Further attribution highlighting specific RBN (Russian Business Network) leadership and RBN directed spam botnet observations.Specific RBN Attribution
The individuals with direct responsibility for carrying out the cyber "first strike" on Georgia is a RBN (Russian Business Network) operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).
Mr. Boykov has been engaged in criminal activity for some time. He best known for distributing the malware VirusIsolator (which downloads trojans to take control of the victims computer). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending. Mr Boykov is also a purveyor of porn spam.
Mr. Smirnov is known for operating a number a scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.
According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22. Presently, there is a large-scale spam campaign underway purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a virus is downloaded from 79.135.167.49. (Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet) Spamhaus issued a warning regarding 79.135.167.49 on July 29th in SBL66533.
Further investigation of Mr. Boykov and Mr. Smirnov are likely to implicate the Russian authorities in the cyber first strike.
Mr. Boykov has been engaged in criminal activity for some time. He best known for distributing the malware VirusIsolator (which downloads trojans to take control of the victims computer). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending. Mr Boykov is also a purveyor of porn spam.
Mr. Smirnov is known for operating a number a scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.
According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22. Presently, there is a large-scale spam campaign underway purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a virus is downloaded from 79.135.167.49. (Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet) Spamhaus issued a warning regarding 79.135.167.49 on July 29th in SBL66533.
Further investigation of Mr. Boykov and Mr. Smirnov are likely to implicate the Russian authorities in the cyber first strike.
Contribution - James McQuaid
Fig 1 - Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet (click to enlarge)Further spam botnet analysis - Knujon
They are part of a botnet that came into existence in 2008. The vast majority show up in Mar/Apr 2008, but some have been sending spam since 2006
80.255.244.19 - Web Media Services - Russian Federation
nslookup = mx1.privatehost.nl
79 hits from April 2008 and 4 from Mar 2008.
85.71.224.34 - Czech Republic nslookup = 34.224.broadband4.iol.cz
5 hits spread over Feb, Mar and Apr 2008.
242.3.213.198 = mailrouter2.austincc.edu
107 in Mar/Apr 2008, 1 in Jan 08 and 1 in 2006
57.83.52.200 = mail5.hostweb.com.mx
1 in Jul 2007
100.192.162.206 = mx2.seidata.com
90 in Mar/Apr 2008, 1 in Oct 2007
16.164.163.212 = dns2.tea-cegos.es
104 in Mar/Apr 2008
5.197.8.212 = mx2.teuto.net
209 total. 159 in Mar/Apr, 2 Jan, 6 Feb 2008. 39(2007) 3(2006)
118.32.147.216 = adoptolder.org
8 Mar/Apr 2008
165.209.35.217 = mx2.bt.net
100 Mar/Apr, 1 Jan 2008,65 2007) 9 (2006)
Mar/Apr 2008 period
mail7.jetblue.com 106
autoliike.com 3
smtp.cablebahamas.net 151
mx4.mardelhosting.net 1
mx1.privatehost.nl 83
34.224.broadband4.iol.cz 5
un-158-235.domainunused.net 31
pool-96-234-41-61.nwrknj.fios.verizon.net 8
123-193-82-34.dynamic.kbronet.com.tw 7
mbox.edmaster.it 90
smtp3.willamette.edu 77
argo.regione.toscana.it 92
msgsrv1.itellium.net 177
Again special thanks to the many community contributions and messages of support of the RBN blog, in our efforts to expose cyber crime and the Russian Business Network. We welcome ongoing observations, send to RBNexploit gmail.com
Refs:
RBN info from James McQuaid his blog here
Spam Botnet analysis Dr. Bob Bruen of Knujon.com.
