RBN – Google Search Exploits

The Russian Business Network (RBN) has been busy again with a significant amount of loaded web search results which lead to malware sites as reported by Sunbelt.


The good news first is being able to precisely pin point the exploiters back to newer RBN core retail centers as previously exposed in this blog on Nov 8th 07 – i.e. iFramecash, myrdns, hostfresh, and AS 27595 i.e. Atrivo, Intercage, Inhoster. Also as reported this is the same end route as the Bank of India hack, fake anti-spywares and fake codecs.


The bad news is, as predicted and one of the probable reasons for dropping their RBnetwork IP ranges , the RBN is increasingly using botnet based fast-flux techniques (see Wikipedia) to hide the initial delivery sites behind an ever-changing network of compromised hosts i.e. "double-flux" nodes within the network registering and de-registering their addresses as part of the DNS SOA (start of authority) record list for the DNS (domain name server). This provides an additional layer of redundancy and survivability within the malware network as seen in the case of the fake codecs.


This particular web search exploit for the unfortunate end user can be shown as:




From investigation into the actual Trojan downloads this shows the use of the newer undistributed till now edition of MPack which includes a host of exploits including the scam.Iwin, keyloggers, DNS changers, etc. Despite the difficulty of tracking botnet fast-flux usage by detailed investigation of the specific domain name servers the details are as follows, with this information Google and other search engines should easily eliminate such a threat, and hopefully provides law enforcement with further evidence:



1 – The web search “fake” sites.


All researched in this exploit all these fake web search sites emanate from 2dayhost.com an apparent botnet based at AS8001 Net Access Corporation 1719 Route 10 Suite 318 Parsippany, NJ 07054. In the following sample of the domains and name servers involved at this stage: feidqaadppta.cn - igekqzeabkwz.cn - luewusxrijke.cn - zhvmizyycuzz.cn All were registered very recently on Nov 25th 2007 under Name Server: ns1.erik-kartman2.com and Name Server: ns2.erik-kartman2.com – also based at 2dayhost.com / AS8001 Net Access Corporation (please note despite the .cn the domains and registrant have nothing to do with China).


Figure2 – Fake search site map



2 – Victim Reception sites.

As mentioned earlier the “usual suspects” of iFramecash, myrdns, hostfresh, and AS 27595 i.e. Atrivo, Intercage, Inhoster, are responsible. The following 3 figures show the relationship (click on the pic to see full size):



Figure 3. Victim reception A




Figure 4. Victim reception B



Figure 5. Victim reception C

RBN – Fake Codecs

With the ongoing tracking of “fake” software websites related to the Russian Business Network (RBN) and their associates it is important to note the growth of the fake codec websites. A codec is a small program that's allows an operating system or a program to properly play audio or video in a particular format, e.g. MP3, WAV, Xvid, MPEG, Indeo and Cinepak.









Figure 1. Sample “fake” codec site - Gamecodec.com



This article is cumulative snapshot report based upon current and historical community reporting from; Zlob Watch (peki.blogspot), Sunbelt, and the excellent earlier work of Jahewi's Fake Codec Information (unfortunately last updated Jan 20th 07). The key issues are:


  • Currently shown here (see fig. 2 below) 53 active, with the 60 earlier reported mostly dormant domains (see fig. 3 below) provides for a total of at least 113 “fake” codec web sites operational over an 18 month period. It would appear many of the active domains alternate on a regular basis from being non resolvable (apparently offline) to online.


  • The prime exploits from these sites are (a) Zlob - shows fake error messages and silently installs fake anti-spyware products. (b) DNSChanger silently adds rogue DNS name servers to your PC or Mac. These name servers will resolve non-existing domains (typo-squatting) to IP addresses associated with the authors to generate revenue and could potentially re-routes traffic from legitimate web sites to other suspicious web sites. Ref peki.blogspot
Note: We should clarify that the Mac fake codecs are only for the DNS changing trojans and that not all the sites listed will spawn Mac stuff.



  • These exploits are designed for Mac and Windows users; with the attack vector similar to the “fake” anti-spywares however the technique is varied by constantly emerging new domains but mostly to a singular web landing page interface.


  • Most importantly all 113 domains are or were registered with Estdomains, similarly all of the active 53 domains in fig. 2 are hosted by AS27595 by Atrivo; AKA – Intercage, Inhoster, Cernal, etc. Also added should be AS 36445 a newer Autonomous Server apparently used by Cernal. For blocking purposes the following IP ranges should be incorporated:

64.28.176.0/20 AS27595 INTERCAGE
85.255.118.0/20 AS27595 INTERCAGE
85.255.112.0/20 AS36445 CERNEL











Figure 4 - Sample IP Map - Zerocodec

RBN – PC Hijacking via Banner-Ads on Major Web Portals

The Russian Business Network (RBN) in one of its boldest PC hijacking exploits used conventional banner-ads to redirect web visitors to “fake” anti-spyware sites, this is a new attack vector but uses known RBN server routes and exploits. Malware based ads have been spotted on various legitimate websites, ranging from baseball's MLB.com, NHL.com, Canada.com and The Economist. Acting as a conventional Flash file, the exploit is via DoubleClick's DART program, DoubleClick acknowledges the malware, and says it has implemented a new security-monitoring system that has thus far captured and disabled a hundred ads.



How the exploit works, servers and locations (confirm Explabs):

Example for mlb.com ... mlb.com – to - ad.doubleclick.net - to - newbieadguide.com - to - fixthemnow.com - this calls to safetydownload.com for the “fake” download





Example for nhl.com ... nhl.com – to - 2mdn.net -to - ad.doubleclick.net – to - adtraff.com – to -blessedads.com and prevedmarketing.com - to - malware-scan.com, for the “fake” download.







Figure 3 – Secure Hosting Bahamas



As shown above the key servers involved in particular Secure Hosting based in The Bahamas has been utilized on other occasions by RBN. It should also be noted the four specific exploit servers and their AS (Autonomous Server) are:


  • AS15146 Cable Bahamas Ltd. (also AS26855 INTERNET BAHAMAS) - SECUREHOST.COM - IP range involved - 190.15.72.0/21

  • AS29131 RAPIDSWITCH Ltd - London UK - IP range involved - 87.117.192.0/18

  • AS33510 SETUPAHOST - Toronto Canada - IP range involved - 66.244.254.0/24

  • AS41947 WEBALTA / Internet Search Company - Moscow Russia - IP range involved - 77.91.224.0/21

Each of these servers houses many other questionable and other exploit based domains within the same specific IP as those specific domains utilized within this PC hijack exploit, figure 4 – shows those domains which include 23 domains as “fake” anti-spyware or rogue software based upon the same RBN exploits as “Winfixer”, “SpySheriff”, etc.





This important exposure is thanks to excellent CYBERINT work within the community, references:

Explabs - Wired.com - Sunbelt

RBN – Russian Business Network - Faking its demise

Although it is true the Russian Business Network (RBN) as AS40989 RBN AS RBusiness Network has relinquished its IP addresses (not the related ‘peers’), this blog has never shown this as the core centre of RBN activity or particularly relevant to its commercial activity. To simply test the hypothesis of the demise of the RBN as in recent headlines in the press using phrases as “Mother of all cybercrime vanishes from the web”, or “RBN goes Poof” is to simple review one of the RBN’s major money earning retail activity.


HYPOTHESIS = Logically RBNs fake anti-spyware or rogue software should show major changes in serving and hosting over the last week or so, if the demise of the RBN is correct. Fortunately based on limited CYBERINT earlier we were able to show 57 well known ‘fakes’ and 34 of the top 40 being RBN related, below can be seen the specifics.


RESULT = With the exception of the loss of replacement of AS40989 secondary name servers there has been little or no change to the core IP addresses.

(a) For example; Antivirgear shows a current Alexa Trend/Rank: #5,473 (out of an estimated 60 million web sites) improved over the last month. 397,296 U.S. visitors per month which is 10.7% of its traffic thus visitors worldwide = 3.7 million, this is just one of many ‘fake’ web sites.

(b) It does assist in highlighting the role of Intercage AS 27595 (AKA; Atrivo (US), Inhoster - xbox.dedi.inhoster.com - Ukraine, and Estdomains) as a fundamental part of the RBN from 2004 (see .





For the results Figure 1 shows an overview of the RBN’s / Atrivo share of the ‘fakes’ market. For completeness (click on the images to enlarge);

Figure 2 - shows the complete list of the 57 ‘fakes’ in alphabetical order.

Figure 3 - shows the complete list of the 57 ‘fakes’ ranked to specific hosts / servers.

N.B. – It should be noted the 6 ‘fakes’ listed as offline, this are currently dormant, historically this has happened before and such domains often come back to use.







RBN – 76 Service Team, Loads cc, and their location

Although most report the Russian Business Network (RBN) has disappeared, this RBN watch-blog still follows its active domains, its “retail division”. In a follow up to an earlier article on 76 Service, Gozi, hang Up Team and US Hosting, same business just different location and an added common thread.



Fig 1. Common thread – the RBN’s slogan?


76 Service is now 76 Team.com (click on pic to see detail)

Fig2. Current 76 Service user landing page

As we can see although using a new domain it still displays the familiar RBN “76 Service” branding. Just to remind ourselves subscribers to 76 service can log in, pull down the latest drops, i.e. data deposits from the Gozi-infected machines they subscribed to, e.g. 3.3 GB one containing more than 10,000 online credentials (ID theft) taken from 5,200 PCs.




Loads.cc (click on pic to see detail)

Fig3. Loads.cc – Order page


As reported Loads.cc allows less technically proficient cyber-criminal affiliates to "cash in”, the site provides information on the availability and size of the botnet in real-time. Although it has been seen this method is different from that of other similar schemes, such as 76service whereas Loads.cc allows you to pay to infect computers.







Common Thread?

  • 76 Team (back1.76team. com or bavk1.76team.com) – IP = 208.72.170.189 = AS 26780 MCCOLO - USA
  • Loads.cc – IP = 212.24.53.4 AS 15756 CARAVAN ISP "CARAVAN" Moscow, RU
Although the two sites appear dissimilar we have to dig a little deeper , examine the next two figures


Fig 4 (a) 76 Service / Team Name servers (click on pic to see detail above)



Fig 4 (b) Loads cc Name servers (click on pic to see detail above)



The common thread is in two parts:

  • Loads.cc infects the PCs, 76 Service / Team sells the IDs from those same infected PCs.
  • Also as figs 3 & 4 show the common name servers i.e. orderbox-dns and optical jungle with corresponding IP ranges, both within AS30315 and AS31898. These two domain ranges are part of Resellerclub and Logic boxes, which in turn is owned by Directi.com.


Directi is a very fast growing web hosting and reseller based in India. From its own literature it places a value of $300 million. The slogan in Fig1 is from Directi, and we hope does not reflect the RBN’s constant aim.

Infrastructure:
  • Directi has offices in India and UAE
  • The new Directiplex, being designed by Hafeez Contractor, a $25 million facility with a capacity of 1700 people, will be ready by December 2007
  • Directi has also opening two offices in China - Beijing and Xiamen
  • Directi has partnerships with several datacenters worldwide and operates hundreds of servers worldwide for its various businesses

This blog is not suggesting anything more (at this time) than Directi have joined the ranks of the RBN host / name server “stooges”. Hopefully Directi will respond to the related abuse communications promptly.



Fig5 Directi Ops




It is reasonable to draw the following quantitative conclusions from the above and related:

  1. 76 Service / Team and Loads.cc are synonymous RBN retail operations, working both sides of botnet operations and exploiting personal IDs.
  2. They are both now operational via Indian web space and elsewhere via Directi
  3. The community and this blog as a whole have helped to force the RBN from their own servers, the original 76 Service base within Noc4 Hosts, The Planet, and elsewhere, due to publicity and improved CYBERINT and blocking. This not the time to belive in the demise of the RBN, for historians the first time was in 2004.

References:

Original disclosure on 76 Service Recent article on Loads.cc

RBN – Russian Business Network, Chinese Web Space and Misdirection

There has been recent speculation concerning the Russian Business Network (RBN) and its increasing use of Chinese web space. By way of discussing this topic it is useful to quantitatively view this aspect via a practical example. We can kill 2 birds with one stone and do this via a requested update on “iFrame Cash”.

The iFrame Cash is an active RBN enterprise we call here part of the RBN “Retail Division”. Simply the RBN pays webmasters or small web hosts a commission for planting or injecting IFrame exploits on web sites, this is done via the web site iframedollars.com and others.

Iframedollars has recently changed its IP location as it has done regularly since 2004, joining the dots (NB. Click on the images to see the detail):


1. iframedollars.com

= 58.65.234.17, ns1.iframedollars.com = 58.65.234.17, ns2.iframedollars.com = 58.65.234.18, MX iframedollars.com (mail server) = 58.65.234.17

58.65.234.0/24 = HOSTFRESH Internet Service Provider Pacific Internet (Hong Kong) Limited (Customer Route) REACH (Customer Route) = China?



2. myrdns.com / hostfresh.com

ns1.hostfresh.com = 58.65.238.100, ns2.hostfresh.com = 58.65.238.101

For, myrns.com sharing IP records = us1core.hostfresh.com, jishuqi.cn, shippingnv.com



3. For us1core.hostfresh.com


4. AS27595 = Intercage






So at this time:


(A) iFrame dollars facts ;
Host = Hostfresh, ICANN registrar = Estdomains, IP address changes = 14 (2 years), Who is records = 44 (since 2004). Alexa rank = #605,524 up 62,752 in the last 3 months

(B) Hostfresh facts ;
Host = Myrdns, ICANN registrar – IP address changes = 5 (2 years), Who is records = 233 (since 2004). Alexa rank = # 361,013 up 387,6323 in the last 3 months


(C) Intercage facts:
As reported earlier Intercage = AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), Estdomains, (Note: also interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27595). This hosts or acts as a name server for at least 34 of the 40 RBN fakes.


(D) IMPORTANT NOTE;
58.65.239.66 was also one of the 2 domains involved in the Bank of India hack.


In conclusion; 58.65.232.0 - 58.65.239.255 = HOSTFRESH = Hong Kong (PRC) / China?

This is Intercage again, to restate, many forum and other Internet user complaints dating back to 2004, and blacklisted by Spamhaus. However such blacklists are predominately used to block access “from” e.g. spam, we need a CYBERINT system to prevent access to. Currently only systems such as McAfee’s Site Advisor provide a web users guide and this is not perfect.




Also hopefully this example demonstrates that when watching the RBN because an IP address shows a Hong Kong / Chinese / Russian registrant or has Chinese or Russian writing does not mean it is actually based and hosted there.



Simple observation, just assume anything associated with the RBN is based on misdirection in the first place.

RBN – The Russian Business Network Has Closed Shop?

Russian Business Network (RBN) watching requires healthy cynicism and two simple tricks i.e. (1) View their actions as you would an illusionist or as a stage magician, look for the misdirection, (2) Observe a historical perspective.

The good news is the publicity shy RBN does appear to have responded or is being forced to respond to being under the microscope as reported by Brian Krebs of the Washington Post. The bad news is the RBN IP ranges reportedly withdrawn are not the current RBN IP ranges utilized in current exploits. The excellent work of Geoff Huston and his cidr-report provides great information for those interested in the AS (Autonomous Systems) side of the Internet. This shows the following:

Prefixes withdrawn by this origin AS in the past 7 days = AS40989 (RBN)

- 81.95.144.0/22 = Withdrawn

- 81.95.148.0/22 = Withdrawn

- 81.95.154.0/24 = Withdrawn

- 81.95.155.0/24 = Withdrawn

However, as shown here and elsewhere the recent RBN based PDF exploit utilized 81.95.146.130 and 81.95.147.107, further many of the RBN “fake” anti-spyware and anti-malware websites use 81.95.145.186 as one of the many Internet “name servers”. Therefore one can only conclude

- 81.95.145.0/22 = Still active

- 81.95.146.0/22 = Still active

- 81.95.147.0/22 = Still active

Historically there have been many welcome reports of the demise of the RBN and their acolytes stretching back to 2004. Without any political bias it is reminiscent of being told the war in Iraq, is over circa 2003. To maintain a focused watch on the RBN as an organically growing organization is one of the main reasons a few of us created this blog in 2007.

This blog can only repeat the RBN as an organization uses many; guises, name servers, routes, stooges, etc., to operate under the radar and confuse. The excellent recent publicity through the many blogs, e-zines, and newspapers currently must only assist in gaining the necessary attention required. If only for the current 4 million plus and growing Internet users who will visit the RBN fake sites this month, and the many more who will suffer due to iFrame injections, Mpack and more. It is appropriate for a cynical view of any RBN related actions, and even more importantly maintain our vigilance.

There will be a detailed follow up article which will show a current example of the RBN and the "apparent" use of Chinese web space.

RBN - Fake Tools, Rogue software, Bank of India, PDF, and more – the common thread (3 of 3)


This blog primarily uses a quantitative organizational analysis as its core approach in the study of the Russian Business Network (RBN). To study a "soft" organization as the RBN look for; interaction with external entities, behavioral patterns, history of quantifiable actions, and common threads, with the aim to reduce the complexity the RBN hides behind. In the third in the series on the RBN “fake” or “rogue software” to begin - figure 1 demonstrates this simplicity.




From article 2 of 3 we were able to demonstrate at least 40 of about 57 well known fake anti-spyware / anti-malware / rogue software products originated from RBN sources. Also it is known the RBN was behind other recently publicized events such as; Bank of India hack, PDF exploit, so what is the common thread?

Firstly let us highlight a few key RBN “retail” exploit delivery methods:

a. Gozi/Ursnif/Snifula trojans = 76service, PDF exploit, etc.

b. Trojan Zlob + = Malware Alarm, AntiVirGear, etc.

c. iFrame = iFrame Cash, Bank of India etc.

To target the RBN (figure1) we compare the delivery methods with specific organizational elements, for simplicity it is based upon the AS (Autonomous System -- A collection of routers under a single administrative authority):

RBN (AS 40989) – Source and destination of a majority of RBN fakes, PDF exploit and the Bank of India Hack.


Estdomains (AS 27595) – The domain registration and has its own hosting for the majority of the RBN fakes, also X-TRAFFIC.BIZ was also one of the key domains used in the Bank of India hack, within Intercage.




Intercage (AS 27595) - AKA; Inhoster (xbox.dedi.inhoster.com - Ukraine), Atrivo (US), (Note: also interestingly Broadwing Communications a backbone internet operation now owned by Level 3 Communications, Inc - NASDAQ: LVLT- appears to be the core mail carrier and mirrored hosting for AS 27595). This hosts or acts as a name server for 34 of the 40 fakes, but also does carry IP address 58.65.239.66 also one of the 2 domains involved in the Bank of India hack.




The “5” stooges – are alternative hosts or carriers of many of RBN fakes and other RBN exploits. To be charitable it could be said these are just being duped, however noting the many complaints within security forums and blogs over some time this blog is not inclined to be charitable, they are:

CRONOS - AS 42773 (Latvia)

GLOBALTRADE - AS 39634 (RU)

PILOSOFT - AS 26627 (US)

STARHUB - AS 4657 (Singapore)

TIMEDOTCOM - AS9930 (Malaysia)


In conclusion:

It is important to recognize the scale of the RBN fakes i.e. over 4 million internet visitors per month

The same RBN organizational structure is responsible for a majority of the major internet and PC security threats and exploits seen over recent times, e.g. Bank of India hack, PDF spam exploit, Mpack, etc.

The “stooges” and other server operations that even unknowingly house RBN operations should act to prove they are not working in tandem with the RBN, not vice-versa.

For example this blog is housed by Blogger which is Google. As any organization does the RBN has elements which are not titled RBN, written in Russian, or physically based in St. Petersburg. So let us commence to be realistic i.e. AS 27596 - Intercage, Estdomains, et. al - IS A FUNDEMENTAL PART OF THE RBN!


References:

These 3 articles could not have been possible without the information, feedback and encouragement of many, in particular:

Dancho Danchev - Scott Berinato and Don Jackson - Symantec - McAfee’s Site Advisor -
Spyware Warrior - ISC Sans - ZDNet



Appx - Final list of the 57 fakes / rogue software- 40 specific RBN studied, 17 other lesser fakes;


RBN Top 40:
adprotect.com
adwareremover2007.com
antispyzone.com
antivermins.com
antiverminser.net
antiverminspro.net
antivirgear.com
antivirusgold.com
antivirusgolden.com
bravesentry.com
drives-cleaner.com
eprotectpage.com
magicantispy.com
malware-alarm.com
malwarealarm.com
malwarewipe.com
sigmacode.biz
spyaxe.biz
spydawn.com
spyheal.com
spylocked.com
spysheriff.com
spy-shredder.com
spyshredderscanner.com
spytrooper.com
spywall.net
spywarequake.com
thecleanersystem.com
thesafebar.com
thespyguard.com
virusburst.com
virusheal.com
virusprotectpro.biz
virusprotectpro.com
virusray.com
virusrescue.com
wildgadgets.biz
windowsafesurf.com
xmalwarealarm.com
xspy-shredder.com



Other 17:
1stantivirus.com
Adwarebazooka.com
adwaredelete.com
Adwarepunisher.com
Anti-virus-pro.com
Hitvirus.com
Innovagest2000.com
pesttrap.com
razespyware.net
Remedyantispy.com
Spycontra.com
spycut.com
Spydeface.com
spydemolisher.com
Spyiblock.com
spywareno.com
Virushammer.com