RBN – Out with the New and in with the Old – Mebroot

The Russian Business Network (RBN) is using one of its usual deceptive approaches, sowing confusion by reusing old domains and recycling exploit techniques; Mebroot is a case in point. There has rightly been a great deal of press (see links below) concerning Mebroot, as identified by Symantec on Jan 8th 08. It is a rootkit exploit that overwrites part of a computer's hard drive called the Master Boot Record (MBR). It is still a deadly and difficult exploit: once established and undetected, it confounds most anti-virus software. Its purpose is to hijack the user's PC, which is then redirected to download other exploits used to steal banking information and commit ID theft. The good news is that there are some straightforward detection and removal tools, e.g. GMER; see also the great write-up on their website of how a rootkit actually works.
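Because the MBR is a fixed 512-byte structure, an overwrite of the kind described above can be checked against a known-good baseline. The following is an added example, not code from this blog, GMER or Symantec: it assumes the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, a 0x55 0xAA signature) and a sector image read from trusted boot media rather than from inside the running, possibly compromised OS; all function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446        # boot code area; partition table starts here
SIGNATURE = b"\x55\xaa"    # expected at offsets 510-511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature check."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[BOOT_CODE_LEN + 16 * i: BOOT_CODE_LEN + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means an unused slot
            parts.append({"index": i, "bootable": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[510:] == SIGNATURE,
        "partitions": parts,
    }

def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return a list of differences between this sector and a stored baseline."""
    cur = parse_mbr(sector)
    findings = []
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def constructed_mbr(boot_code: bytes) -> bytes:
    """Build a sample sector (constructed test data, not taken from a real disk)."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x01", 0x07, b"\xfe\xff\xff", 63, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48) + SIGNATURE

if __name__ == "__main__":
    known_good = constructed_mbr(b"\xfa\x33\xc0")
    baseline = parse_mbr(known_good)            # store this while the machine is clean
    changed = constructed_mbr(b"\xfa\x33\xc0\x90\x90")
    print(compare_to_baseline(known_good, baseline))
    print(compare_to_baseline(changed, baseline))
```

A baseline is only meaningful if it was recorded before infection; a legitimate boot loader reinstall will also change the boot-code hash.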

So what is new? Well, the exploit sites are now using a fast-flux P2P botnet, and the exploit is polymorphic, i.e. it can alter its form and mutate. But this approach is the same old stuff by a different name: Torpig, Anserin, Gromozon, etc., even using some of the old domains for distribution. So where do the “new” exploit names come from? Unfortunately, from us. Our constant reductionist approach to BadWare is utilized by RBN to confound, and we play right into their hands: every time we rename their stuff, it makes it easier for them to blend into the confusion. The old is forgotten or not reported, and they reuse the old stuff all over again. When we all start using a commonly accepted holistic linguistic approach to the problem, we may win this war.

For details, a “small” sample, especially for our Italian Gromozon readers:

This particular example, callsolutions(dot)biz, is on one of our old friends, Pilosoft AS26627, with a bunch of RBN’s “very young” erotic sites sharing the name server a(dot)ns(dot)joker(dot)com.

As a comparative link, and no RBN blog article would be complete without mention of the RBN’s US division – kopythian(dot)com - Atrivo AS27595; AKA Inhoster, Intercage, and pecb(dot)cc at Atrivo’s Cernal AS36445.

Also, just so no one can say we are picking on Atrivo, or ask where the RBN link is, see the following “joining up the dots” of a very small sample out of 100’s of exploit domains on the same Atrivo name server, managedns1.estboxes.com:

2007postcards(dot)com (Storm),
malwareburn(dot)com (rogue anti-virus),
procodec(dot)com (fake codec),
virusheal(dot)com (rogue anti-virus),
xxl-cash(dot)com (RBN payment site) –
plus a cryptic graphic for our readers from the RBN so they know this is not guesswork.

IP figures:

Gmer - anti-rootkit download

Gmer - how a rootkit works

Symantec - Mebroot article

BBC - Mebroot