This blog primarily uses a quantitative organizational analysis as its core approach in the study of the Russian Business Network (RBN). To study a "soft" organization as the RBN look for; interaction with external entities, behavioral patterns, history of quantifiable actions, and common threads, with the aim to reduce the complexity the RBN hides behind. In the third in the series on the RBN “fake” or “rogue software” to begin - figure 1 demonstrates this simplicity.
From article 2 of 3 we were able to demonstrate at least 40 of about 57 well known fake anti-spyware / anti-malware / rogue software products originated from RBN sources. Also it is known the RBN was behind other recently publicized events such as; Bank of India hack, PDF exploit, so what is the common thread?
Firstly let us highlight a few key RBN “retail” exploit delivery methods:
a. Gozi/Ursnif/Snifula trojans = 76service, PDF exploit, etc.
b. Trojan Zlob + = Malware Alarm, AntiVirGear, etc.
c. iFrame = iFrame Cash, Bank of India etc.
To target the RBN (figure1) we compare the delivery methods with specific organizational elements, for simplicity it is based upon the AS (Autonomous System -- A collection of routers under a single administrative authority):
RBN (AS 40989) – Source and destination of a majority of RBN fakes, PDF exploit and the Bank of India Hack.
Estdomains (AS 27595) – The domain registration and has its own hosting for the majority of the RBN fakes, also X-TRAFFIC.BIZ was also one of the key domains used in the Bank of India hack, within Intercage.
Intercage (AS 27595) - AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), (Note: also interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27595). This hosts or acts as a name server for 34 of the 40 fakes, but also does carry IP address 22.214.171.124 also one of the 2 domains involved in the Bank of India hack.
The “5” stooges – are alternative hosts or carriers of many of RBN fakes and other RBN exploits. To be charitable it could be said these are just being duped, however noting the many complaints within security forums and blogs over some time this blog is not inclined to be charitable, they are:
CRONOS - AS 42773 (Latvia)
GLOBALTRADE - AS 39634 (RU)
PILOSOFT - AS 26627 (US)
STARHUB - AS 4657 (Singapore)
TIMEDOTCOM - AS9930 (Malaysia)
It is important to recognize the scale of the RBN fakes i.e. over 4 million internet visitors per month
The same RBN organizational structure is responsible for a majority of the major internet and PC security threats and exploits seen over recent times, e.g. Bank of India hack, PDF spam exploit, Mpack, etc.
The “stooges” and other server operations that even unknowingly house RBN operations should act to prove they are not working in tandem with the RBN, not vice-versa.
For example this blog is housed by Blogger which is Google. As any organization does the RBN has elements which are not titled RBN, written in Russian, or physically based in St. Petersburg. So let us commence to be realistic i.e. AS 27596 - Intercage, Estdomains, et. al - IS A FUNDEMENTAL PART OF THE RBN!
These 3 articles could not have been possible without the information, feedback and encouragement of many, in particular:
Appx - Final list of the 57 fakes / rogue software- 40 specific RBN studied, 17 other lesser fakes;
RBN Top 40: