RBN – Google Search Exploits

The Russian Business Network (RBN) has been busy again, with a large number of poisoned web search results that lead to malware sites, as reported by Sunbelt.

The good news first: the exploiters can be precisely pinpointed back to the newer RBN core retail centers previously exposed in this blog on Nov 8th 07, i.e. iFramecash, myrdns, hostfresh, and AS 27595 (Atrivo, Intercage, Inhoster). As also reported, this is the same end route as the Bank of India hack, the fake anti-spywares and the fake codecs.

The bad news is that, as predicted, and probably one of the reasons for dropping their RBNetwork IP ranges, the RBN is increasingly using botnet-based fast-flux techniques (see Wikipedia) to hide the initial delivery sites behind an ever-changing network of compromised hosts, i.e. "double-flux", where nodes within the network register and de-register their addresses as part of the DNS SOA (start of authority) record list for the DNS (domain name server). This provides an additional layer of redundancy and survivability within the malware network, as seen in the case of the fake codecs.
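As an added illustration (not code from the original post or from any of the sources it cites), the following Python script models how a defender can recognise the double-flux pattern described above from nothing more than repeated DNS lookups of a suspect domain: it counts how many distinct A-record IPs and NS hosts the domain cycles through and how often consecutive answers differ. Double-flux is commonly defined as rotation of both the A records and the zone's NS records, which is what the `ns_changes` counter looks for. The domain names, IP addresses (documentation ranges only), timings and thresholds are all constructed assumptions and would need tuning against real resolver logs.

```python
"""Heuristic fast-flux / double-flux detector over a series of DNS answers.

Constructed example: every lookup below is synthetic and uses documentation
IP ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and .test names.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Lookup:
    ts: int                      # observation time in seconds (constructed clock)
    domain: str
    ttl: int                     # TTL returned with the A answer set
    a_records: Tuple[str, ...]   # IPs the domain resolved to
    ns_records: Tuple[str, ...]  # NS hostnames returned for the zone


def flux_profile(lookups: List[Lookup]) -> Dict[str, dict]:
    """Per-domain churn metrics: how many distinct IPs and NS hosts were
    seen, and how often consecutive answers differed from each other."""
    by_domain: Dict[str, List[Lookup]] = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)

    profiles = {}
    for domain, obs in by_domain.items():
        obs = sorted(obs, key=lambda o: o.ts)
        ips, nss = set(), set()
        ip_changes = ns_changes = 0
        prev = None
        for o in obs:
            ips.update(o.a_records)
            nss.update(o.ns_records)
            if prev is not None:
                ip_changes += int(set(o.a_records) != set(prev.a_records))
                ns_changes += int(set(o.ns_records) != set(prev.ns_records))
            prev = o
        profiles[domain] = {
            "lookups": len(obs),
            "unique_ips": len(ips),
            "unique_ns": len(nss),
            "ip_changes": ip_changes,
            "ns_changes": ns_changes,
            "min_ttl": min(o.ttl for o in obs),
            "span_s": obs[-1].ts - obs[0].ts,
        }
    return profiles


def classify(profile: dict, min_unique_ips: int = 5, max_ttl: int = 300) -> str:
    """'double-flux' when both the A answers and the NS set keep changing,
    'single-flux' when only the A answers churn, otherwise 'stable'.
    Low-TTL round-robin CDNs also score as single-flux, so that label is a
    lead for analyst review rather than a verdict. Thresholds are assumed."""
    churning_ips = (profile["unique_ips"] >= min_unique_ips
                    and profile["min_ttl"] <= max_ttl
                    and profile["ip_changes"] > 0)
    if not churning_ips:
        return "stable"
    if profile["ns_changes"] > 0:
        return "double-flux"
    return "single-flux"


def _obs(domain: str, ttl: int, series) -> List[Lookup]:
    """Build lookups from (a_records, ns_records) pairs sampled every 300 s."""
    return [Lookup(300 * i, domain, ttl, a, ns) for i, (a, ns) in enumerate(series)]


NS_STABLE = ("ns1.stable.test", "ns2.stable.test")
NS_CDN = ("ns1.cdn.test", "ns2.cdn.test")

SAMPLE_LOOKUPS: List[Lookup] = (
    # double-flux: both the A records and the NS set rotate every few minutes
    _obs("redirect.flux.test", 60, [
        (("192.0.2.10", "192.0.2.11"), ("ns1.flux.test", "ns2.flux.test")),
        (("192.0.2.12", "192.0.2.13"), ("ns1.flux.test", "ns2.flux.test")),
        (("198.51.100.20", "192.0.2.10"), ("ns3.flux.test", "ns2.flux.test")),
        (("198.51.100.21", "198.51.100.22"), ("ns3.flux.test", "ns4.flux.test")),
        (("192.0.2.14", "198.51.100.23"), ("ns1.flux.test", "ns4.flux.test")),
        (("192.0.2.15", "192.0.2.11"), ("ns5.flux.test", "ns2.flux.test")),
    ])
    # single-flux-looking: IPs rotate under a low TTL, but the NS set never moves
    + _obs("assets.cdn.test", 120, [
        (("203.0.113.10",), NS_CDN), (("203.0.113.11",), NS_CDN),
        (("203.0.113.12",), NS_CDN), (("203.0.113.13",), NS_CDN),
        (("203.0.113.14",), NS_CDN),
    ])
    # stable: one IP, long TTL, fixed NS
    + _obs("www.stable.test", 3600, [(("203.0.113.5",), NS_STABLE)] * 6)
)


def run_sample() -> Dict[str, str]:
    """Classify every domain in the constructed sample."""
    return {d: classify(p) for d, p in flux_profile(SAMPLE_LOOKUPS).items()}


if __name__ == "__main__":
    for domain, prof in flux_profile(SAMPLE_LOOKUPS).items():
        print(f"{domain:22} {classify(prof):12} {prof}")
```

In practice the `Lookup` records would be fed from passive DNS or resolver query logs collected over hours, and the NS churn is the signal that separates a double-flux network from an ordinary low-TTL content delivery setup.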

The path this particular web search exploit takes for the unfortunate end user can be shown as:

Investigation of the actual Trojan downloads shows the use of the newer, until now undistributed, edition of MPack, which includes a host of exploits including scam.Iwin, keyloggers, DNS changers, etc. Despite the difficulty of tracking botnet fast-flux usage, detailed investigation of the specific domain name servers yields the details below. With this information Google and other search engines should easily be able to eliminate such a threat, and it hopefully provides law enforcement with further evidence:

1 – The web search “fake” sites.

All the fake web search sites researched in this exploit emanate from 2dayhost.com, an apparent botnet based at AS8001 Net Access Corporation, 1719 Route 10 Suite 318, Parsippany, NJ 07054. The following is a sample of the domains and name servers involved at this stage: feidqaadppta.cn - igekqzeabkwz.cn - luewusxrijke.cn - zhvmizyycuzz.cn. All were registered very recently, on Nov 25th 2007, under Name Server: ns1.erik-kartman2.com and Name Server: ns2.erik-kartman2.com, also based at 2dayhost.com / AS8001 Net Access Corporation (please note that despite the .cn TLD, the domains and registrant have nothing to do with China).

Figure 2. Fake search site map

2 – Victim Reception sites.

As mentioned earlier, the “usual suspects” of iFramecash, myrdns, hostfresh, and AS 27595 (Atrivo, Intercage, Inhoster) are responsible. The following three figures show the relationship:

Figure 3. Victim reception A

Figure 4. Victim reception B

Figure 5. Victim reception C