This is crucial for the authors of this blog and other researchers, as it provides a comparative baseline for current analysis of RBN activity. For example, in a very early article on this blog we described the Internet serving locations of a number of exploit and Rock Phish landing web sites. Figure 2 (click to enlarge) shows the previous and current servers for these domains.





Interestingly, AS36420 for the 75.125.89.178 IP address resolves to Everyones-Internet; to show the connection, this is the same route as shown on CastleCops for the Lloyds TSB Rock Phish (banking ID phishing) campaign.

The name servers shown for all domains in Figure 2 are our good friends at AS27595, i.e. Atrivo, Intercage, Inhoster, Estdomains. Of even more interest, the same name server also hosts the following "fakes":

e.g. - antispygolden.com, hitvirus.com, malwareburn.com, procodec.com, videohook.com, virusheal.com

These are purely a sample for this server; Figures 3 and 4 below show the IP mapping as samples.

We hope this provides further examples of the RBN's current well-being. We are also pleased to announce that, in collaboration with David Bizeul, we will provide an update to this RBN study within the next few weeks.


Figure 3. Name Server Map example



Figure 4 - IP Map example


References and downloads:

David Bizeul - RBN Study here or here - Castlecops Rock Phish - Original RBN IP blog article

RBN – Google Search Exploits

The Russian Business Network (RBN) has been busy again with a significant number of loaded web search results which lead to malware sites, as reported by Sunbelt.


The good news first: we are able to precisely pinpoint the exploiters back to the newer RBN core retail centers previously exposed on this blog on Nov 8th 07, i.e. iFrameCash, myrdns, hostfresh, and AS27595 i.e. Atrivo, Intercage, Inhoster. Also, as reported, this is the same end route as the Bank of India hack, the fake anti-spywares and the fake codecs.


The bad news is, as predicted and one of the probable reasons for dropping their RBNetwork IP ranges, the RBN is increasingly using botnet-based fast-flux techniques (see Wikipedia) to hide the initial delivery sites behind an ever-changing network of compromised hosts, i.e. "double-flux": not only the A records for the malicious domain but also its NS records (the name servers themselves) rotate, as nodes within the network register and de-register their addresses in the zone. This provides an additional layer of redundancy and survivability within the malware network, as seen in the case of the fake codecs.
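As an added worked example (not code from the original blog), the following Python script scores a resolver's view of a zone for the single- and double-flux behaviour described here and in the Storm botnet article above: many short-TTL A records spread across several origin ASes flags a fluxing name, and if the zone's own name servers show the same behaviour the zone is labelled double-flux. The DNS answers, the /24-to-AS table and the thresholds are all constructed assumptions for the demonstration; in practice they would come from a resolver log, a BGP table and tuning against your own traffic.

```python
from collections import defaultdict

# Assumed thresholds (not from the article); tune to your resolver's vantage point.
FLUX_MIN_IPS = 5     # distinct A-record addresses seen for one name
FLUX_MIN_ASNS = 3    # spread across at least this many origin ASes
FLUX_MAX_TTL = 300   # seconds; flux agents need short TTLs to rotate

# Constructed stand-in for an origin-AS lookup, keyed by /24 (first three octets).
ASN_TABLE = {
    "10.1.1": 64500, "10.2.2": 64501, "10.3.3": 64502, "10.4.4": 64503,
    "10.5.5": 64504, "10.6.6": 64505, "10.7.7": 64506,
    "192.0.2": 64510, "198.51.100": 64511,
}


def _obs(qname, rrtype, values, ttl, step=600):
    """One constructed answer per value, `step` seconds apart: (t, qname, type, rdata, ttl)."""
    return [(i * step, qname, rrtype, v, ttl) for i, v in enumerate(values)]


# Constructed resolver log: a double-fluxing zone, a legitimate round-robin CDN
# (many addresses, one AS, short TTL) and a static site.
OBSERVATIONS = (
    _obs("flux.example", "A", ["10.1.1.5", "10.2.2.9", "10.3.3.14",
                               "10.4.4.2", "10.5.5.77", "10.6.6.3"], 180)
    + _obs("flux.example", "NS", ["ns1.flux.example", "ns2.flux.example"], 3600)
    + _obs("ns1.flux.example", "A", ["10.2.2.30", "10.3.3.31", "10.5.5.32",
                                     "10.6.6.33", "10.7.7.34"], 180)
    + _obs("ns2.flux.example", "A", ["10.1.1.40"], 3600)
    + _obs("cdn.example", "A", ["192.0.2.%d" % i for i in range(1, 7)], 60)
    + _obs("cdn.example", "NS", ["ns.cdn.example"], 86400)
    + _obs("ns.cdn.example", "A", ["192.0.2.53"], 86400)
    + _obs("static.example", "A", ["198.51.100.8"], 86400)
    + _obs("static.example", "NS", ["ns.static.example"], 86400)
    + _obs("ns.static.example", "A", ["198.51.100.53"], 86400)
)


def summarize(observations, asn_table, window=None):
    """Per name: distinct A addresses, distinct origin ASes and lowest TTL, plus
    the NS set per zone. `window` (seconds) limits the slice, as for the hourly maps."""
    ips, ttl_min, ns_of = defaultdict(set), {}, defaultdict(set)
    for t, qname, rrtype, rdata, ttl in observations:
        if window is not None and t > window:
            continue
        if rrtype == "A":
            ips[qname].add(rdata)
            ttl_min[qname] = min(ttl, ttl_min.get(qname, ttl))
        elif rrtype == "NS":
            ns_of[qname].add(rdata)
    stats = {}
    for qname, addrs in ips.items():
        asns = {asn_table.get(a.rsplit(".", 1)[0]) for a in addrs} - {None}
        stats[qname] = {"ips": len(addrs), "asns": len(asns), "ttl": ttl_min[qname]}
    return stats, ns_of


def is_fluxing(s):
    return s["ips"] >= FLUX_MIN_IPS and s["asns"] >= FLUX_MIN_ASNS and s["ttl"] <= FLUX_MAX_TTL


def classify(observations, asn_table, window=None):
    """Label each zone apex (any name with NS answers): "not-flux", "single-flux"
    (A records rotate) or "double-flux" (the name servers' own A records rotate too)."""
    stats, ns_of = summarize(observations, asn_table, window)
    verdict = {}
    for zone, nameservers in ns_of.items():
        if zone not in stats:
            continue
        if not is_fluxing(stats[zone]):
            verdict[zone] = "not-flux"
        elif any(ns in stats and is_fluxing(stats[ns]) for ns in nameservers):
            verdict[zone] = "double-flux"
        else:
            verdict[zone] = "single-flux"
    return verdict


if __name__ == "__main__":
    for zone, label in classify(OBSERVATIONS, ASN_TABLE).items():
        print(zone, label)
```

Run it over a time slice (the `window` argument) to reproduce the hourly snapshots the Storm maps were taken from; too short a window hides the rotation, which is why the same constructed zone comes out as not-flux at half an hour and double-flux at a full hour. The AS spread is what separates a flux network from a legitimate CDN's round-robin, which also has many addresses and short TTLs but sits in one AS.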


This particular web search exploit, from the unfortunate end user's perspective, can be shown as:




Investigation of the actual Trojan downloads shows the use of a newer, until now undistributed, edition of MPack which includes a host of exploits and payloads including scam.Iwin, keyloggers, DNS changers, etc. Despite the difficulty of tracking fast-flux botnet usage, detailed investigation of the specific domain name servers gives the details below; with this information Google and other search engines should easily be able to eliminate this threat, and it hopefully provides law enforcement with further evidence:



1 – The web search “fake” sites.


All the fake web search sites researched in this exploit emanate from 2dayhost.com, an apparent botnet host based at AS8001 Net Access Corporation, 1719 Route 10 Suite 318, Parsippany, NJ 07054. The following is a sample of the domains and name servers involved at this stage: feidqaadppta.cn, igekqzeabkwz.cn, luewusxrijke.cn, zhvmizyycuzz.cn. All were registered very recently, on Nov 25th 2007, under the name servers ns1.erik-kartman2.com and ns2.erik-kartman2.com, also based at 2dayhost.com / AS8001 Net Access Corporation (please note that despite the .cn TLD, the domains and registrant have nothing to do with China).


Figure2 – Fake search site map



2 – Victim Reception sites.

As mentioned earlier, the "usual suspects" iFrameCash, myrdns, hostfresh, and AS27595 i.e. Atrivo, Intercage, Inhoster are responsible. The following three figures show the relationship (click on the picture to see full size):



Figure 3. Victim reception A




Figure 4. Victim reception B



Figure 5. Victim reception C

RBN – Fake Codecs

With the ongoing tracking of "fake" software websites related to the Russian Business Network (RBN) and its associates, it is important to note the growth of the fake codec websites. A codec is a small program that allows an operating system or application to play audio or video in a particular format, e.g. MP3, WAV, Xvid, MPEG, Indeo and Cinepak.









Figure 1. Sample “fake” codec site - Gamecodec.com



This article is a cumulative snapshot report based upon current and historical community reporting from Zlob Watch (peki.blogspot), Sunbelt, and the excellent earlier work of Jahewi's Fake Codec Information (unfortunately last updated Jan 20th 07). The key issues are:


  • 53 currently active domains (see fig. 2 below), plus the 60 earlier-reported and mostly dormant domains (see fig. 3 below), give a total of at least 113 "fake" codec web sites operational over an 18-month period. Many of the active domains appear to alternate regularly between non-resolvable (apparently offline) and online.


  • The prime exploits from these sites are (a) Zlob, which shows fake error messages and silently installs fake anti-spyware products, and (b) DNSChanger, which silently adds rogue DNS name servers to the PC or Mac. These name servers resolve non-existent domains (typo-squatting) to IP addresses associated with the authors to generate revenue, and could potentially re-route traffic from legitimate web sites to other suspicious web sites (ref. peki.blogspot).
Note: we should clarify that the Mac fake codecs only deliver the DNS-changing trojans, and that not all the sites listed will serve Mac versions.



  • These exploits are designed for Mac and Windows users, with an attack vector similar to the "fake" anti-spywares; however the technique varies in that new domains constantly emerge, mostly pointing at a single web landing page interface.


  • Most importantly, all 113 domains are or were registered with Estdomains; similarly all of the 53 active domains in fig. 2 are hosted on AS27595 by Atrivo, AKA Intercage, Inhoster, Cernel, etc. AS36445, a newer Autonomous System apparently used by Cernel, should also be added. For blocking purposes the following IP ranges should be incorporated:

64.28.176.0/20 AS27595 INTERCAGE
85.255.118.0/20 AS27595 INTERCAGE
85.255.112.0/20 AS36445 CERNEL

(Note: 85.255.118.0/20 is not on a /20 boundary; as a route it denotes 85.255.112.0/20, the same block as the AS36445 line, so a router or firewall will either reject that line or treat the two as one. 64.28.176.0/20 is correctly aligned.)











Figure 4 - Sample IP Map - Zerocodec

RBN – PC Hijacking via Banner-Ads on Major Web Portals

The Russian Business Network (RBN), in one of its boldest PC hijacking exploits, used conventional banner ads to redirect web visitors to "fake" anti-spyware sites. This is a new attack vector, but it uses known RBN server routes and exploits. Malware-laden ads have been spotted on various legitimate websites, including baseball's MLB.com, NHL.com, Canada.com and The Economist. Posing as a conventional Flash file, the exploit is delivered via DoubleClick's DART program; DoubleClick has acknowledged the malware and says it has implemented a new security-monitoring system that has so far captured and disabled a hundred ads.



How the exploit works, servers and locations (per Explabs):

Example for mlb.com: mlb.com -> ad.doubleclick.net -> newbieadguide.com -> fixthemnow.com, which calls safetydownload.com for the "fake" download.





Example for nhl.com: nhl.com -> 2mdn.net -> ad.doubleclick.net -> adtraff.com -> blessedads.com and prevedmarketing.com -> malware-scan.com for the "fake" download.







Figure 3 – Secure Hosting Bahamas



As shown above, the key servers involved, in particular Secure Hosting based in The Bahamas, have been utilized on other occasions by the RBN. It should also be noted that the four specific exploit servers and their ASes (Autonomous Systems) are:


  • AS15146 Cable Bahamas Ltd. (also AS26855 INTERNET BAHAMAS) - SECUREHOST.COM - IP range involved - 190.15.72.0/21

  • AS29131 RAPIDSWITCH Ltd - London UK - IP range involved - 87.117.192.0/18

  • AS33510 SETUPAHOST - Toronto Canada - IP range involved - 66.244.254.0/24

  • AS41947 WEBALTA / Internet Search Company - Moscow Russia - IP range involved - 77.91.224.0/21

Each of these servers houses many other questionable and exploit-based domains on the same specific IP addresses as the domains utilized within this PC hijack exploit. Figure 4 shows those domains, which include 23 "fake" anti-spyware or rogue software domains based upon the same RBN exploits as "WinFixer", "SpySheriff", etc.





This important exposure is thanks to excellent CYBERINT work within the community, references:

Explabs - Wired.com - Sunbelt

RBN – Russian Business Network - Faking its demise

Although it is true that the Russian Business Network (RBN), as AS40989 RBN AS RBusiness Network, has relinquished its IP addresses (though not those of its related 'peers'), this blog has never shown this AS as the core centre of RBN activity or as particularly relevant to its commercial activity. A simple test of the hypothesis of the demise of the RBN, as in recent press headlines such as "Mother of all cybercrime vanishes from the web" or "RBN goes Poof", is to review one of the RBN's major money-earning retail activities.


HYPOTHESIS = Logically, the RBN's fake anti-spyware or rogue software sites should show major changes in serving and hosting over the last week or so if the demise of the RBN is real. Fortunately, based on limited CYBERINT, we were earlier able to show 57 well-known 'fakes', with 34 of the top 40 being RBN related; the specifics can be seen below.


RESULT = With the exception of the loss (or replacement) of the AS40989 secondary name servers, there has been little or no change to the core IP addresses.

(a) For example, Antivirgear shows a current Alexa Trend/Rank of #5,473 (out of an estimated 60 million web sites), improved over the last month: 397,296 U.S. visitors per month, which is 10.7% of its traffic, thus 3.7 million visitors worldwide; and this is just one of many 'fake' web sites.

(b) It does help to highlight the role of Intercage AS27595 (AKA Atrivo (US), Inhoster - xbox.dedi.inhoster.com - Ukraine, and Estdomains) as a fundamental part of the RBN since 2004 (see .





For the results, Figure 1 shows an overview of the RBN's / Atrivo's share of the 'fakes' market. For completeness (click on the images to enlarge):

Figure 2 - shows the complete list of the 57 ‘fakes’ in alphabetical order.

Figure 3 - shows the complete list of the 57 ‘fakes’ ranked to specific hosts / servers.

N.B. – The 6 'fakes' listed as offline are currently dormant; historically this has happened before, and such domains often come back into use.







RBN – 76 Service Team, Loads cc, and their location

Although most report that the Russian Business Network (RBN) has disappeared, this RBN watch-blog still follows its active domains, its "retail division". This is a follow-up to an earlier article on 76 Service, Gozi, the HangUp Team and US hosting: same business, different location, and an added common thread.



Fig 1. Common thread – the RBN’s slogan?


76 Service is now 76team.com (click on pic to see detail)

Fig2. Current 76 Service user landing page

As we can see, although using a new domain, it still displays the familiar RBN "76 Service" branding. Just to remind ourselves, subscribers to 76 Service can log in and pull down the latest drops, i.e. data deposits from the Gozi-infected machines they subscribed to, e.g. one 3.3 GB drop containing more than 10,000 online credentials (ID theft) taken from 5,200 PCs.




Loads.cc (click on pic to see detail)

Fig3. Loads.cc – Order page


As reported, Loads.cc allows less technically proficient cyber-criminal affiliates to "cash in"; the site provides information on the availability and size of the botnet in real time. This method differs from other similar schemes such as 76service in that Loads.cc lets you pay to infect computers, rather than buying the data stolen from machines already infected.







Common Thread?

  • 76 Team (back1.76team.com or bavk1.76team.com) – IP = 208.72.170.189 = AS26780 MCCOLO - USA
  • Loads.cc – IP = 212.24.53.4 = AS15756 CARAVAN ISP "CARAVAN" Moscow, RU
Although the two sites appear dissimilar, we have to dig a little deeper; examine the next two figures.


Fig 4 (a) 76 Service / Team Name servers (click on pic to see detail above)



Fig 4 (b) Loads cc Name servers (click on pic to see detail above)



The common thread is in two parts:

  • Loads.cc infects the PCs; 76 Service / Team sells the IDs from those same infected PCs.
  • Also, as figs 4(a) and 4(b) show, the common name servers, i.e. orderbox-dns and Optical Jungle, with corresponding IP ranges, both within AS30315 and AS31898. These two ranges are part of ResellerClub and LogicBoxes, which in turn are owned by Directi.com.
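The pivot used above (two sites that look unrelated sharing name servers and the ASes those name servers sit in), and likewise the shared name servers noted in the Google search and "Now and Then" articles, can be made systematic. The following Python is an added example, not the blog's own tooling: it clusters domains by the zone and the /24 of their name servers with a union-find, records which facts linked each pair, and lets you drop facts shared by too many domains, since a reseller's default DNS (the Directi / ResellerClub case) links innocent customers as readily as RBN sites. The records are constructed stand-ins for the figures' WHOIS and DNS output; the names and addresses are invented.

```python
from collections import defaultdict

# Constructed stand-ins for the WHOIS / DNS records behind figures 4(a) and 4(b):
# two sites that look unrelated sharing name-server zones and a name-server /24,
# and two unrelated sites on a different provider. Names and addresses are invented.
RECORDS = {
    "76team.example": {"ns": [("ns1.orderbox.example", "203.0.113.10"),
                              ("ns2.jungle.example", "203.0.113.20")]},
    "loads.example":  {"ns": [("ns3.orderbox.example", "203.0.113.11"),
                              ("ns4.jungle.example", "198.51.100.5")]},
    "shop.example":   {"ns": [("ns1.shophost.example", "192.0.2.53"),
                              ("ns2.shophost.example", "192.0.2.54")]},
    "blog.example":   {"ns": [("ns1.shophost.example", "192.0.2.53")]},
}


def pivot_keys(rec):
    """Infrastructure facts a domain can share with another: the zone its name
    servers live in (ns1 and ns3 of the same operator count as one) and the /24
    of each name server address."""
    keys = set()
    for host, ip in rec["ns"]:
        keys.add("nszone:" + host.split(".", 1)[1])
        keys.add("nsnet:" + ip.rsplit(".", 1)[0] + ".0/24")
    return keys


def cluster(records, max_fanout=None):
    """Union-find over domains that share a pivot key. Returns sorted clusters and,
    per linked pair, the keys that linked them. Keys present in more than
    `max_fanout` domains (a registrar's default DNS, a carrier's /24) are ignored:
    the 'stooge' problem, where shared reseller infrastructure is weak evidence."""
    keys_of = {d: pivot_keys(r) for d, r in records.items()}
    fanout = defaultdict(int)
    for keys in keys_of.values():
        for k in keys:
            fanout[k] += 1

    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owner, evidence = {}, defaultdict(set)
    for domain, keys in keys_of.items():
        for key in sorted(keys):
            if max_fanout is not None and fanout[key] > max_fanout:
                continue
            if key in owner:  # evidence is recorded against the first domain seen with the key
                pair = tuple(sorted((domain, owner[key])))
                evidence[pair].add(key)
                parent[find(domain)] = find(owner[key])
            else:
                owner[key] = domain

    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(tuple(sorted(g)) for g in groups.values()), dict(evidence)


if __name__ == "__main__":
    clusters, evidence = cluster(RECORDS)
    for group in clusters:
        print(group)
    for pair, keys in evidence.items():
        print(pair, "linked by", sorted(keys))
```

With a real data set, set `max_fanout` from the distribution of key counts: a name-server zone that appears under hundreds of domains is a hosting provider, not an operator, and should not join clusters on its own. A pair linked by several independent facts (here three) is a much stronger signal than one shared /24.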


Directi is a very fast-growing web hosting and reseller company based in India. From its own literature it places a value of $300 million on itself. The slogan in Fig 1 is from Directi, and we hope it does not reflect the RBN's constant aim.

Infrastructure:
  • Directi has offices in India and UAE
  • The new Directiplex, designed by Hafeez Contractor, a $25 million facility with capacity for 1700 people, will be ready by December 2007
  • Directi is also opening two offices in China, in Beijing and Xiamen
  • Directi has partnerships with several datacenters worldwide and operates hundreds of servers worldwide for its various businesses

This blog is not suggesting anything more (at this time) than that Directi has joined the ranks of the RBN host / name server "stooges". Hopefully Directi will respond promptly to the related abuse communications.



Fig5 Directi Ops




It is reasonable to draw the following conclusions from the above and related observations:

  1. 76 Service / Team and Loads.cc are complementary RBN retail operations, working both sides of botnet operations and exploiting personal IDs.
  2. Both are now operational via Indian web space, and elsewhere, via Directi.
  3. The community and this blog as a whole have helped to force the RBN off its own servers, the original 76 Service base within Noc4 Hosts, The Planet, and elsewhere, through publicity and improved CYBERINT and blocking. This is not the time to believe in the demise of the RBN; for historians, the first time was in 2004.

References:

Original disclosure on 76 Service Recent article on Loads.cc

RBN – Russian Business Network, Chinese Web Space and Misdirection

There has been recent speculation concerning the Russian Business Network (RBN) and its increasing use of Chinese web space. It is useful to view this topic through a practical example; we can kill two birds with one stone by doing so via a requested update on "iFrame Cash".

iFrame Cash is an active RBN enterprise which we consider part of the RBN "Retail Division". Simply put, the RBN pays webmasters or small web hosts a commission for planting or injecting iframe exploits on web sites; this is done via the web site iframedollars.com and others.

Iframedollars has recently changed its IP location, as it has done regularly since 2004. Joining the dots (NB: click on the images to see the detail):


1. iframedollars.com

= 58.65.234.17, ns1.iframedollars.com = 58.65.234.17, ns2.iframedollars.com = 58.65.234.18, MX iframedollars.com (mail server) = 58.65.234.17

58.65.234.0/24 = HOSTFRESH Internet Service Provider, Pacific Internet (Hong Kong) Limited (Customer Route), REACH (Customer Route) = China?



2. myrdns.com / hostfresh.com

ns1.hostfresh.com = 58.65.238.100, ns2.hostfresh.com = 58.65.238.101

For myrdns.com, sharing IP records: us1core.hostfresh.com, jishuqi.cn, shippingnv.com



3. For us1core.hostfresh.com


4. AS27595 = Intercage






So at this time:


(A) iFrame dollars facts:
Host = Hostfresh, ICANN registrar = Estdomains, IP address changes = 14 (2 years), Whois records = 44 (since 2004). Alexa rank = #605,524, up 62,752 in the last 3 months

(B) Hostfresh facts:
Host = Myrdns, ICANN registrar – , IP address changes = 5 (2 years), Whois records = 233 (since 2004). Alexa rank = #361,013, up 387,6323 in the last 3 months


(C) Intercage facts:
As reported earlier, Intercage = AKA Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), Estdomains (note: also interestingly, Broadwing Communications, a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT - appears to be the core mail carrier and mirrored hosting for AS27595). This AS hosts or acts as a name server for at least 34 of the 40 RBN fakes.


(D) IMPORTANT NOTE:
58.65.239.66 was also one of the 2 hosts involved in the Bank of India hack.


In conclusion: 58.65.232.0 - 58.65.239.255 (i.e. 58.65.232.0/21) = HOSTFRESH = Hong Kong (PRC) / China?

This is Intercage again; to restate, there have been many forum and other Internet user complaints dating back to 2004, and it is blacklisted by Spamhaus. However such blacklists are predominantly used to block access "from" (e.g. spam); we need a CYBERINT system to prevent access "to". Currently only systems such as McAfee's SiteAdvisor provide a web user's guide, and this is not perfect.




Hopefully this example also demonstrates that, when watching the RBN, an IP address with a Hong Kong / Chinese / Russian registrant, or a page with Chinese or Russian writing, does not mean the site is actually based and hosted there.



Simple observation: just assume anything associated with the RBN is based on misdirection in the first place.

RBN – The Russian Business Network Has Closed Shop?

Russian Business Network (RBN) watching requires healthy cynicism and two simple tricks: (1) view their actions as you would an illusionist's or stage magician's, and look for the misdirection; (2) keep a historical perspective.

The good news is that the publicity-shy RBN does appear to have responded, or is being forced to respond, to being under the microscope, as reported by Brian Krebs of the Washington Post. The bad news is that the RBN IP ranges reportedly withdrawn are not the RBN IP ranges utilized in current exploits. The excellent work of Geoff Huston and his CIDR Report provides great information for those interested in the AS (Autonomous System) side of the Internet. It shows the following:

Prefixes withdrawn by origin AS40989 (RBN) in the past 7 days:

- 81.95.144.0/22 = Withdrawn

- 81.95.148.0/22 = Withdrawn

- 81.95.154.0/24 = Withdrawn

- 81.95.155.0/24 = Withdrawn

However, as shown here and elsewhere, the recent RBN-based PDF exploit utilized 81.95.146.130 and 81.95.147.107, and many of the RBN "fake" anti-spyware and anti-malware websites use 81.95.145.186 as one of their many name servers. A caveat on notation: 81.95.145.0/22, 81.95.146.0/22 and 81.95.147.0/22 are not valid prefix boundaries; all three addresses fall inside 81.95.144.0/22, the very block listed as withdrawn above. A withdrawal in the CIDR Report only means that AS40989 stopped originating the route; it says nothing about whether the same space, or a more-specific prefix within it, is now announced by a different origin AS, which is what should be checked before concluding these hosts are gone. Therefore one can only conclude:

- 81.95.144.0/22 (hosting 81.95.145.186, 81.95.146.130 and 81.95.147.107) = Still in use
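As an added example, not from the original blog, the following Python uses the standard library's ipaddress module to make the prefix checks a practitioner would want for both this article and the blocking list in the fake codecs article above: it detects blocklist lines that are not on a prefix boundary (85.255.118.0/20 is really 85.255.112.0/20, the same block as the AS36445 line), reports overlapping lines, and shows which withdrawn AS40989 prefix covers each of the addresses cited here. The prefix lists and addresses are copied from the two articles; nothing else is assumed.

```python
from ipaddress import ip_address, ip_network

# The three lines printed in the fake-codec article's blocking list.
CODEC_BLOCKLIST = [
    ("64.28.176.0/20", "AS27595 INTERCAGE"),
    ("85.255.118.0/20", "AS27595 INTERCAGE"),
    ("85.255.112.0/20", "AS36445 CERNEL"),
]

# The AS40989 prefixes the CIDR Report showed as withdrawn (from the article above).
WITHDRAWN_AS40989 = ["81.95.144.0/22", "81.95.148.0/22", "81.95.154.0/24", "81.95.155.0/24"]

# The addresses the article cites as still serving exploits and name service.
STILL_SEEN = ["81.95.146.130", "81.95.147.107", "81.95.145.186"]


def normalize(cidr):
    """Return (network, was_misaligned). A prefix with host bits set (85.255.118.0/20,
    81.95.145.0/22) is not a routable prefix: strict parsing rejects it, and
    strict=False returns the block it actually denotes."""
    try:
        return ip_network(cidr), False
    except ValueError:
        return ip_network(cidr, strict=False), True


def check_blocklist(entries):
    """(as written, as routed, misaligned?, label) for every line of a blocklist."""
    out = []
    for cidr, label in entries:
        net, misaligned = normalize(cidr)
        out.append((cidr, str(net), misaligned, label))
    return out


def find_overlaps(entries):
    """Pairs of lines that cover the same space once normalized; a firewall or
    router will either reject the misaligned line or silently merge the two."""
    nets = [(normalize(cidr)[0], cidr) for cidr, _ in entries]
    return [(a, b) for i, (na, a) in enumerate(nets)
            for nb, b in nets[i + 1:] if na.overlaps(nb)]


def covering_prefix(addr, prefixes):
    """Most specific listed prefix containing addr, or None. Being inside a
    withdrawn prefix only says AS40989 stopped announcing it; the host may still
    be reachable via another origin AS or a more-specific route."""
    ip = ip_address(addr)
    hits = [ip_network(p) for p in prefixes if ip in ip_network(p)]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


if __name__ == "__main__":
    for line in check_blocklist(CODEC_BLOCKLIST):
        print(line)
    print("overlapping lines:", find_overlaps(CODEC_BLOCKLIST))
    for addr in STILL_SEEN:
        print(addr, "is inside withdrawn", covering_prefix(addr, WITHDRAWN_AS40989))
```

covering_prefix answers only "is this address inside a prefix the CIDR Report showed as withdrawn"; whether the host is still reachable depends on whether another AS now originates that space or a more-specific route, which needs a live BGP lookup the script deliberately does not do. The same normalize check is worth running over any blocklist before it is loaded into a router, since a misaligned line is either rejected outright or silently widened to the enclosing block.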

Historically there have been many welcome reports of the demise of the RBN and its acolytes, stretching back to 2004. Without any political bias, it is reminiscent of being told the war in Iraq was over circa 2003. Maintaining a focused watch on the RBN as an organically growing organization is one of the main reasons a few of us created this blog in 2007.

This blog can only repeat that the RBN as an organization uses many guises, name servers, routes, stooges, etc., to operate under the radar and confuse. The excellent recent publicity through the many blogs, e-zines and newspapers must assist in gaining the necessary attention, if only for the 4 million plus (and growing) Internet users who will visit the RBN fake sites this month, and the many more who will suffer from iframe injections, MPack and more. A cynical view of any RBN-related action is appropriate, and more important still is maintaining our vigilance.

There will be a detailed follow-up article showing a current example of the RBN and its "apparent" use of Chinese web space.

RBN - Fake Tools, Rogue software, Bank of India, PDF, and more – the common thread (3 of 3)


This blog primarily uses quantitative organizational analysis as its core approach to the study of the Russian Business Network (RBN). To study a "soft" organization like the RBN, look for interaction with external entities, behavioral patterns, a history of quantifiable actions, and common threads, with the aim of reducing the complexity the RBN hides behind. In this third article in the series on the RBN's "fake" or "rogue software", figure 1 demonstrates this simplicity.




In article 2 of 3 we were able to demonstrate that at least 40 of about 57 well-known fake anti-spyware / anti-malware / rogue software products originate from RBN sources. It is also known that the RBN was behind other recently publicized events such as the Bank of India hack and the PDF exploit, so what is the common thread?

Firstly let us highlight a few key RBN “retail” exploit delivery methods:

a. Gozi/Ursnif/Snifula trojans = 76service, PDF exploit, etc.

b. Trojan Zlob + = Malware Alarm, AntiVirGear, etc.

c. iFrame = iFrame Cash, Bank of India etc.

To target the RBN (figure 1) we compare the delivery methods with specific organizational elements; for simplicity this is based upon the AS (Autonomous System: a collection of routers under a single administrative authority):

RBN (AS40989) – Source and destination of a majority of the RBN fakes, the PDF exploit and the Bank of India hack.


Estdomains (AS27595) – The domain registrar, which has its own hosting for the majority of the RBN fakes; X-TRAFFIC.BIZ, one of the key domains used in the Bank of India hack, was also within Intercage.




Intercage (AS27595) - AKA Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US) (note: also interestingly, Broadwing Communications, a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT - appears to be the core mail carrier and mirrored hosting for AS27595). This AS hosts or acts as a name server for 34 of the 40 fakes, and also carries IP address 58.65.239.66, one of the 2 hosts involved in the Bank of India hack.




The "5" stooges – alternative hosts or carriers of many RBN fakes and other RBN exploits. To be charitable, it could be said these are just being duped; however, noting the many complaints in security forums and blogs over some time, this blog is not inclined to be charitable. They are:

CRONOS - AS 42773 (Latvia)

GLOBALTRADE - AS 39634 (RU)

PILOSOFT - AS 26627 (US)

STARHUB - AS 4657 (Singapore)

TIMEDOTCOM - AS9930 (Malaysia)


In conclusion:

It is important to recognize the scale of the RBN fakes, i.e. over 4 million internet visitors per month.

The same RBN organizational structure is responsible for a majority of the major internet and PC security threats and exploits seen recently, e.g. the Bank of India hack, the PDF spam exploit, MPack, etc.

The "stooges" and other server operations that, even unknowingly, house RBN operations should act to prove they are not working in tandem with the RBN, not vice versa.

For example, this blog is hosted by Blogger, which is Google. As with any organization, the RBN has elements which are not titled RBN, written in Russian, or physically based in St. Petersburg. So let us be realistic: AS27595 - Intercage, Estdomains, et al. - IS A FUNDAMENTAL PART OF THE RBN!


References:

These 3 articles could not have been possible without the information, feedback and encouragement of many, in particular:

Dancho Danchev - Scott Berinato and Don Jackson - Symantec - McAfee’s Site Advisor -
Spyware Warrior - ISC Sans - ZDNet



Appx - Final list of the 57 fakes / rogue software- 40 specific RBN studied, 17 other lesser fakes;


RBN Top 40:
adprotect.com
adwareremover2007.com
antispyzone.com
antivermins.com
antiverminser.net
antiverminspro.net
antivirgear.com
antivirusgold.com
antivirusgolden.com
bravesentry.com
drives-cleaner.com
eprotectpage.com
magicantispy.com
malware-alarm.com
malwarealarm.com
malwarewipe.com
sigmacode.biz
spyaxe.biz
spydawn.com
spyheal.com
spylocked.com
spysheriff.com
spy-shredder.com
spyshredderscanner.com
spytrooper.com
spywall.net
spywarequake.com
thecleanersystem.com
thesafebar.com
thespyguard.com
virusburst.com
virusheal.com
virusprotectpro.biz
virusprotectpro.com
virusray.com
virusrescue.com
wildgadgets.biz
windowsafesurf.com
xmalwarealarm.com
xspy-shredder.com



Other 17:
1stantivirus.com
adwarebazooka.com
adwaredelete.com
adwarepunisher.com
anti-virus-pro.com
hitvirus.com
innovagest2000.com
pesttrap.com
razespyware.net
remedyantispy.com
spycontra.com
spycut.com
spydeface.com
spydemolisher.com
spyiblock.com
spywareno.com
virushammer.com

RBN - More of the RBN's fake anti-spyware and anti-malware tools (2 of 3).

As requested, this article (2 of 3) continues the Russian Business Network (RBN) Top 20 “fake” or “rogue software” series concerning the RBN’s Retail Division. The first article provided details of 20 such products, focused on the delivery method and the need for dynamic CYBERINT (cyber intelligence) to encompass the multiplicity of other mirrored hosts and servers. This article exposes products 21 to 40 and extends the theme to a historical awareness of these ongoing and active threats. The third article will focus on the question, “Are all of these 40 fake products RBN?” – The brief answer here is a quantifiable yes!

A further example in this 21 – 40 group is AntiVirGear. Again the same user exploit mode is used, stealth-based malware, and according to McAfee’s Site Advisor it provides a host of bad downloads for the unsuspecting user. AntiVirGear makes a fairly recent entrance to this scene, appearing within spyware forums and other security sources, e.g. Symantec (September 13, 2007), but AntiVirGear is not new. The exploit variety here is based upon the Trojan Zlob or a variant, well known under earlier names such as SpySheriff, AntiSpyware Gold, etc., with recorded sightings from 2004 and 2005.


The further batch, 21 to 40, is shown here in Table 4.

Again many are alive and well and doing good business for the RBN despite most of the core IP addresses being blacklisted. However, when compared with the 1st article there is again the common thread of interrelated hosts or mirror servers; see Table 5.

The tables in the 1st article and the tables here, together with RBN-related information, help to provide two important observations:

(a) The most important $$$-earning or key activities within the “fakes” category, e.g. Malwarealarm and AntiVirGear, but also, as shown with the current PDF and Gozi attack, are served directly from AS 40989 = RBNetwork (RBN).

(b) 36 out of 40 of the RBN fakes are hosted or mirrored via AS 27596 = Intercage.


Intercage (US), AKA Inhoster (xbox.dedi.inhoster.com - Ukraine) and Atrivo (US). (Note: interestingly, Broadwing Communications, a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT - appears to be the core mail carrier and mirrored hosting for AS 27596; what level of responsibility does that carry?) Intercage has a history relating to the RBN “fakes” noted as early as 2005 / 2006, for example on the Spyware Warrior forum. In February 2006 there was an online debate where ZDNet questioned the ISC Sans suggestion regarding the blocking of all of Intercage, their argument being that there were “some” legitimate customers there.


There are two conclusions that could be drawn from this:

1. It has been suggested to the authors of this blog that it will not be until some of the victims of these fakes and of the RBN begin, and successfully pursue, legal actions against such server enterprises that the legitimate ones will ensure a level of due diligence in accepting, or continuing to be, the vehicle for such illegal activities.

2. Clearly IP blocking in a fast, responsive and comprehensive “OpenDNS”-style CYBERINT format, as a method for ISPs and users, is long overdue. There is a big difference between, say, iPower, who were careless victims themselves in getting 10,000 web sites hacked, and such an obvious case as Intercage - AKA RBN.


Finally, as a reminder that this is a “now” problem and a large-scale one, see the sample in Table 6 for 21-40; it shows about 3-4 million users per month worldwide as visitors to the 40 sites, “NOW”.




RBN - PDF email Exploit

Thanks to the input from Honeyblog.Org, providing detailed confirmation related to the earlier ZDNet article concerning the latest Gozi Trojan exploit involving PDF files attached to email, courtesy of the RBN.



The PDF file attached to an email contains an exploit for the recently disclosed vulnerability involving Adobe PDF and the Microsoft-reported security advisory (here). As stated within this blog earlier, the exploit is being distributed as a PDF file in spam and downloads a variant of the Gozi Trojan. The exploit contains shellcode to download a binary from the RBN; the downloaded binary injects itself into several MS Windows processes, collects personal information from the infected PC and sends it to the RBN.


To confirm:

1. Download binary from IP address 81.95.146.130

2. Then send your personal data for ID theft to 81.95.147.107



Both 81.95.146.130 and 81.95.147.107 are served by Autonomous System AS 40989 = RBN AS RBusiness Network.


Perhaps more ISPs and users should simply blocklist the whole IP range, in and out?
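Checking whether a range blocklist of this kind is actually being hit, in both directions, is a simple pass over proxy or firewall logs. The following is an added example and not code from the original post: 81.95.146.130 and 81.95.147.107 are the two addresses named above, but 81.95.146.0/23 is only the smallest prefix that covers both and stands in as a placeholder for the prefixes really announced by AS 40989, which must come from routing data rather than be guessed; the log lines are constructed samples.

```python
"""Flag log lines whose remote address falls inside a blocklisted IP range,
checking both outbound and inbound traffic ("in and out").

Added example, not from the original post. 81.95.146.130 and 81.95.147.107
are the addresses named in the text; 81.95.146.0/23 is merely the smallest
prefix covering both and is a placeholder for the prefixes actually announced
by AS 40989, which must be taken from routing data. The log is constructed.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional

# Placeholder range (see docstring); replace with the real AS 40989 prefixes.
BLOCKED_RANGES = [ipaddress.ip_network("81.95.146.0/23")]

# Constructed sample log: <timestamp> <direction> <local_ip> <remote_ip> <detail>
SAMPLE_LOG = """\
2007-11-05T10:01:12 out 10.0.0.23 81.95.146.130 GET /update.exe
2007-11-05T10:01:40 out 10.0.0.23 81.95.147.107 POST /
2007-11-05T10:02:03 out 10.0.0.44 198.51.100.7 GET /index.html
2007-11-05T10:02:30 in 10.0.0.2 81.95.147.1 SYN tcp/25
2007-11-05T10:03:00 in 10.0.0.2 192.0.2.9 SYN tcp/25
2007-11-05T10:03:10 out 10.0.0.9 not-an-address GET /
"""


def blocked_range(addr: str) -> Optional[ipaddress.IPv4Network]:
    """Return the blocklisted network containing `addr`, or None.
    Raises ValueError if `addr` is not an IP address literal."""
    ip = ipaddress.ip_address(addr)
    for net in BLOCKED_RANGES:
        if ip in net:
            return net
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse the log and return one record per line that touches a blocked range."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, direction, local, remote = parts[:4]
        detail = parts[4] if len(parts) == 5 else ""
        try:
            net = blocked_range(remote)
        except ValueError:
            continue  # remote field is not an IP literal (e.g. a hostname)
        if net is None:
            continue
        hits.append({"time": ts, "direction": direction, "local": local,
                     "remote": remote, "range": str(net), "detail": detail})
    return hits


def by_direction(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per direction: outbound hits point at downloads or data
    leaving the network, inbound hits at scans or mail from the blocked range."""
    return dict(Counter(h["direction"] for h in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['direction']:3} {h['local']} -> {h['remote']} "
              f"in {h['range']}: {h['detail']}")
    print("hits by direction:", by_direction(found))
```

The two outbound hits from the same host, a download followed shortly by a POST to a neighbouring address, are exactly the download-then-exfiltrate sequence the post describes, which is why the direction field is worth keeping in the output.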