RBN - Fake Tools, Rogue software, Bank of India, PDF, and more – the common thread (3 of 3)


This blog primarily uses a quantitative organizational analysis as its core approach in the study of the Russian Business Network (RBN). To study a "soft" organization as the RBN look for; interaction with external entities, behavioral patterns, history of quantifiable actions, and common threads, with the aim to reduce the complexity the RBN hides behind. In the third in the series on the RBN “fake” or “rogue software” to begin - figure 1 demonstrates this simplicity.




From article 2 of 3 we were able to demonstrate at least 40 of about 57 well known fake anti-spyware / anti-malware / rogue software products originated from RBN sources. Also it is known the RBN was behind other recently publicized events such as; Bank of India hack, PDF exploit, so what is the common thread?

Firstly let us highlight a few key RBN “retail” exploit delivery methods:

a. Gozi/Ursnif/Snifula trojans = 76service, PDF exploit, etc.

b. Trojan Zlob + = Malware Alarm, AntiVirGear, etc.

c. iFrame = iFrame Cash, Bank of India etc.

To target the RBN (figure1) we compare the delivery methods with specific organizational elements, for simplicity it is based upon the AS (Autonomous System -- A collection of routers under a single administrative authority):

RBN (AS 40989) – Source and destination of a majority of RBN fakes, PDF exploit and the Bank of India Hack.


Estdomains (AS 27595) – The domain registration and has its own hosting for the majority of the RBN fakes, also X-TRAFFIC.BIZ was also one of the key domains used in the Bank of India hack, within Intercage.




Intercage (AS 27595) - AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), (Note: also interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27595). This hosts or acts as a name server for 34 of the 40 fakes, but also does carry IP address 58.65.239.66 also one of the 2 domains involved in the Bank of India hack.




The “5” stooges – are alternative hosts or carriers of many of RBN fakes and other RBN exploits. To be charitable it could be said these are just being duped, however noting the many complaints within security forums and blogs over some time this blog is not inclined to be charitable, they are:

CRONOS - AS 42773 (Latvia)

GLOBALTRADE - AS 39634 (RU)

PILOSOFT - AS 26627 (US)

STARHUB - AS 4657 (Singapore)

TIMEDOTCOM - AS9930 (Malaysia)


In conclusion:

It is important to recognize the scale of the RBN fakes i.e. over 4 million internet visitors per month

The same RBN organizational structure is responsible for a majority of the major internet and PC security threats and exploits seen over recent times, e.g. Bank of India hack, PDF spam exploit, Mpack, etc.

The “stooges” and other server operations that even unknowingly house RBN operations should act to prove they are not working in tandem with the RBN, not vice-versa.

For example this blog is housed by Blogger which is Google. As any organization does the RBN has elements which are not titled RBN, written in Russian, or physically based in St. Petersburg. So let us commence to be realistic i.e. AS 27596 - Intercage, Estdomains, et. al - IS A FUNDEMENTAL PART OF THE RBN!


References:

These 3 articles could not have been possible without the information, feedback and encouragement of many, in particular:

Dancho Danchev - Scott Berinato and Don Jackson - Symantec - McAfee’s Site Advisor -
Spyware Warrior - ISC Sans - ZDNet



Appx - Final list of the 57 fakes / rogue software- 40 specific RBN studied, 17 other lesser fakes;


RBN Top 40:
adprotect.com
adwareremover2007.com
antispyzone.com
antivermins.com
antiverminser.net
antiverminspro.net
antivirgear.com
antivirusgold.com
antivirusgolden.com
bravesentry.com
drives-cleaner.com
eprotectpage.com
magicantispy.com
malware-alarm.com
malwarealarm.com
malwarewipe.com
sigmacode.biz
spyaxe.biz
spydawn.com
spyheal.com
spylocked.com
spysheriff.com
spy-shredder.com
spyshredderscanner.com
spytrooper.com
spywall.net
spywarequake.com
thecleanersystem.com
thesafebar.com
thespyguard.com
virusburst.com
virusheal.com
virusprotectpro.biz
virusprotectpro.com
virusray.com
virusrescue.com
wildgadgets.biz
windowsafesurf.com
xmalwarealarm.com
xspy-shredder.com



Other 17:
1stantivirus.com
Adwarebazooka.com
adwaredelete.com
Adwarepunisher.com
Anti-virus-pro.com
Hitvirus.com
Innovagest2000.com
pesttrap.com
razespyware.net
Remedyantispy.com
Spycontra.com
spycut.com
Spydeface.com
spydemolisher.com
Spyiblock.com
spywareno.com
Virushammer.com