RBN – 76 Service Team, Loads cc, and their location

Although most report the Russian Business Network (RBN) has disappeared, this RBN watch-blog still follows its active domains, its “retail division”. In a follow up to an earlier article on 76 Service, Gozi, hang Up Team and US Hosting, same business just different location and an added common thread.



Fig 1. Common thread – the RBN’s slogan?


76 Service is now 76 Team.com (click on pic to see detail)

Fig2. Current 76 Service user landing page

As we can see although using a new domain it still displays the familiar RBN “76 Service” branding. Just to remind ourselves subscribers to 76 service can log in, pull down the latest drops, i.e. data deposits from the Gozi-infected machines they subscribed to, e.g. 3.3 GB one containing more than 10,000 online credentials (ID theft) taken from 5,200 PCs.




Loads.cc (click on pic to see detail)

Fig3. Loads.cc – Order page


As reported Loads.cc allows less technically proficient cyber-criminal affiliates to "cash in”, the site provides information on the availability and size of the botnet in real-time. Although it has been seen this method is different from that of other similar schemes, such as 76service whereas Loads.cc allows you to pay to infect computers.







Common Thread?

  • 76 Team (back1.76team. com or bavk1.76team.com) – IP = 208.72.170.189 = AS 26780 MCCOLO - USA
  • Loads.cc – IP = 212.24.53.4 AS 15756 CARAVAN ISP "CARAVAN" Moscow, RU
Although the two sites appear dissimilar we have to dig a little deeper , examine the next two figures


Fig 4 (a) 76 Service / Team Name servers (click on pic to see detail above)



Fig 4 (b) Loads cc Name servers (click on pic to see detail above)



The common thread is in two parts:

  • Loads.cc infects the PCs, 76 Service / Team sells the IDs from those same infected PCs.
  • Also as figs 3 & 4 show the common name servers i.e. orderbox-dns and optical jungle with corresponding IP ranges, both within AS30315 and AS31898. These two domain ranges are part of Resellerclub and Logic boxes, which in turn is owned by Directi.com.


Directi is a very fast growing web hosting and reseller based in India. From its own literature it places a value of $300 million. The slogan in Fig1 is from Directi, and we hope does not reflect the RBN’s constant aim.

Infrastructure:
  • Directi has offices in India and UAE
  • The new Directiplex, being designed by Hafeez Contractor, a $25 million facility with a capacity of 1700 people, will be ready by December 2007
  • Directi has also opening two offices in China - Beijing and Xiamen
  • Directi has partnerships with several datacenters worldwide and operates hundreds of servers worldwide for its various businesses

This blog is not suggesting anything more (at this time) than Directi have joined the ranks of the RBN host / name server “stooges”. Hopefully Directi will respond to the related abuse communications promptly.



Fig5 Directi Ops




It is reasonable to draw the following quantitative conclusions from the above and related:

  1. 76 Service / Team and Loads.cc are synonymous RBN retail operations, working both sides of botnet operations and exploiting personal IDs.
  2. They are both now operational via Indian web space and elsewhere via Directi
  3. The community and this blog as a whole have helped to force the RBN from their own servers, the original 76 Service base within Noc4 Hosts, The Planet, and elsewhere, due to publicity and improved CYBERINT and blocking. This not the time to belive in the demise of the RBN, for historians the first time was in 2004.

References:

Original disclosure on 76 Service Recent article on Loads.cc

Labels: , , ,