RBN - Atrivo: Cyber Crime USA

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, this first-of-its-kind open-source security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study, although fully self-contained, is the first of a series of reports; a monthly follow-up will report on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and, hopefully, efforts to stop them.


In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure and organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three-dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.




Document available for download from hostexploit.com


Video of the Exploitation of a PC User - YouTube

RBN - Georgia Cyberwarfare – Attribution & Spam Botnets

Further attribution highlighting specific RBN (Russian Business Network) leadership and RBN directed spam botnet observations.



Specific RBN Attribution

The individual with direct responsibility for carrying out the cyber "first strike" on Georgia is an RBN (Russian Business Network) operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He is best known for distributing the malware VirusIsolator (which downloads trojans to take control of the victim's computer). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending. Mr. Boykov is also a purveyor of porn spam.

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.

According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22. Presently, there is a large-scale spam campaign underway purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a virus is downloaded from 79.135.167.49 (Sistemnet Telecom - AS9121 TTNet (Turkey), associated with AbdAllah_Internet). Spamhaus issued a warning regarding 79.135.167.49 on July 29th in SBL66533.

Further investigation of Mr. Boykov and Mr. Smirnov is likely to implicate the Russian authorities in the cyber first strike.

Contribution - James McQuaid


Fig 1 - Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet


Further spam botnet analysis - Knujon

They are part of a botnet that came into existence in 2008. The vast majority show up in Mar/Apr 2008, but some have been sending spam since 2006.

80.255.244.19 = mx1.privatehost.nl (Web Media Services, Russian Federation)
79 hits in April 2008 and 4 in March 2008.

85.71.224.34 = 34.224.broadband4.iol.cz (Czech Republic)
5 hits spread over Feb, Mar and Apr 2008.

242.3.213.198 = mailrouter2.austincc.edu
107 in Mar/Apr 2008, 1 in Jan 2008 and 1 in 2006.

57.83.52.200 = mail5.hostweb.com.mx
1 in Jul 2007.

100.192.162.206 = mx2.seidata.com
90 in Mar/Apr 2008, 1 in Oct 2007.

16.164.163.212 = dns2.tea-cegos.es
104 in Mar/Apr 2008.

5.197.8.212 = mx2.teuto.net
209 total: 159 in Mar/Apr 2008, 2 in Jan 2008, 6 in Feb 2008, 39 in 2007, 3 in 2006.

118.32.147.216 = adoptolder.org
8 in Mar/Apr 2008.

165.209.35.217 = mx2.bt.net
100 in Mar/Apr 2008, 1 in Jan 2008, 65 in 2007, 9 in 2006.

Mar/Apr 2008 period (hits per sending host):

mail7.jetblue.com: 106
autoliike.com: 3
smtp.cablebahamas.net: 151
mx4.mardelhosting.net: 1
mx1.privatehost.nl: 83
34.224.broadband4.iol.cz: 5
un-158-235.domainunused.net: 31
pool-96-234-41-61.nwrknj.fios.verizon.net: 8
123-193-82-34.dynamic.kbronet.com.tw: 7
mbox.edmaster.it: 90
smtp3.willamette.edu: 77
argo.regione.toscana.it: 92
msgsrv1.itellium.net: 177
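To show how a per-host breakdown of the kind listed above is produced, here is an added example (not Knujon's or the blog's code) that groups spam-source observations by sending host and month and separates hosts first seen in 2008 from senders active in earlier years. The log lines and dates are constructed sample data, 192.0.2.7 is a documentation address, and the "date ip rDNS" line format is an assumption; the other two hosts are the ones named above.

```python
"""Group spam-source observations by sending host and month.

Added example, not Knujon's or the blog's code. Reproduces the per-host
breakdown style above from a constructed log and separates hosts first seen
in 2008 from senders active in earlier years.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log: one received spam per line, "YYYY-MM-DD <source ip> <rDNS>".
# 192.0.2.7 is a documentation address; the other two hosts appear on the page.
SAMPLE_LOG = """\
2008-03-02 80.255.244.19 mx1.privatehost.nl
2008-03-15 80.255.244.19 mx1.privatehost.nl
2008-04-01 80.255.244.19 mx1.privatehost.nl
2008-04-19 80.255.244.19 mx1.privatehost.nl
2006-11-04 192.0.2.7 relay.example.net
2007-05-20 192.0.2.7 relay.example.net
2008-03-30 192.0.2.7 relay.example.net
2008-04-12 192.0.2.7 relay.example.net
2008-04-13 192.0.2.7 relay.example.net
2008-02-09 85.71.224.34 34.224.broadband4.iol.cz
2008-03-21 85.71.224.34 34.224.broadband4.iol.cz
not a valid line
"""

WAVE = ("2008-03", "2008-04")   # the Mar/Apr 2008 wave discussed above


def parse_log(text):
    """Yield (date, ip, hostname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            when = date.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2]


def hits_by_host_and_month(text):
    """Return {ip: {"host": rdns, "months": Counter({"YYYY-MM": n})}}."""
    table = defaultdict(lambda: {"host": None, "months": Counter()})
    for when, ip, host in parse_log(text):
        table[ip]["host"] = host
        table[ip]["months"][when.strftime("%Y-%m")] += 1
    return dict(table)


def classify(entry):
    """Label a host '2008-only' or 'pre-2008 sender' and count Mar/Apr 2008 hits."""
    months = entry["months"]
    first_seen = min(months)                     # earliest "YYYY-MM" key
    return {
        "host": entry["host"],
        "total": sum(months.values()),
        "wave_hits": sum(months[m] for m in WAVE),
        "first_seen": first_seen,
        "profile": "2008-only" if first_seen >= "2008-01" else "pre-2008 sender",
    }


def summarize(text):
    """Per-source summary keyed by IP, in the style of the list above."""
    return {ip: classify(e) for ip, e in hits_by_host_and_month(text).items()}


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} {s['host']:28} total={s['total']:3} "
              f"Mar/Apr08={s['wave_hits']:3} first={s['first_seen']} {s['profile']}")
```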


Again, special thanks for the many community contributions and messages of support for the RBN blog in our efforts to expose cyber crime and the Russian Business Network. We welcome ongoing observations; send them to RBNexploit@gmail.com.

Refs:

RBN info from James McQuaid (his blog)

Spam botnet analysis: Dr. Bob Bruen of Knujon.com

RBN – Georgia Cyberwarfare – Continuation

On Friday August 15th and over the weekend another dimension has emerged on tracking RBN (Russian Business Network) server ranges. This concerns a new spam campaign which mocks Georgia's President, purporting to come from the BBC and spreads a new virus. This is very well described by UAB (University of Alabama) Spam Data Mine and on Gary Warner’s blog (see refs below).




The spam loads malware from various locations, which in turn causes the virus to be delivered from a single location, the IP address 79.135.167.49. The malware file is named "name.avi.exe" and, at the moment, only FOUR out of 36 anti-virus products detect it.

Why RBN, or rather, as in the title of this blog, ‘RBN and Related Enterprises’? We have commented before within the blog (see ref below) on 79.135.160.0/19 Sistemnet Telecom - AS9121 TTNet (Turkey), associated with AbdAllah_Internet, a cybercrime hosting range (thecanadianmeds.com etc.); see Spamhaus’ many ROKSO listings (refs below).




This provides a further element in an ongoing attempt at character assassination of Georgia and Mikheil Saakashvili, similar to the linking of the President to Nazi images, as Lenta.ru displayed using one of this blog’s images.






RBN or Cyberwar or not? - Nomenclature

Given this opportunity there has been a great deal of discussion within the community, after the event, as to RBN (Russian Business Network) or not RBN, cyberwar or hacktivists, Russian or not…


Without denigrating this important topic but “What walks like a duck, sounds like a duck, looks like a duck = maybe it’s a ______? (Fill in the blank)”


The cyber attacks against Georgia which first originated from IP space in TTnet Turkish Telekom (as this latest spam incident) were known RBN, and the subsequent server actions, botnet methodology, and tools used were also known RBN: there is no question about the facts, and there is no compelling reason to doubt the implications.


In a popular idiom, the movie “The Usual Suspects” used the phrase regarding the arch criminal Keyser Soze – “The greatest trick the Devil ever pulled was to make us believe he does not exist.” This was and still is the RBN’s greatest skill: to avoid detection, use deception and cause most onlookers to consider other suspects, i.e. in this case hacktivists, who are easily labeled unsophisticated and uncontrollable and are ignored as simpleton fanatics.


This provides a convenient transition to the one-sided CYBERWAR against Georgia by Russia. Do we really expect Russia, or for that matter any state aggressor, to openly announce what methods of warfare they are using? For example, there is no specific information from Russian government sources about Russian army actions still underway within Georgia despite the ceasefire. Nor do they inform us that the 22nd Guards ObrSpN ‘Spetsnaz’ of Rostov Oblast may have been operating within Abkhazia and South Ossetia, dressed in the uniforms of the local militia, since mid-July 2008, if such an action was the case. Why would we expect them to announce the CYBERWAR techniques also being used?


Two good sources of information may assist making a reasonable judgment:

Firstly the political, as Russian State Duma and member of the Security Committee Deputy Nikolai Kuryanovich stated in 2006 within a formal Russian parliamentary letter of appreciation to hackers who had taken down several Israeli web sites:

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." – Prediction or intent?


Secondly the strategic, from a few days ago:
“Cyber-attacks are part of the information war, making your enemy shut up is a potent weapon of modern warfare.” As stated by Alexander Denezhkin, editor of the Russian journal Cybersecurity.ru.



Finally a reasonable conclusion associated with the nomenclature is to consider the absurdity of treating the cyber criminal and national cyber security problems as a separate matter. Consider if any country had such a successful and existing Internet ‘black ops’ entity as the RBN within its borders, is it not logical that it would utilize or capitalize on such skills?


Perhaps what many find unpalatable is the example from the history of the 20th century, where there were similar apologists and we ignored developments in strategy and warfare such as the Blitzkrieg, at a huge later cost. This could be an early example of Russia’s hegemony, or controlling its neighbors, via an emerging “Cyber Iron Curtain”.




Jart Armin - RBNexploit.com



Refs:

UAB Spam Data Mine

UAB Blog

CanadianMeds - Sistemnet - TTnet

Spamhaus (a)

Spamhaus (b)





RBN - Georgia Cyberwarfare – Status and Attribution

The ongoing cyber siege of Georgia by Russian Internet servers is starting to show signs of weakness, or rather, weaknesses are being exploited.


Just as in “The Great Escape” there are always methods to bypass even the most sophisticated virtual fences.



Fortunately, long-term study of RBN (Russian Business Network) or Russia’s “FSB Cyber Warriors” techniques assists. Conventionally they are adept at hiding their true origins, but for a siege on this scale they are openly showing more of their routing than they would like to, which will assist us now and in the future. In this case it helped pinpoint some obviously forged web sites, which are now offline, and assisted in rerouting. Good lessons for future cyber wars.


To our many readers on ‘Lenta.Ru’ we would like to stress we are not anti-Russian. We have Russian based supporters and contributors. However, we are anti cyber criminal, anti hacker, and anti cyber war; hopefully Russia will realize this simply restricts all Internet users, including themselves, from freedom of speech.


There was rightful indignation as the cyber war extended to the Russian news agency ‘RIA Novosti’, which was offline due to a DDoS attack for 10 hours over Sunday night and Monday morning.



Georgia – Web Status

Russian based servers AS12389 ROSTELECOM, AS8342 RTCOMM, AS8359 COMSTAR and with the more recent addition of AS8631 Routing Arbiter for Moscow Internet Exchange, are still in a commanding position. AS9121 TTNet of Turkey still remains routed through the Russian servers, not directly to Georgia. But alternative links have been made to AS35805 UTG AS United Telecom of Georgia and other servers based in Georgia.




Due to this (at this time) the Georgian Foreign Ministry mfa.gov.ge is back online consistently and president.gov.ge is also now online and showing recent announcements. To demonstrate international solidarity, the web site of the President of Poland was also carrying Georgian state communications as a courtesy.




One interesting aspect has been president.gov.ge using a US based name server, which was also offline due to DDoS from Thursday until Monday pm. Could this be considered a transgression by the FSB cyber warriors / Russian forces on US soil?


Note: we still show CyberDefcon = level 5



Georgia – Cyberwar Attribution

There has been a great deal of speculation and discussion with regard to attribution. We do not in normal circumstances reveal this level of detail, but we do so here due to the serious nature of this situation (see the diagram below):




This is ‘stopgeorgia.ru’, which is also utilizing ‘stopgeorgia.info’ as a redirect; the web site itself provides DDoS attack tools for download and, as the screen grab shows, lists mostly .ge web sites as priorities for attack. Note: also targeted for attack is the US embassy in Tbilisi.



This web site, as seen before is an open site to attract future FSB cyber warriors. How this is hosted and the domain registration provides more clues:



Stopgeorgia.ru – Hosted by AS36351 Softlayer of Plano Texas, well known as associated with Atrivo / Intercage malware hosting connectivity.



Stopgeorgia.info - Hosted by AS28753 NETDIRECT Frankfurt, DE / AS12578 APOLLO LATTELEKOM APOLLO Latvia.



Sponsoring Registrar: EstDomains, Inc.



Registrant: Domain Manager, Protect Details, Inc, Street1: 29 Kompozitorov St., Saint Petersburg, RU, Phone:+7.8129342271



Hopefully most Internet security observers will recognize the ‘usual suspects’ above?



Special thanks to Richard Stiennon and Cyrus Farivar

RBN – Georgia CyberWarfare - Russian Ground Forces Invade Georgia

Russian Ground Forces Invade Georgia

FOR IMMEDIATE RELEASE Monday, August 11 - 20:20 Tbilisi, Georgia



** UPDATE **
URGENT: Russian Ground Forces Invade Georgia, Georgian Army Retreats to Defend Capital; Government Appeals for Urgent International Intervention

At this hour, the invading army of the Russian Federation has entered Georgian territory outside the conflict zones of Abkhazia and South Ossetia. The Georgian army is retreating to defend the capital. The Government is urgently seeking international intervention to prevent the fall of Georgia and the further loss of life.

"We no longer know the limits of the invading Russian army—Russia seems intent on overthrowing the democratically elected government of Georgia and occupying the country," said Alexander Lomaia, the Secretary of the National Security Council. "As a consequence, the National Security Council has just decided to bring the Georgian army to Tbilisi in order to defend the capital and prevent the fall of Georgia."

European political leaders, including Swedish Foreign Minister Carl Bildt, are in Tbilisi meeting now with the President of Georgia to seek a way to stop the Russian onslaught.

The Government of Georgia announced a unilateral cease fire on Sunday morning, withdrew its forces from South Ossetia, and sued for peace. Despite the ceasefire and withdrawal—and in defiance of outraged international criticism of its invasion of Georgia—Russia is continuing its fierce offensive that has left hundreds of civilians dead and thousands injured.

RBN – Georgia CyberWarfare – Conference Call

Media Alert - President Saakashvili To Brief Reporters Via Teleconference

Mikheil Saakashvili, President of Georgia, to Brief International Media on Latest Developments in Georgia

Monday, August 11, 11:00 CET (13:00 TBS, 10:00 UK Time, 05:00 ET)

Tbilisi, Georgia - Mikheil Saakashvili, President of Georgia, will be giving a briefing for international media via teleconference on Monday, August 11, at 11:00 CET (13:00 TBS, 10:00 UK Time, 05:00 ET).

WHEN: The call will take place on Monday, August 11, at 13:00 Tbilisi Time (11:00 Central European Time, 10:00 UK Time, 05:00 Eastern Standard Time); the call will run for approximately 30 minutes.

HOW TO JOIN THE CALL:

  • To join the call, dial +1.706.679.3044 (internationally) or 877.810.6130 (in the USA)


  • Provide the operator with this conference ID: 59983245


  • While it is not required in order to join the call, please send your name, affiliation, and email address to GeorgiaNSC@gmail.com if you would like to receive any updated information prior to the call.


HOW TO ASK QUESTIONS: Questions to NSC Secretary Lomaia can be posed live during the call; also, they can be sent via email before or after the conference call to: GeorgiaNSC@gmail.com.

FURTHER INFORMATION & INTERVIEWS: For further information, please send an email to GeorgiaNSC@gmail.com.

RBN – Georgia CyberWarfare – Info Update - Sun Aug 10 - 19:00 GMT – 15:00 East Coast

As requested we relay important information from The Ministry of Foreign Affairs of Georgia.



We also provide an important reminder to use caution with any web sites that appear to be of a Georgian official source but are without any recent news, i.e. Sat/Sun, Aug 9/10, as these may be fraudulent. For example, check georgiamfa.blogspot.com, which is now providing reliable and the most recent statements.



FOR IMMEDIATE RELEASE
Sunday, August 10, 20:30 Tbilisi, Georgia - Ministry of Foreign Affairs of Georgia




Russian Fighter Jets Bomb Tbilisi's Civilian Airport



The Government of Georgia confirms that at 19:00 local time, Russian aircraft bombed the civilian airport in Tbilisi. There is no military activity of any kind at the airport.


The attack occurred several hours after Georgia offered a formal ceasefire to Russia, via Russia's Ambassador to Georgia, and declared Georgia's readiness to immediately start negotiations with the Russian Federation on the termination of hostilities.


The Secretary of Georgia's National Security Commission, Alexander Lomaia released the following statement:


"The attack on Tbilisi Airport offers further evidence that Russia's invasion of Georgia is not about Abkhazia and South Ossetia. The goal of the Russian Federation-which today also blockaded our Black Sea ports and is relentlessly bombing civilian sites throughout the country-is to overthrow the democratically elected government of this small European nation."



The following graphics released today show the extent of the Russian attack on Georgia.




Source: Ministry of Foreign Affairs of Georgia - georgiamfa.blogspot.com

RBN - Georgia CyberWarfare – 2 – Sat 16:00 East Coast, 20:00 GMT

Firstly welcome to the many blog readers from “forum.ge”. Allow us to explain what is going on.


You can see and read us; we cannot get to you. Outbound email is also a possible problem, so email rbnexploit@gmail.com (if and when you can) to get messages out and we will relay them to their destination.

To explain to everyone else this is a full cyber siege of Georgia’s cyber space:

As an update: within the community, our friends in Germany had managed to pierce the siege and gain a direct routing to Georgia via AS3320 DTAG Deutsche Telekom for a few hours this afternoon. For the time being AS8359 COMSTAR Direct (Moscow region network, CJSC COMSTAR Direct, Smolenskaya Sennaya Sq. 27 block 2, 119121 Moscow, Russia) has intercepted this and is redirecting this route of cyber traffic via its servers. The good news is other German servers are now also attempting to access Georgian servers directly.

We are receiving further offers to help reroute traffic which is underway in an attempt to lift the siege. Further offers are welcome.

For those of a technical nature we show the latest server routing map (see diagram below), which clearly shows the Russian based servers AS12389 ROSTELECOM, AS8342 RTCOMM, and AS8359 COMSTAR controlling all traffic to Georgia’s key servers, for example AS28751 CAUCASUS NET AS (Caucasus Network, Tbilisi, Georgia) and AS20771 DeltaNet Autonomous System (DeltaNet ltd, 0179 Tbilisi, Georgia).

Even the Turkish (often RBN controlled) network AS9121 TTNet is now being blocked via COMSTAR; we understand via colleagues in Istanbul that the Turkish authorities are trying to regain control of these servers and provide direct routing to Georgia.

At this time all Georgia government web sites are unobtainable from US, UK, FR, and DE cyber space, as examples. All blog colleagues elsewhere please contact us if you are able to gain direct web access inbound.


We also relay, as requested, the warning not to depend on any web sites that 'appear' of a Georgia official source, but are without any recent statements i.e. Friday / Saturday Aug 8/9, as these are likely to be fraudulent.



RBN - Georgia CyberWarfare

RBN (Russian Business Network) now nationalized, invades Georgia Cyber Space

Sat – 2008 08 09 5:00 EST

As requested by community relay, the following is a report on the cyber war underway in parallel with conventional warfare. Many of Georgia’s Internet servers were under external control from late Thursday; Russia’s invasion of Georgia commenced on Friday. Any blog reader is further requested to relay the information below to the international press and community to ensure awareness of this situation. Also, as much of Georgia’s cyberspace is now under unauthorized external control, the following official press statement is circulated without modification. The report on the cyberwar follows it.

Official Press Statement from the Government of Georgia


Georgia seeks peaceful resolution to the conflict in South Ossetia
Georgian troops mobilize to protect civilian population from rebel attacks
TBILISI – Sat 09 August 2008 –


The Government of Georgia has sought to defuse the tense and violent situation in the South Ossetia region yesterday by declaring a unilateral ceasefire and appealing to the leadership of the separatist rebels to begin talks with the State Minister for Reintegration Temuri Yakobashvili. Despite calls for peace, separatist rebels continued to attack Georgian police posts and the civilian population.


Initially government forces did not return fire. However, at 8:30pm the village of Avnevi came under fire from separatists and the village was almost completely destroyed. The government-controlled village of Prisi also came under attack by separatists, which left several people wounded.


In response to separatist attacks on government-controlled villages, Georgian Armed Forces occupied several villages in South Ossetia early this morning. At around 5:30am, Russian Federation forces began moving into the conflict zone through the Roki tunnel, which connects Russia and Georgia and has been an entry point for the illegal transfer and sale of arms to separatist rebels. Two additional Russian units entered into Georgia through the Roki tunnel around 8:00am. The first Russian unit that entered Georgia through the Roki tunnel was killed as they attempted to cross the Gufta Bridge, which was also destroyed in the operation conducted by the government’s air command.


The Russian air force has also been conducting military operations in Georgia. Military fighter planes dropped bombs in four towns. The Russian air force also bombed the villages of Variani, injuring seven civilians, and dropped three bombs on Gori. The OSCE has confirmed the Gori operation was conducted by the Russian air force. So far several people have been killed and wounded, including innocent civilians.

In an effort to protect the civilian population, the President of Georgia Mikhail Saakashvili declared a unilateral ceasefire to be in effect between 3:00pm – 6:00pm Friday. During this time, the civilian population and the separatists were invited to cross the line of control. The government has also provided humanitarian assistance and full amnesty for those separatists that choose to surrender. As of 2:30pm, Georgian forces controlled 100% of Tskhinvali with just a few small groups still resisting government presence.
Despite the ceasefire, Russia continued to take aggressive military action within Georgian territory.

At 4:30pm and 5:35pm, Russian military aircraft bombed a Georgian military base in Marneuli three times, in the southern part of the country about 30 kilometres from Tbilisi, resulting in the destruction of grounded Georgian military equipment, severe damage to a number of buildings, and several casualties.



Russian military aircraft also entered Georgian airspace at 3:05pm and dropped two bombs on the Georgian military airbase in Vaziani, just on the outskirts of the capital.



For confirmation and current status of the cyberwar:


Example - Nameservers for www.itdc.ge, Georgia’s web development enterprise, are continuously showing:
* ns1.garse.net returned (SERVFAIL)
* ns2.garse.net returned (SERVFAIL)


Two traceroutes to web site mfa.gov.ge - Georgia Foreign Affairs - show:


(a) From US - Ge = Blocked via TTnet Turkey







(b) From Ukraine - Ge = available & slow; note: cached (forged page), now only via redirect through Bryansk, RU



Other Georgia government websites e.g. mod.gov.ge (Ministry of Defense) - president.gov.ge show:

(c) From US - Ge = Blocked via TTnet Turkey





(d) From Ukraine - Ge = Blocked via TTnet Turkey





Internally, several Georgia based servers are now only under external routing control, e.g. AS28751 CAUCASUS NET AS (Caucasus Network, Tbilisi, Georgia) and AS20771 DeltaNet Autonomous System (DeltaNet ltd, 0179 Tbilisi, Georgia).

These are now only available via AS12389 ROSTELECOM AS (JSC Rostelecom, RU) and AS8342 RTCOMM AS (RTComm RU Autonomous System, RU) servers; Georgian traffic through DeltaNet is being redirected via TTnet.





It should be noted that the networks AS8342 RTCOMM (RU), AS12389 ROSTELECOM (RU), and AS9121 TTNet Autonomous System Turk Telekom (TR) are well known to be under the control of RBN and influenced by the Russian Government. All efforts are being made to regain server control, and international assistance is requested to provide added Internet routing via neutral cyber space.
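As an added example (not the blog's own tooling) of checking traceroutes like the ones described above and in the earlier routing notes: it parses output modelled on Linux `traceroute -A` (hop number, host, IP, `[ASn]` annotation), flags hops in watch-listed transit networks (the AS12389, AS8342, AS8359 and AS9121 named on this page), and reports whether a Georgian destination AS (AS28751, AS20771, AS35805) was reached before the path went dark. The two traceroutes are constructed sample input using documentation addresses; the exact line format is an assumption.

```python
"""Check a traceroute's AS path against a transit watch-list.

Added example, not the blog's own tooling. Parses output modelled on Linux
`traceroute -A` and reports whether the path transits a watch-listed AS,
at which hop, and whether the destination AS was reached at all.
"""
import re

# Watch-list from the page: Russian transit networks plus TTNet (Turkey).
WATCHED = {12389: "ROSTELECOM", 8342: "RTCOMM", 8359: "COMSTAR", 9121: "TTNet"}
# Destination networks from the page (Georgia).
GEORGIAN = {28751: "CAUCASUS NET", 20771: "DeltaNet", 35805: "UTG"}

# Constructed samples; addresses are documentation ranges, only the AS
# annotations matter. The first models the blocked US -> GE path described
# above, the second a direct path via Deutsche Telekom (AS3320).
SAMPLE_BLOCKED = """\
traceroute to mfa.gov.ge (192.0.2.10), 30 hops max
 1  gw.example.net (198.51.100.1) [AS64496]  0.4 ms
 2  core1.example.net (198.51.100.9) [AS64496]  1.1 ms
 3  peer.ttnet.example (203.0.113.5) [AS9121]  88.2 ms
 4  msk-ix.example (203.0.113.77) [AS12389]  121.9 ms
 5  * * *
 6  * * *
"""

SAMPLE_DIRECT = """\
traceroute to mfa.gov.ge (192.0.2.10), 30 hops max
 1  gw.example.net (198.51.100.1) [AS64496]  0.4 ms
 2  ix.dtag.example (203.0.113.40) [AS3320]  14.0 ms
 3  tbilisi.example (192.0.2.3) [AS28751]  71.3 ms
 4  mfa.gov.ge (192.0.2.10) [AS28751]  72.0 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s+\[AS(\d+)\]")
STAR_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_hops(text):
    """Return a list of (hop_no, host, ip, asn); '* * *' hops have asn None."""
    hops = []
    for line in text.splitlines()[1:]:           # skip the header line
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
            continue
        star = STAR_RE.match(line)
        if star:
            hops.append((int(star.group(1)), None, None, None))
    return hops


def assess(text):
    """Summarise the path: watched ASes seen, first watched hop, reachability."""
    hops = parse_hops(text)
    watched_hits = [(n, WATCHED[asn]) for n, _, _, asn in hops if asn in WATCHED]
    reached = any(asn in GEORGIAN for _, _, _, asn in hops)
    trailing_stars = 0                           # unanswered hops at the end
    for _, _, _, asn in reversed(hops):
        if asn is not None:
            break
        trailing_stars += 1
    return {
        "hops": len(hops),
        "watched": watched_hits,
        "first_watched_hop": watched_hits[0][0] if watched_hits else None,
        "reached_georgian_as": reached,
        # True when the trace enters a watched AS and then goes dark.
        "dropped_after_watched": bool(watched_hits) and not reached and trailing_stars > 0,
    }


if __name__ == "__main__":
    for label, trace in (("US -> GE", SAMPLE_BLOCKED), ("DE -> GE", SAMPLE_DIRECT)):
        print(label, assess(trace))
```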