RBN – The Top 20, fake anti-spyware and anti-malware Tools

In a continuation of the discovery of the RBN’s “Retail Division”, one of its most important exploit delivery methods is fake anti-spyware and anti-malware software used for PC hijacking and personal ID theft. This is also a source of direct-sale revenue for the RBN.

For example, MalwareAlarm is a dangerous fake anti-spyware product and an updated version of Malware Wiper. MalwareAlarm is stealth-based malware; according to McAfee’s SiteAdvisor, they tested 279 “bad” downloads from it. The methodology is to get the user to take a “free download”; MalwareAlarm then displays a warning message urging purchase of the paid version of MalwareAlarm, and of course the damage is already done by the initial action.

The purpose of this article is to demonstrate the multiplicity of nodes, connections and delivery routes. It is also a prompt to the community of the need for real-time CYBERINT (see blog here) based blocking and shield services. As is shown below, many are SBL and/or XBL blacklisted, but this covers only the core IP address and not the multiplicity of other mirrored hosts and servers.

There are several well known “RBN retail brands”; in Table 1 below we show the “Top 20”.

All of these are blacklisted elsewhere in some form, but are still highly active at this time; as in any product marketing model, some are entering a mature phase and others are newer variants. As seen within Table 1, this can produce some confusion, due to the apparent array of domains and IP addresses. Table 2 provides a simplification to the ten actual hosts and servers involved. As is a common theme of this blog, it again has to be noted that several major US based servers are involved, we hope unwittingly? Also note the potential for MITM “inside the server” website exploits affecting a further 1 million + web sites. For RBN blocking purposes, blocking 4/5 of the below would prevent access by the majority. The RBNetwork, AS 40989, encompasses AS28866 (AKIMON AS Aki Mon Telecom) and AS41173 (SBT AS SBT Telecom), as previously mentioned within this blog.

In answer to a few readers’ queries: one of the major problems with an analysis of the RBN’s activities is “What is the scale of this, how do we quantify it?” Table 3 below shows a limited sample and is provided in this brief form to deliberately demonstrate the numbers. It should be understood that, luckily, not every site visitor will download the exploits. A simple “Google” of some of these examples will show the numerous forum posts and queries on how to remove the resultant infections. Included is the “Alexa” rank, to demonstrate that jellyfish.com, an auction site recently acquired by Microsoft, has about the same rank as MalwareAlarm.

As requested, there will be a more detailed follow-up on this topic, plus the requested RBN IP block information. A forthcoming article will also shed light on the RBN’s payment and secure data transmissions.